23f43e4151b51424e10b9f7d3ac489a7642bbe6a2092e67e9b55a26549f0612d

Analysis

max time kernel
118s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 04:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e635dfc2f1a09ee37318c8a4b82e610N.exe
Size

1.4MB
MD5

1e635dfc2f1a09ee37318c8a4b82e610
SHA1

2d120170fe637d303e7d3170436d49cecd4d7231
SHA256

23f43e4151b51424e10b9f7d3ac489a7642bbe6a2092e67e9b55a26549f0612d
SHA512

66d0c785d405850d570373f642285b538251c0a979d406f019bd02ca53c1257c4b1ef12db6511ad5b0747cd654bcb36d29b56e06359779ed8f6984c663dd6b2a
SSDEEP

12288:H3FJbk5jJ3mnHdSwM+fMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:XuiNM+0SkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 19 IoCs

pid	Process
3348	alg.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
2068	fxssvc.exe
5092	elevation_service.exe
860	elevation_service.exe
1528	maintenanceservice.exe
1428	msdtc.exe
2200	OSE.EXE
1568	PerceptionSimulationService.exe
4148	perfhost.exe
952	locator.exe
4440	SensorDataService.exe
4448	snmptrap.exe
2416	spectrum.exe
2064	AgentService.exe
2628	vds.exe
732	vssvc.exe
5088	WmiApSrv.exe
832	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\System32\vds.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\83ce3866352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\javaw.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1e635dfc2f1a09ee37318c8a4b82e610N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b2874d970004db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb8a0f970004db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c283aa970004db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6f8bf970004db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c731e990004db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7aab1970004db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000067559970004db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ca9d0970004db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3772	DiagnosticsHub.StandardCollector.Service.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
3772	DiagnosticsHub.StandardCollector.Service.exe
3772	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3620	1e635dfc2f1a09ee37318c8a4b82e610N.exe
Token: SeAuditPrivilege	2068	fxssvc.exe
Token: SeRestorePrivilege	2348	TieringEngineService.exe
Token: SeManageVolumePrivilege	2348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2064	AgentService.exe
Token: SeBackupPrivilege	732	vssvc.exe
Token: SeRestorePrivilege	732	vssvc.exe
Token: SeAuditPrivilege	732	vssvc.exe
Token: SeBackupPrivilege	3196	wbengine.exe
Token: SeRestorePrivilege	3196	wbengine.exe
Token: SeSecurityPrivilege	3196	wbengine.exe
Token: 33	832	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	832	SearchIndexer.exe
Token: SeDebugPrivilege	3348	alg.exe
Token: SeDebugPrivilege	3348	alg.exe
Token: SeDebugPrivilege	3348	alg.exe
Token: SeDebugPrivilege	3772	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1816	832	SearchIndexer.exe	112
PID 832 wrote to memory of 1816	832	SearchIndexer.exe	112
PID 832 wrote to memory of 4412	832	SearchIndexer.exe	113
PID 832 wrote to memory of 4412	832	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1e635dfc2f1a09ee37318c8a4b82e610N.exe
"C:\Users\Admin\AppData\Local\Temp\1e635dfc2f1a09ee37318c8a4b82e610N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3620

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2068

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:860

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1428

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1568

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:952

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4440

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2416

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
PID:4092

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2064

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2628

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3196

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1816
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
554e5ff3bcd566ea53b18def34a8e60a

SHA1
89db017bf5bc9b87d83c2a77b2051eb7e17a42bc

SHA256
0abd26201b3a85d0477a5b8ac2e3ecc8e2973faac0239b39e54f95254edfe00c

SHA512
00b7fc29802182160f3c142f2c214037657f804343f210322aacac52075c9d78253897629327b9984845d616b4764eb14bc2f13ce3f2268221b2faab2fa1cf4f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a2ff48a3c8197ce8072fde327ae84eb3

SHA1
458d6f1d803aeadf28b089389879897dd912d722

SHA256
7eccafef2f3c91153e3528de2d218c7831beefc300c1572c41d7de705ed9aad0

SHA512
e029d01368c841de9b85260900779b91ae10d08476fbd68599b42085f55863adcadad4f380de99c6c6d9ee088bf54ad2cca00b0618f67030ae8ad754da8776cc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1304d95404e657887fc0e15f0db7e0a4

SHA1
6596c08f1b110d0234957b99a5d9242d00e8f6d0

SHA256
57e46b237bc56ae5175cdf712438edc52d653bf31d1a02d1adec5b52cccb98a5

SHA512
4cdf13990ff62d5ed422ad146f9c2b4124f31a9f5a40541ebc2c32a97503e36687d8855dfd27c76a477d79068bb505a7ebbed876b7378b9cecfcb7e4f671062f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
ec3de867252d45aaa171be0d30fa4c31

SHA1
571ced1a98b0f6fd380f3162a1c20c2b67ea7d7f

SHA256
609a245f440b45e3727e13545ba8a520b0b02255d05cda90e170d29689a0c9f0

SHA512
d0d63679e3c71e9736e03f33abbeaa5203a88e0d7f6c9bd9c7799744456176a03113a40acead0eec1637e93c138c6d75e105bec967a75a90889f8487018b712f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5de730e556b31894e3680232f35f501a

SHA1
4b2be8a1ab0bd80334e005cac2a136547b163efe

SHA256
a6b118e1050fd82c064950f2c4d26c28a6704733b747459b9c22c9d5089e3be6

SHA512
4e7a4ea4e570c8314fd7c0f808d1dc446ff2e246348c0f74ebf15bcadaa40a93150388952282145d79b2eb3db18bd997307e70bcd5e8a8fc1060e8b0e6902ab7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
05016b29fb73df81193032033aed4a11

SHA1
7db728299f1665064c4f4f3b42f1d40715737084

SHA256
5eba0d1a8087278e40193b3468fbb2909a09f3b7dec76f2a0c66cdef0a94aab5

SHA512
2a7b21db0abe2b1c062daf4b24ffe1de5c3bcae4eb51957ae19655b5104439bc16eee2e34c5535b95abc015100886d9375f90eaefe36e894e1b79c77113eec05

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
ca04037c94ced321922509da0c6f1652

SHA1
dc35d4778db3a95dfe0d38a8fe4503a8ac812ba2

SHA256
69dcf8672f619bf3eb113d03e711cac97c29b52cb9d22e697643de377a4ef7a7

SHA512
8e0d0e22251a61e092b60ee9b1f2b0b0b14e139740f7dcdb6a8517c4c934a69d331cef25f2cf45ae1e9f4d64aeed9d474c5d57cb74c8dbba6cb242b03431409d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
e992dc40a338812ba34719b88b17b77e

SHA1
df00d6815f210baa3376be233f2742c900d8e57f

SHA256
f0bd0a5a806990c958d357546c88a10aecbb6e5f3e2c70124e94cbd088ae0b35

SHA512
892b21730d2a661bf1531ac3a2c947c8c279c33a7935fd5e1e5ee2f71d4ba9c66872bfc9e427184f6b54108b454b717245799b098598bee835cd7cf973ceab25

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e6f6f909ea571898284ddc0a19c07a20

SHA1
77079a91e47b5cab7d94710abc652bc3694b75fc

SHA256
78f42840aca03ac1196fa7adced2397e0a8795e5088bd349e2f4ab620f4ed101

SHA512
e8c9d7c77e87dd3d29ad29e397ae9acead2bae4eff88d586dbcd7b32765c71b2da282b9fa6f02aa04581a685a87dad51c89097348e738fd780017cf33c3fd4ae

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4e9a6254d623463eba0c77f68a749184

SHA1
a4a5651b60eea55aa39435bce502de81ed4a001f

SHA256
c0c321143058a89ca4272a9c86e81462c93574b37404da8fbc2ea38b0a2b1306

SHA512
2e1f7e77302241e224ab9788da8a8b137fc26955ee714d6b6d9daa60337aa5e5324049232829be4adeb7589164fb4e071f6190896177ebc17dba39f6a9053093

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
fde600af208bf26a0cb0fd1eb12ab1e4

SHA1
5db56c4a7b41ae3e6b57b3d743a3dcd1bdc13393

SHA256
b847cc1173d0dc202e4b544a885770b904effe7a737be47f9642135ff3f36fcc

SHA512
1c49cce631f818920b2bc934b92d65765a543f50bc28be5b733fd1b3ffe94c262afe7655f2570a7bd303a88943cb4ae595b2826b2fa3eb7c9b31f55319c9b2be

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
4790e1a034e17fbc9d17fee9c4353fa2

SHA1
e2670866782c9be3d7fed190c47c2f562f7e11d7

SHA256
19448510e3750d6430e80297213adb2eedffe446faf399b06be733ad0e5d1859

SHA512
e49616aa1b2b68926b3a2a8645c8d26d254c549573e0c9ba13e77501574c127068fd6c00fc7c03ff9c3c14d2bd685222d54ff0a1f992d884b7d08ec758a69723

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
8e13cae67147d8f1691b12fd155748d5

SHA1
87321783935b4ff555b39beb8ffb2407f8b3df20

SHA256
114245c5b6e4890e95c136296a013e386cc9eebd2c27e7b157261399650a5547

SHA512
52229f29dde248871ff898b70c95aca6c47e80385bd485785654ee1f897e230cd081514759080ff4bea9af420ae4d9a08aa2a9109530d376645f82887c15b286

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
a2c1cca548b148a4c34b66a3f7ddfad3

SHA1
7cecba50e923ea44f5dc797c5b089768eb8e7f24

SHA256
dbfa17e0839667b66fe3669bff889b336e3514110e6e69a4b81ab0e6b560b947

SHA512
aa02aea9ce8afb9c8429c0d810814ebdf08d984749ca5b564f80224bb810edc44636e1d0ea977db6df02f7411556d06aadc17e32f79673b675dbff494076b122

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
5d279dce53734b1f997890dc009c3357

SHA1
8ef57b362a145f260de5f5d19951d66bdae3f5d2

SHA256
9425f1fd5b179259fa9a1f41fe6c01524b8d860574f47fb52b02b556b0a003fc

SHA512
f0a9154bcc59986b9f9750409e4f675ccbb24777f4393177d940b601f4f861338876567ddc7489972cc50cfe33480806b7cf043b3877b0ff5b275efd04f0b918

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
16d58faf27e0bcfdd9cf90db81ac0466

SHA1
a459ce4dbba2876399fcefac68cb74a897a5a5e1

SHA256
fbb1b7242b8da45da0991f1d8f192620e3612c6c15adbc8ac8f3d25188026b3b

SHA512
de76a965b4d268e051d909735d6f2881fbff05a10c86b15183b9df815a5410ea51d0cb5ef12d6b671dbecda9c5747c9ba2e35dffc5d95e9d1aa7e04a5ce4c337

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
247abecd5069f5253b190665962458e2

SHA1
4c692e57e946cc223fdba5e70caada227cddfaf8

SHA256
15e14ed041ac9622f62d47efbb0944a42d7a00424a2715bc76775e6185a84528

SHA512
bdfec28a54c26f05bb04f9543bebe5c34df3de265cf54cf86a089c421a9d718ef8d538dc4e85b424a1e40089f4c0706cff208e1ea43bda04c8abfb6081cc322c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
c3d7e01f4a70373eeb602984308cce2f

SHA1
d5afee6003e8c50196ee8d43aaa239dae1e706f5

SHA256
7ff04d57a4881406e8f2c2f2114602c4ad00189e1940518b75dcedb68c8bf5f5

SHA512
258a1df8f5c19b1f041f94f8b967a4fc4156a1f8a749c7ebf3030f43e17f325d177c598f1409fe8931ba86d67c99ef26f7e6c6e6f938fd4e1a9fe10af18a51d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
dc8b097697a0272d8c31fedf7b199615

SHA1
30106893905a7cbaae1c7e06470baac0533a1784

SHA256
68dbde0321bdb7ab2209cca60135fc9b2e1e1ad72a5612e31d65dc31f3b47aa1

SHA512
f3cb3db84579940244041f0cecfd60262173b230f2e3571b227f37ce409ca765f616470ecdfe9d8bfed8e085d51ba451e267cd12b4a62366384af799614c1ca6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6d74d1fb283fbb07465de62f1695b199

SHA1
ca8322b0a9f6b36d5b1ce1ccfd1fab8a11c27989

SHA256
5fe2f024a116db63a56af7b9349eeda6f5280b359557284bf2bad6325e66338f

SHA512
c3e5c633996241a5fc14ef18052cc222f3d82c59e82506619e35b74a289de9673249295824ee04c153650b541b5f2bf221ce9796a25f094af30ef537b12a255a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
57513cafffe30a05d6a1ed6de388151e

SHA1
9a9e96918ef9fe16ace8b98a2831342e5ec83375

SHA256
00692f6764b6479b6a09114cbb418ad14fe571f70b1e56b77a61ad47c26aa51a

SHA512
37ef4a2e67715b48653fcaaf67a22a8dfd6f547d562326b283049cdfe5c66f364c3ef243ff5fe50dfb1f91635dcfb413b857bbdcf8263d5545717f5dfc46ff41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2dff9fe286786ded6633b65db24a064f

SHA1
b0e4504c46a131b8ff569a705789ef94149ad0fb

SHA256
4ce48cac0f382ac61952db54a3f9504e9624b2f87c19b3d24ab05bf58d64548b

SHA512
cba47c4745826f8a66a13b9903111785e40347dba8c64b8a3316a203dbb5b601847629283920a476b524b874c715f01fc264022c3c61d3206f3e2d8c9615fd93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
2345c78ce7324e8dec7484b70e9b753f

SHA1
f7edbee2511e9dfdcbcb82cbe95d63a41bd66cd6

SHA256
9dcde6a14fcdf8822cd7031ea4423323fdf3a992589fe71ceba6a4f3343436e0

SHA512
14615d9315b7c71e56213f40213c74740f17b9baa7b89861174486b5b1bafef6204ec08d92a4f3f9cc35f73a4825d676cede14c6fd5f9a46641b913edce54231

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
3ce00871b195a9c748740edc72d1b637

SHA1
cc664360f99db5bfc2a873e27ecc15b5b24db3ee

SHA256
8e1aca34abc4c7a51cbe5b2c03ad3820c4e4266a9945e5032f4be4b3254ef088

SHA512
933c2d32b33509eea34660a62f853c902db3bd1837df0e0bb2c326e9019efc5753a2ac1f6c4f23a48c27594d4e27767a57290430282e9630c96e6e1f0cc5da53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
695db1a077d6e1d4dd65f5b7387f554a

SHA1
05d07ec1939ec74c07e418d2bdc9f7419d1728b2

SHA256
9513f229b7cec3fbe8d9c94bf90c0e7cb615b3fec9b2dfa930b7acc0ee7d8e3a

SHA512
777f4c6dc038adfc12ea69ee07d872db45823bc3d27b6dfb09727bc6e2b909e5067c1229f6427b4fc437a775eee5752baff44a66bee0431aff95b4d998b7ed99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jps.exe

Filesize
1.2MB

MD5
7c70bd7a2c6c060fb7577b6b412d0ff9

SHA1
ff514fa51816e3693923bef9e75176eaacb761d1

SHA256
24228c3ce531903db9a2d2f373b23d2a111f28a8e19a91e7b67952e5e43a35b5

SHA512
0f71925fb6921ce2a13d791a8334fcf91160ce690d8c979f0b09ad5354dab43b8f5d8b20470d24251f0224fdaaad7ec0b97dabe7f02f37a1d89a1d8aa0cd1f04

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstack.exe

Filesize
1.2MB

MD5
0414d94842945aa32bc2dad24146f6ae

SHA1
a25db6cbd89a1cbe9ea8512194515d3039916576

SHA256
4238b40f7716833f534ac751542ef30de113b3606942f04bf9414f8ca7007ed3

SHA512
92e236e5b13b95bd0adc552fe68ac2cf2f6e390d30056cc5b49cd3d804f3fb6b218d7c824839608d94c2ad943410a78a10c4bfed7ff6b78917cf62c41e40be86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jstatd.exe

Filesize
1.2MB

MD5
44fa0e6382d9d86910cf7fe9f8b0b8b6

SHA1
6bf59f53c648dc449ebf724afd698515a75e7389

SHA256
d711b244fc5be555ab2f1704cb2e5b0e534465a265f934674e1cca298943ef1f

SHA512
918e66d5f4bf52189428d14f8c0c1f6663bfed5a663bb75141d56f7658624f75551d4083a9f522dbf48237cf5098615c9dc04b9d268726b29f831759f65ae915

Download Submit
C:\Program Files\Java\jdk-1.8\bin\kinit.exe

Filesize
1.2MB

MD5
dbc04d3ffb5edd1aee72791c95cf0863

SHA1
d5a4b0b09b214944b7f3b3b1480a6ebcd9452dfd

SHA256
b90d1a200c5a49283f985658e439bc94daa13f105e8ea36d8d3947702366f5ca

SHA512
a313496165ce79932d9b3eeeb9f602b1cbc474eb5dea9f602ea1ec191bf210c201e3ba3ba3c48c6770513ab3d4dbc7de78b378a7029d2994b38a3b4be4e71928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\ktab.exe

Filesize
1.2MB

MD5
ba2b017309beb58cdae95b29005d7651

SHA1
8dcf2052c3674802aed6dc1c149ed937104891ef

SHA256
63460b2e5a38d80bfee51e1affc560d530ecdb4e14ee6e7ced08f4bcc5ecca4b

SHA512
167a91a4617d25d8cbfc9ed4e3e059df7734d2b410007aba1319f21a6c1044723eb7a00d00c03b3e32087bb7f56c73e565854d742f5d8597423cc6f50f0baea0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\orbd.exe

Filesize
1.2MB

MD5
b0b5bdaad818f3dc5e703d610f8581f7

SHA1
75bff2787597a9461e61c03f0eb4a4df2466f72f

SHA256
9cdd8928a67ea59d9069a4e3af3c148736dfccad7da747fb6acda1e7486984fb

SHA512
a4f0df8ee03bf7985f1590e4346bdffd0c525e3e067207c915d5882505f8caf4d1271ca94a7059717b1f8922ace45272095903cde139a3c1e87ed1a54e8416e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\policytool.exe

Filesize
1.2MB

MD5
fe61e708b8d9df16df606ed9be284507

SHA1
3d83faf4e553410b12568cc4e6c2a9dbbe53bdaa

SHA256
b2b90f70a2d5e6de9f6aef183e1384b7e6e3cf7f6bb03315e1dd1cd819859a4b

SHA512
0f0807956e03014b7fec2af5c010832917ed33f761e725b571471b2fa441649b348a1998a0477ed8b4faf5146681978711d27ee9148251cef606650699ef43d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\rmid.exe

Filesize
1.2MB

MD5
e9237e2f4b634ec749dd633fada7ca98

SHA1
186de81b749b1b952f86354b2aba00fe60e07d2b

SHA256
3217c959e14aebc031de53f197094ae2e84ed928be882a41ec926505bbfc772b

SHA512
5e43f55cd32bfcd795a9385fb8bc19e2efb8dff0e7530736a57293f09c3263aef1299bc5b5a87750eec5ba96ce8fa55e01d4d7ef060f694113330beb7e397b55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\serialver.exe

Filesize
1.2MB

MD5
db01262bb296fe6f748673fef4caea5f

SHA1
4432105278ee9554d4ed17b208dbb55244abbb49

SHA256
9e5a085c6f512ed48a2768c598ab56ade1a8aeeb363557e9e5838e1d20da726d

SHA512
018300b9b12edd3b01b7502d5de637c75dcc119f8f407cc144db2c6ea2555e069479d092bbce5cdb67fe85cf9133f3a5220379921347fd484ad4cca3efb5c46a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe

Filesize
1.2MB

MD5
7d1c0ae4534fda40877ac84a9988375c

SHA1
3f70ab12209b0ae6aa9157ce12067788c37f0aaf

SHA256
e9d88be7ee97a0aec6a63a9361c2dce49d8c72d4a5ff5f9fd8ad4b37d815be28

SHA512
e9de915b8d925a09265316b0f2707834c3b8712f422695749ee57325b7e003e6c2d653a9b57b16408df62c57f5faa5890d1d0b360fd3ddb230308381e82ea8b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\unpack200.exe

Filesize
1.3MB

MD5
b5c333d752455ba097a724652d6b4a6d

SHA1
87de52da78ae53f64ddbc2656db232b40c8b48da

SHA256
b45439f1bf014231a99dbc1e59752db11535182c53c117f3929780b2822fe6a4

SHA512
976472867ad762a1f303e48e5bb624365c2dad6d75014aa826a53bd913821ca1b538fd8b4cd99de62d4c73c2fa2c27ed3c9a86e918cb8a84df5739b9ec94805b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\wsimport.exe

Filesize
1.2MB

MD5
3ef5b8f7b64ec3c8a4fd66856c9a5e5a

SHA1
af50a28615a38473daa5e8ce3ec80db25780000c

SHA256
f4b2db01f60cb3f19a990e7bbfe8e2caf7ace13ffd53aac0267fe20dacea105e

SHA512
420efb4a73ab4a09e7536a75db3805864a4cad81649be9eabd17b99f8b8b817562c53a8a204d47bb637ea71cb7e72aab58a6f597a3783bd76c6af3c209ed3860

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe

Filesize
1.2MB

MD5
e1dc0ddcaa7548b8d70b37cff29c2296

SHA1
b7e93ccb65b49e78f5e8b272a54490db16bf1c66

SHA256
33ce33cd5cf32fa1a01132cfc25de071667a5c8182b662c30336b0ca750caf55

SHA512
b31f9eefb59003a9bb18f76c4225edcfa216c2f215f9b6e44d4d4251584a61d0e6e4ec2c15e3149cf09ff2e92bb09d2311c0fc0d5624514392bc814ad12276fa

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\java.exe

Filesize
1.4MB

MD5
03b7319af266f781c9d5d925d7c209ee

SHA1
aae8e73e66525ff819948da5bb29370ce6465549

SHA256
517bfa83645ef7f93f4e362b905cbeafeb66e8a8bb22fdf712b0f0c306cfda53

SHA512
74f791db4d405d7b9986f37446f4875a21bb0697d8c0449ef88d64bc45e37941c7bd0b199e1e10caeb096a1914808991b0087cdf005915782966bcdaf74c24a9

Download Submit
C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe

Filesize
1.2MB

MD5
f86ae2c204cbcf1d6e376ad3443dae63

SHA1
5c0818664c0b97b46f85fbd562485ce2904a5143

SHA256
7fabb2d60c1ca89abf4a49f525bcff48784a1790a764875bc942785e2224a0b6

SHA512
5a542df887f24fc9eae73b4fae657095f2e1098957bd51fd4b07691e4ab03054c8618af09138e9e85835d785dd99494034daf10baf09b8436005de9f9f54f3c2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b6559f7b52860b3f1c26b3acd7c74204

SHA1
5926ea9dea4ecbc9d022057a088bc34c09d4f15b

SHA256
febb8340b7ebb16e9e388240812e18085a25782a7be1edad36315ad2453c596a

SHA512
43f0f35834eccc58446fdf2fa39c2874f1263a62060a21a34bd261cb25cf43c76f06fe09f9042073a8c836ad94bd595937c92738ad26941be65b9894c394c66e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
cae3fc2cce1f18225a73c28000505481

SHA1
80c917745bedfdd18f793fa0106f6c5474595c27

SHA256
f08319bd15a3a3327d2c087871e1060af46655c2e274c61934514db2cf0c48fa

SHA512
e3c1f8b410e75e4b3e5d4300e73e2124179c973ab5dd7be05a710aee1c9a77653a373759a341bbdaa530120915b20fbfc9cfb5b3502491ffc801d8bc1e6b392a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
19e8328cdde49e6e7a26b711eb028cc6

SHA1
45f6c21286aab66ed169a56999d77e719341a592

SHA256
1d7454595e4411ae7f92d44cf21ec10a75017ae18e3200452759278e509d327e

SHA512
e62480b07775e07f7788561d996c5e6ccc1e4bfed2e98ea18629b0809a6bfebcbc1b4414648cd747c384e22404440b915c367455ecd16b385a6951cafd49cc60

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
eec6c17c88d8a5f7c105a893424fce42

SHA1
cd02c7296a071896578de289a746db34e46f9d05

SHA256
c9edfc5e68cb1c50a62749705a3638715a7698448492cc2f472f8297a6dbbc90

SHA512
a1e7a5d65e6d8025aad193c1ef79a44e0c553f2a35882ff52fc60c3347be633efc073f96a8ea6128524d5356cc59228c9bc4d582a968157cc8676d98929a370a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
e9fa192eab65b3c2938301f52fd35807

SHA1
8985ec7ad5ac548833725bd342c773da20d56826

SHA256
34ea789109bb56cc1dc384df815d32159f4e0fb753d2389db3f3955d8e45bd57

SHA512
14dfedf51a86d1c2fbf1c58cf7de4221756242da120dbc9aa350e634169faaa37c69d63b5fe93abd250ec3cf76e5d9b44d0b4f2eeef611b45e937f8e698759f9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
780d61b3cbb0d4aa22ff3eb1b30a5644

SHA1
f6abbc33b60577055640c574db2aa30a19ade0cc

SHA256
57b13d27187d9ce20380fd93f4821acdb3e72d25a6aa69ad9c3e4653a0ac5654

SHA512
15ae77bbed683205bae3995f1fcd9def04cdfff8219c103a8c04560181706f901a29ce21b9ea41d02392ed643e5d12be20c3b34bcd692a39daec68f30107b3aa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
d27bd2144c1625128e3f3ac6e83eeb8c

SHA1
6815a58c7de694a6a48801b263f40e1a118d42c3

SHA256
f93832275da486bd4d78143a7739a67f0174bc74668f3dc18c0d39bfed8991b3

SHA512
cd4979ce5509446c40f5f934d1794f3733d874170155ce093dad07ef3a5876dbdc1a81bc6936cb6ec24c555076b66aa0b2d7557d4dfc18dab56cacabc36ccad4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
10844ccdeb8211d8886c38a3cabf41c7

SHA1
ffa3d68a548e2658f7a49b32a8191feb1e5d4479

SHA256
05d32d677e94fee52cf433ee7135ab3e81888b412f8565c972bb97bb117a6bec

SHA512
cbf7c7c522fd7b4d4a418c9ff80b0d3f8aabaf690054e375b6875eb01d92c850235de7edb861795269d55cf05f8ddac6efa1e7bafaafda5def9e8fe3eb7a565f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1bf0e77abd249d9acdc6c275fadfde33

SHA1
e5042f88beb4a6c8765dcf080e2f3bd0b530e57a

SHA256
e3525cf60039926f20030e9fd50a5b59a6903a625833034e2df3d4da9486f5dd

SHA512
b8529eea608dfbf4330ba43ebc5df96f8196eb5526ee78f0b07beaa56a59efc740862d010993d1ab92054eb9b0201d72bae709cc34d5674a927c3420936c4e09

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a3f16a4370cc9e0cba8f57076d6f7feb

SHA1
469a3499dfb98d52a181d1744371ac7b6234f5c0

SHA256
be9ff3545b648ffefd3cbb7f4f2aa77841e47aa67a8d912d1d65b0c88b004009

SHA512
859f22132fb51661e321b6504037c033bd64378cc0e98b08cc2c73457434a2768b6b82145bcd09c296b6a96d7441a206d7b0b36fc13218539e642e766d8e14a9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
64916e526182ace5ad2a2cbf7994a39e

SHA1
14d2fb88de02f69ba77f0ab84d1b606e91b4dcb7

SHA256
fbb62272624814e014da768cae23d6e2bdcb7e58ff5dc998ef3406476e1da4ea

SHA512
fb37992499ae57aa2a1e3f5a6aa80349141a97c3f623f42c8bec42caf227a749cc936bcfddc72d07b9bfdaed4c909251df06010a47e90717a7bea85ace171370

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f051e1399ceb33965202ae91d9aa4394

SHA1
1d07083bf98d3076296d8922934864709e8a5f7f

SHA256
45018ed39fb9f068190dfd5ee4f985e77b642f1c69d16ff08c39b2984f69f68f

SHA512
e940cbaca65d13c52c7a74950fc53d45323ffe547700163ea71f92f1a9ed9715074ecf1ceb3a0cd9153c139127d7c2fb6512128502bc17a4e83d9efa6b6b8c8a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
c88c590326f6e4ca7fc178664a7a0124

SHA1
04ad41f5aaf53ed429d9fbfc06f35bf9abed4b5d

SHA256
bd267d7d6b1e0d18282f8ca7077e82e8d3ac90183bd580fe1f7cd8949b745880

SHA512
c5a315009e37958029dd75cfb1a94121a8cc522f52af9f51596e381d83d47c460c1b99e952c113542610a150e5b6e5b3fef944e733394f34c6647c43c57078d3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
14d80af4d3508d8180671ab80f4041ee

SHA1
8ad2523ecda395bb5745fd6b941dd9588dac5ad1

SHA256
07d21eeff588270bcf0b6d06890af7ea1e34a63809371281f80e45519d88c641

SHA512
0b45edb68b1691bd2dd492610133f58da046d40ce523066e2671c3eb363f00ffcce182b03e2c9086011977bde39a85e4fe491852a2fc3a94bae351d3167a937a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
81c60a343245e6446ebb87136bafebc8

SHA1
e1c2d662e6349cf733ee3afdc062688ed19e5aa0

SHA256
0dd998ff34a9dd1b98502851b2286b1ffb581672706ed6d64ae4bfa3083c170d

SHA512
31e0bb62b96a055dc66c371076ece6b3ad915c17abbcff4b908e79ad9571cd668ac3090abc0ec4e192a6008c03cc7a0af26516e0716f527ee6ddccc0c573a84a

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
90a8e7e3ddead33cd015a2952f9c30df

SHA1
419b631f29cba796a747323dd186d5e677291090

SHA256
13c4eeb01af480125121563fbe0e38d26eedfcfa4e8f627e8dab61ad3b550798

SHA512
e0f5ccd1e3c27b5f190e8bc40509b659c691849ed731ecad1dd8fa337db96b5503ce81b2bd49ce32c2b81ab5ce109c5dac561793dfab2ac4913141d7918f0f2f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
4f7b51a62bdb76135ee064ed2aff5d81

SHA1
fd90574e3a4921d0f814112581cb3bb5f9bfe52b

SHA256
2fd1d52df7d45cc155d9f9d334a31a26b170926cd1786f243334da6de51f7d1d

SHA512
5467e483d464d90ff1f6ec12e090bce94c549af95fcc03e3f065cd43a1ceecc41e33fd399ba9f5b49c482ad7b503f5e9debb9118e54b2f94a52770d122c11096

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2c6eccaf572a1b9a2445ac30cac37396

SHA1
d6f95dc0ad17ffcdb60c03e2a2b4c0e833caf3db

SHA256
b0b2f8d5ae437aa9439c5b8bccdec08600eea88863d7a40c729832369e043c2d

SHA512
e4643cb8426e4478279c48d31d454d3b5087107de9b1695a0ecd88d1f648e9532469ea44b0861353704e4f17906bcdf29f5cfc13b3c00322a3efd91ad560c19f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
89e9261279b31ed1ef2d6b3991bd765b

SHA1
d5d816575bb039cfc2ad6297e3ab679a25e94138

SHA256
7975fa1624b8efc3171c2de30971df0b6ab19d79adbce452c987e30c1bee447c

SHA512
5c5672419a1442d3e2e109197b4b16c597a495c6bb05aff26df90938ad488a5f21f0c4f4a65f448e92190b1d836f3c493f4e1eedd31ca3510591b7d423e9f97f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c46b2b0d3ee4853368eeadb3d3ec76ee

SHA1
bf1f5a8bd32902b69c94f7ddc91f346a18ce3aa4

SHA256
19c41e2ad30909e479d5a54a03323d97783b5b2738eed03f18f14a4f4c593a57

SHA512
95bb47daa77ec98424cecfec3521eeafded160f60c0e8ee85bffd863fb6de94a94d9ec927649bf95f2a07743a4464c8b253696bf9331005dddb9b60d9220cc20

Download Submit
memory/732-218-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/732-454-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/832-270-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/832-492-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/860-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/860-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/860-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/860-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/952-150-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/952-250-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/1428-208-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1428-103-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/1428-93-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1528-87-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1528-77-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1528-83-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1528-84-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1528-89-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1568-117-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/1568-219-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2064-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2064-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2068-49-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2068-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2068-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2068-40-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/2068-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2200-114-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2200-216-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/2348-403-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2348-198-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2416-384-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2416-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2628-453-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2628-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3196-491-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3196-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3348-92-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3348-22-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3348-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3348-21-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/3620-408-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/3620-65-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/3620-9-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/3620-0-0x0000000002010000-0x0000000002070000-memory.dmp

Filesize
384KB

Download
memory/3620-412-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/3620-8-0x0000000140000000-0x0000000140181000-memory.dmp

Filesize
1.5MB

Download
memory/3772-116-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3772-36-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3772-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3772-35-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/4092-188-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4092-400-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4148-131-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4148-247-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/4440-161-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-489-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4440-269-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4448-173-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/4448-314-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/5088-248-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5088-490-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/5092-57-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5092-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/5092-51-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5092-177-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download