9c92361a9880888ac9fdf341b94ad1da660011b1f91b78ebe8f60127f25b0e3c

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/09/2024, 00:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ff21a1570d0a027f8b0226cb37ec1d0N.exe
Size

1.2MB
MD5

1ff21a1570d0a027f8b0226cb37ec1d0
SHA1

7958bb49c785a05d7a059f7dc1566a8649fe1cc3
SHA256

9c92361a9880888ac9fdf341b94ad1da660011b1f91b78ebe8f60127f25b0e3c
SHA512

446f96237d910e83903a02b65135a866d36f4704b00ff2f5d480df47ae8f87db6621e74975595f694ff146912893f457949b2cc0d7f1b02b2ba329f4ebf5f896
SSDEEP

12288:wuOXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:w3sqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2012	alg.exe
528	DiagnosticsHub.StandardCollector.Service.exe
1976	fxssvc.exe
728	elevation_service.exe
1432	elevation_service.exe
1472	maintenanceservice.exe
3668	msdtc.exe
2640	OSE.EXE
1712	PerceptionSimulationService.exe
2320	perfhost.exe
4644	locator.exe
316	SensorDataService.exe
2224	snmptrap.exe
2668	spectrum.exe
2536	ssh-agent.exe
2760	TieringEngineService.exe
1068	AgentService.exe
3260	vds.exe
3920	vssvc.exe
4256	wbengine.exe
1472	WmiApSrv.exe
3680	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\System32\vds.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\16618c064521e136.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{E9FAE721-C42D-4B32-B146-9DE88A456C64}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064228ee00407db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c21a83df0407db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000944b57e00407db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002d585fdf0407db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026cd74df0407db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d000be00407db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6a2abdf0407db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022935adf0407db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe
528	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1060	1ff21a1570d0a027f8b0226cb37ec1d0N.exe
Token: SeAuditPrivilege	1976	fxssvc.exe
Token: SeRestorePrivilege	2760	TieringEngineService.exe
Token: SeManageVolumePrivilege	2760	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1068	AgentService.exe
Token: SeBackupPrivilege	3920	vssvc.exe
Token: SeRestorePrivilege	3920	vssvc.exe
Token: SeAuditPrivilege	3920	vssvc.exe
Token: SeBackupPrivilege	4256	wbengine.exe
Token: SeRestorePrivilege	4256	wbengine.exe
Token: SeSecurityPrivilege	4256	wbengine.exe
Token: 33	3680	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3680	SearchIndexer.exe
Token: SeDebugPrivilege	2012	alg.exe
Token: SeDebugPrivilege	2012	alg.exe
Token: SeDebugPrivilege	2012	alg.exe
Token: SeDebugPrivilege	528	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 3388	3680	SearchIndexer.exe	112
PID 3680 wrote to memory of 3388	3680	SearchIndexer.exe	112
PID 3680 wrote to memory of 5036	3680	SearchIndexer.exe	113
PID 3680 wrote to memory of 5036	3680	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1ff21a1570d0a027f8b0226cb37ec1d0N.exe
"C:\Users\Admin\AppData\Local\Temp\1ff21a1570d0a027f8b0226cb37ec1d0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4692

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1432

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3668

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2640

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4644

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:316

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2668

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1444

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1472

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3388
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bd6f349de3ea08c10ca50f0b9b971cce

SHA1
ebb70f756e242a3a57c515905a901908daf6bd0d

SHA256
31ef867d46033d8e6f56d8c522f2ff85f6f108d41fcecccdb3643a6528c34a25

SHA512
d945066ff87237ec3b83ac63c165c6b2451c5c9d3f61a6aa2fd143afa49fd6f6085d3e3dae70afe13bb6fbf59a23e5802da09c1d823379ab3bc5676bb7049ffc

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
96e6280f6262b207ad4ecf1beb26c10f

SHA1
b686523a16e6662d77f12d6c332ced01bbb1eaee

SHA256
4ed5874777e8e20fb39f878ebab632ccc863409899a3dbda0c3010003dd0296d

SHA512
1311fd48dd77e0a1940aff9015f5347c9c673b1713e7f4321f7c3474cef55f8963009ba56723c7f67a96a7efdb41874dd2d41fb58771a4077e204d88baa73cca

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
af75f26294b0f5f99de31eb01ffa5c37

SHA1
96a187e1e0097ab60c32842392102e97aca56b18

SHA256
1d60643271540e0f033ed9fd0433e6f0ed9726a712a34cc08edf54cd0ba7fe0b

SHA512
a025d6f7ceb673f8fee066dfe6df8496ca07cf9bab717cbdea74f3c15208e9b06c41b2e0d37a96823f05fff448b2f0595d89fff8ffd7a7e7d9983ec11cbc4a1a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d92501eb533183fb2a6128c12553bcbe

SHA1
ac8795d7da6ead2eb4063ac2b678e611512cf2e6

SHA256
8f65f9921610336c98d3401033b4a31dd415f44c198b07fa77d9e5636d1bff21

SHA512
9f2445d686c0677391f3b2388721af67eb7ad5b33296c30a0b3cb4a5024ff6befbc2843c0b86b2ab08d0192de61fc7999580adc91b8aa4cc1308faf38f35b531

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
deec6a9be50f8f3dfc4910091d9c0ffb

SHA1
97696e546934e7408c4c3b9ef4024e39542dba9a

SHA256
1693d9ceb4d3ab64c9b291f1feb0d9856ef63b358809c1fd748ebaed69ec2bb7

SHA512
ff8db864a94c8ddfa527a73d9d1b803f67758a4db637683d90d2655baca9a6341fbdb506a887a287cd212092f2e40f7238d61146b1af5a091988c423730746d8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
71f24032316856b9179ca0a4bb27121e

SHA1
603ac05d6697b1bcd18423a24a68d1252e741042

SHA256
5a8fc2f9f915957577cf52f20278fdb151c9f261e9919932b87127e0106dace3

SHA512
cbc1a55c0de4dd67162f728bbfc65c94415f3cc661028ffe002fb59c9797fb2e7befbfea6bb2a539a082112885c50d3e97d9a2d2debca67950726ed4cd1f612e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
3b49f45ad638ba4b4051129e357d44a3

SHA1
b9800b015522a7217e43d8764221f445fc16c68d

SHA256
236880f534363ffca4bb4cf7093d5e9157fbbc545e37062985ac4b6df491911a

SHA512
b1f2cf5e19f91672084404a6b8bcd001595eef7b2481e121199aecbf3c79ae77099c059f3e93edb7abbc6c85d0611d46bbad9b5104aa02a5e5183264c657884b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c2b67177d1ccec1dc66c6efd3480eef5

SHA1
64237e94d9720f5827caca82464c06978806e743

SHA256
fe5fb283ba6717e4791256be66e7ed9155e72cda12d66b44282a89455aa29e19

SHA512
062c8c40b3bde35eacf75a873d8405de22965ea5b4facdd1446a1842ecb8b9ddf0a4339ae4c22c5706b9b9839ac4348fee8d8c6688fcab1d62bcc601c26f4616

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
4728cde79074ab103ac4823658ca1660

SHA1
c249ce40c8ebcd272b8acba9cfbe8e229253aebf

SHA256
dc6cfc33224d9c0cc0ae803319fa65e8131bc1397fb7e50e42a5240631e4611f

SHA512
7908a7a3b21524108dc8f7ececbaef61c6db2df9ef03f24205e9b9a6b2d7b16c0099753a08af563da45d5eddb861a41c418814a7dd069b333caadff0ae19a67d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9ea546edf0897c40a04d0b155f69f84c

SHA1
d9d39f66b4fa9456c66ffa5e2c085c6511188476

SHA256
98d8033a57091484c93a0ece8e64a62d1ebef8bd6d599b068a3fd7d9eb97fe40

SHA512
6ea944183dab0719ab11bb112461874c7f9867fbb28883ee9b8a97134b71628a0f371985282cd2253adac51c7b214cde0b8f522e7bd9b4e8c76ab34c454cf163

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
bd40609c77440b91fdfe961fdc1808f3

SHA1
dafabf58cb7dd97c234c52a99e58e06ca1737c1c

SHA256
92a6567c49c3283b3d411548b419ee368bc8816e245e4acf772754cdef295db9

SHA512
cbcddb0e4da3d9461cb9c8de1433efad60365601d2d1b4e4f6fe4568e3dd64d7f1ecabc72c89678fbee92133e1d1d9b2775248a6314567865c3c01c80d4edd57

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0d45a547eef0672ddd1366e0141ea53e

SHA1
50cfd6ac4a01e84125b397e957d347d9c24b7c36

SHA256
2d89b91cd769a2f492aa4172d9a3806ef0e6a8e60f6084550bd2030ed74185fb

SHA512
599dfe26f895220c403ba4be1e2d93d0498f3453dddb8220048a7aec2dba5955eb779a7ed49dc616fba9069b75962855c2ff1577a48696400a1759b018e81a37

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
7d5cf0707650c06b69bf21c923f07253

SHA1
a783cec8f77d5d6b3a8efcde9993c440410daf3b

SHA256
8cdf5fdd69a3164f62501a3bc97e4cf5dc3264c93a9d58796f5f66202a8770f1

SHA512
0fc6e7afd85615a31e4d48f8dfd208dba4bf817cb64e06fada8e6533cb3c5c1509b3a84c087954cd2b91e62bfabe4740a78df622d0f9fc185b29606b9a729149

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
f4907c257802c6259e6c5cd971a6972f

SHA1
4c9510c559c8a0902b9fa52a9954750a784709cf

SHA256
24bf9c3483a28251f370f3a8cc8bc66570339ca1e8ed41f7cd70688ba7fbbaff

SHA512
2dde8d63b212fdd68b35b9cdf44229f720510150af87fa2c88450a6bc633a0ce6d00b4751c9419fdc195c3dece6ffa6d76ad6722d13096eaaf2ae91e3aaf9688

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d96ad019e4e77064e946f054bc5e7586

SHA1
daac0c66445639b0cec0b3637ebd943d38c4c626

SHA256
877dcbc15cf916783445f193af7c7ae1b248d6665e15c4a9cce992d518e16fbd

SHA512
20e08777273bfbe9b61a43ef4d6df9e080397bd93b9853a44458fc62864e1a8e721ea09c220b89e53168b08c7fb810ef25069285638cc30cf381a20c05d4e64c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
f92e8d0611cfd48694eff50ebf401f58

SHA1
4d04ccd5b21665ccebdaf77ccbd8f6443535fa9b

SHA256
8fd3118224d420409269453ebc01bd13fc2dcb99a075cc32e7aa9ac3f5c93918

SHA512
f2f22b1c34baac252f3e946534a6affc93130eb7c9ed055ccd8f3b4e2f639203fc466688172a84c04d6fca19fd090d289e65ab15da5807feb28107ce17164135

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
fc9536677530da3a6b1a071ac6a2865f

SHA1
d8a43422bbea9d003aadf542d200641f31eba8f2

SHA256
08ee539c43ebae69ccb6e121eb49c42ec5662fe8b46db49df0ef018ae8670916

SHA512
12e1e07c82308b50d2f20081032aa7ab96609f8d9286abba87a78aea0fe82129880f19aa3614a5945a54ca6769561bfb38160db068dfc820a9e21cd89dccb3de

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d48016f760de09f41435f4aa16bf52de

SHA1
f1a029ce3a75f7a2d85c47ff1ac1212f2b0a8348

SHA256
a78b05d2fecc75725c3f06269897b5071de9555cc1335619b927c515571561ed

SHA512
4a450ce73f3ba1baa929f9e8379da350cb26e55cff77741442466019055a95a8b8dcf8ead7fd20c31d8538ccb1a21497e94389c3f0b4a9460742d38126271adc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
3a2841fcc56d5625aa4d63af4cf3aa7d

SHA1
a50580c1f4b5de09a21d12d9e2dcdcf9577d21c4

SHA256
125d7c15f490093d911ca7231c526a765b05c21c28be1d66e6a1d1238a3c4900

SHA512
c13fca8018de8bfd2f8722b9c6ea6b556c600aa7fdfccc6430d3f4981efe7ed5423973f7f68e32348bee554627537632851d6fa5ce5ddd9b61365d5355a4770f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4c3918c8fa344c5a05c3291e92b1aa0c

SHA1
a71dd7167624d7447457591d118dcb6f02ce7b91

SHA256
a99e6726b3e9b6d0b85676c3a01102482baadfe67aefcfbae76324fca6527eb0

SHA512
4cc516efef2c93309b53fdeab1139ffc60b4b350011734dbc8d3207e1774a63510a473d2eebdb38c24deeb30af90659fa6200624203bb2e4d0c5a38e1c752bf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
c5bc2f0a52e5d9a0f2f1312da060c9e3

SHA1
4da020ee6a292c0687b8018942ed98e7e6aebdfd

SHA256
0d99f2938892b46147850da51ca9bf3c10e7dc0249d1d51a7274467ee1412098

SHA512
6025a8c9ed2fd31f12d143a06dcb9780ec273c8ed661abf163505fcea8a7ba92059b8bd1969fcb7e0360ef2031d09e4579628a73c4ff44b800c25d03a0046698

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
5cefd4530fdd706191873f4fe7a012e9

SHA1
65dcc25a3be08d06257fc17cc7d39614bbf549bb

SHA256
0766b6f3caef0bc98ae39b43199fe3e2db223ed0d0205c11b33380d3232863bf

SHA512
dcdca942eaa963165f47cbbef5844c5916f90161acafd0e2dd912cdd8d16f6a5262aafb67ee998f4781ef273026f6386bf3a748aec64827cba38527bb305eaa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
32736cb76f8de9d90aa0f01032601822

SHA1
21918eeb9f3665c930665ac19e820a94ab2abda6

SHA256
dfe041093f660c9b7f2772836e86ae8f9dc8e181fad3d543842ce96b8ac92f0f

SHA512
02a00866b67cecfd93c03c1d3f11dc0b11b758bc5af041b53bb766a1f716f3964d7dc1943b97452ee61af675285880f87f748c09dc779d8bf386ae851e60d5b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
51ef2e8e813ffcdd3996e7ced8aa1cd7

SHA1
69b9011ad399b88b81af6399e241a1e1215c0e11

SHA256
468708e152086cb85742eb5ed07eabb8490450b6459ff05fe174e67a88551686

SHA512
119239a87718bc80bd6a9bd82ef938b03fa6307068ce7095c81b68ff1426b6a9f73e0bf3284bdd7b9b11170b703c79a29e40daeadc1d33f99bb9a96a86ebd2cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
f12f40c6c6dc95783353d3e8815118b8

SHA1
20af9cc48d2a70a8a2b589bb4d1b56ef9a03a501

SHA256
85a0a165b029a5e577460671dfe6abfb7627bfce4ac39cecbbd8e47e055e1409

SHA512
069413864b1dbacdac5a5adb55790861c0a811a97510ba1ba0bbe6982f0ae7dc3580da8b206f2bd57b02ad8ae0efaabb0cd8ca4d93fe8fd1ebfd1d009aa0fd76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
fc4248c2bc9d5c15a4e00378ca72b987

SHA1
171515f141031bdb125404099f60bcb62dd07c02

SHA256
6b9898d86543b26966241dc2333246b66161d8ea97e735574663372e2fa2c0d2

SHA512
d0e4537c223b628643f44555ee713caadd10fa143fc59f950655242a24da4e9c65cdb9a1d4857ec7b2e5dbeb823ca24b0786177b8606fd7af835f20e1f75c031

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
02fdb8d5631b656d8a67663445eb357c

SHA1
f3a9b71b5e7ecd556528c795126efd840dad61cc

SHA256
9ef236e58364f48102f440d2271737dc4f6d6e36fce439c06301a478d3e39850

SHA512
cc6bb0355f8e2824ea0e298c9fe058e3261f7f89402565d0920bd3bcaff6765b0a7631e309b17258c0951755e95bc4385a75b3d244999070bb0d1980cd62fc51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
56fda4c15d446d9baf10dca51c48b263

SHA1
ffbe3d5f26929b9367d012c71343c526fa318ba2

SHA256
b2546f8935c48f2fcb68cfe4169085c3dae16e66a920d4417c7cf4d81123835e

SHA512
880d2af544aeca133c9ea346ed8a89787a6748c50a9d284ef2668d85b9d8ddd5d7f230d35cec69c1ca6003df723430752fd20716ae8e65f15dc240fa4a094e75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
65357009cdff83c5a62763128d874fb5

SHA1
413a423848856d1b0a8e4b2c250fde2aef3827b9

SHA256
9f2b49867a4c29059b1789bfbaebd3e3b0b6c62c7aff3f9b545f2ba5e1cc5ac8

SHA512
5f863e11535189cdbf0fc83ec828af0a42cc6c99763ea3cef46d169f44837c92d3dcf2ce29520b6d2113063b05bec2c9f163337b951afe0e8bd0941a8828b283

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
f503146707f3c547c0dcf00d5fd59d1e

SHA1
756ac6b9d0c404c7131aed72f62ce37f0df7ac4c

SHA256
536595261dc94c8085950620b011ec5a3ff08268072e2558497fe3fbc9e829fb

SHA512
4fd5e577c3f5dc1dd8dbeff8d864d6fa11ded922629b18a259ef0288191f2b1ed691a3a2921dc1327d2f215d6cb0d3c0e31679cbfe895db2aa165d79b116d00d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
b5637679a85e1152fbedac1229292eff

SHA1
ed56eadf8be6c90c9e2fcdeac2ce6a3b123a611f

SHA256
f3133c80dc49caaea50f487dbbbff5bd1594fdf0d12c5a4412a148b43842f761

SHA512
322fcf14eea01eacfcd6c7928b598515fe67bbb142231e5a8b1dc63a95523586e3954720a0d954b0d35def7107d2ba62e9f12d0c17ea1d92bd6414fe06b03573

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
886e4151387bb523ccaa2e2d5227be7c

SHA1
ffad9e1199f99f45b3b8683c4dae5948ad4f1f56

SHA256
ec089ba048fc5e8c22daa4c6162c5fac03b201ecf14bab81449932e1fb7faba8

SHA512
02c413acb15901846efb1df466a5219430ab5c7c6b6fe71c621e9bdd86f022f9c44b25d4a4055328ff3f0a25e4d41206ee9f5fafe27230495e05bde06a09bf36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
f416bd0161d557d0ba1ba36fc3d76dae

SHA1
6f66c0ed289cf78d931a5fae3b6658b5a12c2d8e

SHA256
de93d58f3f2b629bdef8182eae1a6ef3e24a5ac1804eaeb5a683173b3c0efbde

SHA512
54fc1af3c02d4f24b4a0b9ff773bbcf5f4cd77ad7a44174beb588b95d5e9f38dc7fd3f4ab7b2214033836887d82f13a98c2e1e96af314d3d1a40897dd927e406

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
3e91049adce9dbefd535a883fe6a0ddf

SHA1
32c0cba83bf5d54cc886cbbd4b62274cb7bce5c4

SHA256
3f2803892bac7e1e1d4ab9fe81412825b493e9d10c7c137b9d9276547e3f5296

SHA512
dc79ee24422e0d0ece1ef14ef23209639d4045684d20f7633fb63f2162cf1b1fe176237482b4d822760a20c478c911d26ef858684aa691914ec949247584f246

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
352ef22280dcb111f2486120b26b7c0e

SHA1
e0db4dd6578aca459f0c10949cce5395be4f3690

SHA256
c10f387a7438d21301cc4ddbb317b337d96d531bce4f2f7d32518bf37ab1a90d

SHA512
73999e8ad13356dedf4289aaa16fed61fa45d01e1549123fee37fe3f4554d3f383ffa91448a4cc8b482cd14640ff57c7cbf6d3a76168e850aff5e241c87fa991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
0fe07fa9137e741668d0c2cf17f11123

SHA1
a0085a975725a1fb65f4ee2b749a960e769b752f

SHA256
da22e4fa9f3ee6b560d6f7efa889e0c660f68cfda7e95a73b4244b8263e31888

SHA512
17fea16743a8d3cfc3f7114a22443ae0dabbfe0ef932589a0f354e4388cd62814c7977631d7ea15554ca9c661ad4c1790ef37c1489ae874f2ed65a4ad5dcb696

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0195d21941e8b937265a064b8e396b5e

SHA1
58ac60ffbbc55d4a8445e5ffce7bb0eff3f3d44b

SHA256
331ef52629cc98b7f1ae0d4b4de7a8e5b5942e6b0ef2ac152fb8607618e6c61f

SHA512
c3aff9d292e684dcfc7965af72a8808cc007f90ad6e8fb1d7a15735e225743334e8dc535b2727571c882e95ba7f4979b592894f2a6bb4900f1b36c64d1d94ddf

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
16406315e9ac08b0bbde11240501e2c7

SHA1
fd696e421fa06b84b57e9fc553b9ce97ad336f8e

SHA256
373199bb21b6a92bc252e3405ccc6dd710c3901918a8b2ae009d3b2dd15e96ea

SHA512
364c7408f38799ebbd73400114b8ebfc8b4b6522d2cd71b4b72f4a3f0846cd3a48f497689e44af25b044964ec9303960c146fe9e022b9a25846598fab232cab2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
55b7fc29a5a00c9662096243bb4c682c

SHA1
4378b67dc2ba7d59a0b194985836d59b3fc60aef

SHA256
47d49c7db37a0883c021d7de1d3be89bb3a91a84c0e18bdae8e6ea5e8dc35590

SHA512
0541f32461a2f1ffd794021c3019b70d7fb309a4706b1b5fa2020b31660127032503d9c19b7828cb402118b6751f03abdbda92593a7f2750e799f3fa18f021d5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a224cd217b1b51fd151d83342b4147dc

SHA1
b29bcbc555df493c8bfb77f9dc09a3e43840e386

SHA256
d6b3ce8f57f30db327406cee62758390ada66f175aaf78cdda7d5ac7dce5a3f9

SHA512
226de75fb90d1986d7a5febe09b738bd1cfed885d7f15d0084ddff42d5c9c562ba484ee9c938a87a850d67bca0817cf1cea5e34972730e5e3736f320ef77445e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
0769d7418eb685558b54f9e1b3cf80df

SHA1
a298f14f33d8b1a7512b04b59b81eb8d559f0ba4

SHA256
1d6ecd9ccfc351839d324e131789de36536fb39cb61d3a6d5d13c34c05685c2b

SHA512
7c3c9b2d8e273d347548df96de8afc61cf7d2277c72a617746b66ee9cfb670eef3a634447a4d1c41764b6018d6ea3898761f1546ed2b4c04904beadffc1f427e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
02aab13fa303ba3db8fb96d165fdf655

SHA1
ad39b28f29ea48a0a643ff192efc8ff4a74f409b

SHA256
c60c30d89267c039463c4d8a24126d13a796bffb9d6edf332376c60a63252a14

SHA512
e129582fc9560e2a2c390dfa4c48880e01424e8d503c854630fec25aa147a5a009eb363c515d8118f47339e89cba2ff7cf09e39aee939c301c37952fbce8da10

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
2f5f7edb36d7963e95cfdc110055c6f9

SHA1
66430401b75d0e8e90ca8ee60eebf9c39972a3ac

SHA256
205f33bcf0c5e20132a0f2b6f05864f32af76be28c209477ea7a4e3602a8038b

SHA512
639ffd2d3863889f7f55a585fb2236af5ec62ec308eda515e799858421190a291be1c0bd5c3b0594a89679ef0a629ffbe357126e489d67f52820f0e28e1fe937

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
d505f886258c6a5b931ec63731468c2b

SHA1
56d78d45a4fe5cc999dabf327814c284e5d1ac36

SHA256
27f24454c2af3b9a192c900e8ffb56899b4bc69eca8e5d87a22ead0a29c894d3

SHA512
f5293c877cc11f4e5a88bcced47661ca3da099d9d3863f3cb06b88e4997faa1a7d164c1afba59cb680257598166970abed08abb41ddbcd261231ccdc6489f827

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
c4335ed80c53d77b2d81c58f30c3fcc0

SHA1
371b2760820fdb22ffd3a1e19c7b92bdae08b27e

SHA256
50a24eb2538efd758e42a7f7ec635aa3613494e1b8d16d842e967aa0650de6c4

SHA512
8a358879c7422c514761bb084ec81b8cc67484906385f08b68ea1a50d17c802d779ed1167f94ca17dc3b43c4e288608438f18295c6ac192311c9a426324afeaf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
216fa7fc4314878321fd36f67a35f542

SHA1
59637714c0cf6cf20da6208e55aa66dcea89c4df

SHA256
86dedb3f79676940d400ae6b203b0deeb573cc89c80f5ee2f8e399140621de0c

SHA512
b95bb2e89a9e6fef02aa1748e6c2f10683decdfe109333d4570a7bd33d2bd8f563448449538a286525d820570aebe6cb74da3499eaf67699ab4130d75cdd9221

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4aad891e20e0a1a88df43a1c1db911a6

SHA1
999c62640502c2b7f893da33292d89210e0df873

SHA256
2c9f0e195b7ca96d79b5943c93de9272879e17d60e1cf60dcb9334e453c624da

SHA512
1f048dc42db69d4826c9a9ac52cc51fc1cd05ba6e907b9bed56017da866c5f144bae2bd03d99cab3e55d2a96b83c214588eb84a355bd31538c372d2b9f716dbb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ba921abb6ca2054e43d09fb554fa2038

SHA1
56d0519b6aa5e843a3e5d06a8f538c2fadd8cfbb

SHA256
ead5068c9e2ecab676552043fc1249d67b88128b14967dd7447093647fa6fe1e

SHA512
44a925fa914c575e751615adb7528709be4e2eec875851e0a37ce1090ab36a448d9685cc95915775434748e8a8b09165991d7b2e485013a010a55e4fafe8bcad

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
a10453712897752dfc610029ee276926

SHA1
79e3ae2a2253f34890250635f6ba7f1c4d8ff662

SHA256
a5429cea0deb344face9fa23909a3648ab990ca73deb7aeacf92ac7951a97925

SHA512
d783ef5a612ce0d05eb5999090603d28a27d5d7d39ff300ac259655a2a60680cf565dd19b5d65127da2ddf72e3b7f176f4b71ed14d5c6efedf1f0790e0387041

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
df60689cca11e8886e8f3dd39d58d667

SHA1
ffca4c496aab97baa0b290027af3884b9ef9b94f

SHA256
69c6fa4d3b52210d874723a131e444039b783540977db55d6577eefab6791730

SHA512
b0eb8018cb3d6dce56fcf685f643885a426f611a6e09f1b8f7f3efbaa22db2f302f4a9b2088973ba0bff63523838c1c6b06b278e1b21248fa3991dca4f8a0b91

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
bd7ed3cd3c75b90afa9cbe6c81da42fb

SHA1
897ba0bd27982558dc97df1b09082c9e32e5b7e8

SHA256
dacf69bec05723501a8aa2d05bafb12520fd7d123b12eb515764bf0db4840e64

SHA512
c3334d8a9bf73fe71cc02de1acf20a23ccfaa09327fc283f4575e22cec6c50ff54ace9d5b01bff5b82ec6d0980290b5c857fd5da1ca68e488a7787e972ecf1f0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
9c94e6ae8315f03aef925dafea552fa3

SHA1
aa4e7247cd3ebf36f5e957ddb71b2f73df6cb274

SHA256
ea36bc83cd9d6d7e77ff257975cd5b7219f2dc1e859d52136a62ea38d2057a47

SHA512
ebf449f5203144a324816014628dc376564675b98f853b7cb74bdcee5d643911391e5ea0b267426ec649e6d93501aa238e4b93a394b2b1ba44fd940850a6463d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
01ff1c0462df6d8d1b5fc030ba7096f2

SHA1
6ca4c5b97776d4e6e1ff24e74b31d68bd28ff780

SHA256
89e49c97ebd3eb835b9ccf4edcebb014fd82c659db58bbe6cf4ed642687f93e6

SHA512
4371246187d25db05716ebba54fa0df4ae107359fd5e62b6e8bf0b603e709bec3a2fa4671d0bd99268892156e3de3c7d6ac2589e0d4cd815f0797c0de9f5aaa6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
04fad230c42bf36ee40c777e0b599652

SHA1
897393841a216219dc0bf25843f14f261ec3cc54

SHA256
a23222af13ffa902dc85d38d26818e43a645489090365f6563918eb27f46a274

SHA512
fdbce75a6330eb64725e30772c9f6fcdbac80b740ce81b03de80fd50c413eeafec0a1a9c9ade175f92396ad6a018ecb1339af3b1b484b20a8e4173c1d4cdcfd4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
6c5637b2f48558b416e2337cfa934edf

SHA1
c0b7387ae73caa51d656cc9b91aeac34f236e484

SHA256
bb6f41360f2db26bcf177c79a54bd1650d1d9bb5ca9a2ffe7c13239e05235386

SHA512
2e0028af3b049ffd83d3a91cb2334a07ddbebb2cbfe04a8061a188475dffe359e671edec8909106d440080ba52e9e3cf08381dc9e4611ef9b18bb5ef3b90766a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0b45ea088154b7a7298d2ebde048bddc

SHA1
9d252d89927df630db0fe82669c322a12ee49800

SHA256
4e42e137dcfff18256b4dd16bce92b6729f6e5f40cd3450958795776552d12c9

SHA512
8b2a26ce2446899caa898001560f93de244b7aa36647a480af6bdd4d09e3c23581245a9f4dd06edc956951bd5ac9738f43d4305a9af2e82a4ff763c2812d9a0c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f4b6b30325d1c8e04a9c7e8552beaf34

SHA1
26f7380d08801fd79a3706f0ca127a5ee33d5e5c

SHA256
cf41667dc04609df6ad406f09a5f4b25ff8e69c0f1699965d4264a98b4216bb5

SHA512
c863433b882e2a8978c587bc89248f292ba69fae5b26837291b2eb8ea11395b3302f70dc0d12580532b8bd5229998db533fac2376376b7c74608cd2f236a1405

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
1375fcfa3944a37b76d745b0e0f4fd10

SHA1
ec0d9c81035e71fd4d35435b6f98f809e31b2694

SHA256
f83c607d0553343a24be09d230b04a4377ed9ab8d59139f7254603a7f62339c3

SHA512
e0800d837adbd0764b4398439810bbd7d33904f78c969538972f1518dfb1f5d903c01fc7b73dd71f4e2ab1fc9a42d47782f3017a8ae9cca0a722bd8f9496ed12

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
92b35ae5ceaaa8267b48b88f56347207

SHA1
98d0aac5e6508c90efe90b5eb8a0348a8f4e7634

SHA256
7e8042a4f18a594d6a5c2d9b15446590cd8b4d98fddc56ee6ab69275ceada754

SHA512
238bc2317707cd2d2c77a2efe651b4df3f9190a2a21edc18dfb4c312fdcee2874bf22b85a2b40a383401272a4d62707e408d5db85965321d0a2fefe69b8131bf

Download Submit
memory/316-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/316-274-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/316-556-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/528-33-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/528-35-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/528-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/728-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/728-50-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/728-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/728-56-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1060-9-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1060-339-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1060-341-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1060-1-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1060-84-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1060-0-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/1068-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1068-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1432-188-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1432-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1432-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1432-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1472-75-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1472-263-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1472-81-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1472-85-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1472-87-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/1472-557-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/1472-89-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/1712-126-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1712-237-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/1976-47-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1976-39-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1976-59-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1976-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1976-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2012-112-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2012-22-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2012-21-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/2012-13-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2224-327-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2224-164-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2320-250-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2320-129-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/2536-189-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2536-456-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2640-113-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2640-226-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2668-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2668-367-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2760-200-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/2760-489-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/3260-503-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3260-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3668-92-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3668-91-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3668-210-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/3680-558-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3680-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3920-520-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3920-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4256-553-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4256-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4644-262-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/4644-141-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download