783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 12:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
Size

1.8MB
MD5

4ae053d809ea918291171fdc4fbb83f5
SHA1

33fdf45ad8b05cd4752a5d421d5b28bebd3d2752
SHA256

783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2
SHA512

3d06d995d00b3aabd4ea4c7f5ddb08263038d7306b5837e8f9d34293d6bab2e6b4e3b9479d7b0a8eaf938aa09783449822e2ced03c06e3a8f82cbac682cf8848
SSDEEP

49152:gKJ0WR7AFPyyiSruXKpk3WFDL9zxnSg6KFdi2Ga9x3Ek0V:gKlBAFPydSS6W6X9lnNHFdi4VEk0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4024	alg.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
1000	fxssvc.exe
4336	elevation_service.exe
3360	elevation_service.exe
2848	maintenanceservice.exe
3144	msdtc.exe
2904	OSE.EXE
2148	PerceptionSimulationService.exe
5068	perfhost.exe
4444	locator.exe
3176	SensorDataService.exe
2196	snmptrap.exe
3792	spectrum.exe
828	ssh-agent.exe
1740	TieringEngineService.exe
4688	AgentService.exe
3468	vds.exe
4284	vssvc.exe
3664	wbengine.exe
2200	WmiApSrv.exe
2704	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\System32\msdtc.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2137ebfc8fd48cb4.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM540B.tmp\goopdateres_fil.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_115765\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM540B.tmp\goopdate.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM540B.tmp\goopdateres_ms.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM540B.tmp\goopdateres_vi.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM540B.tmp\goopdateres_ml.dll	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dbc48d4f9091da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093bd09509091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcc8d6509091da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b77414f9091da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004dfea74f9091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000886dfb4f9091da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4280	DiagnosticsHub.StandardCollector.Service.exe
4336	elevation_service.exe
4336	elevation_service.exe
4336	elevation_service.exe
4336	elevation_service.exe
4336	elevation_service.exe
4336	elevation_service.exe
4336	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2240	783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
Token: SeAuditPrivilege	1000	fxssvc.exe
Token: SeDebugPrivilege	4280	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4336	elevation_service.exe
Token: SeRestorePrivilege	1740	TieringEngineService.exe
Token: SeManageVolumePrivilege	1740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4688	AgentService.exe
Token: SeBackupPrivilege	4284	vssvc.exe
Token: SeRestorePrivilege	4284	vssvc.exe
Token: SeAuditPrivilege	4284	vssvc.exe
Token: SeBackupPrivilege	3664	wbengine.exe
Token: SeRestorePrivilege	3664	wbengine.exe
Token: SeSecurityPrivilege	3664	wbengine.exe
Token: 33	2704	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2704	SearchIndexer.exe
Token: SeDebugPrivilege	4336	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 404	2704	SearchIndexer.exe	117
PID 2704 wrote to memory of 404	2704	SearchIndexer.exe	117
PID 2704 wrote to memory of 3160	2704	SearchIndexer.exe	118
PID 2704 wrote to memory of 3160	2704	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe
"C:\Users\Admin\AppData\Local\Temp\783cf3f363ae44a53d5fac52edbfc98788b5f0dfd5afbcbd5c9080c405bb28a2.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3360

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3144

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2148

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3176

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2200

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:404
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:3160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ff8177e02f1aede3da21950e7c3e4d4d

SHA1
1c3f239490ede49a2db61899c019e8a55e021277

SHA256
9d99dbfea32fdf1f43c89d5ed90b8390a347b5a69a3e4735f1cf463aa614caec

SHA512
d4361f6533841954e045d3de1553ad9bf9fe441c3a215496adf6d612cc5722d14cc7589388bd67729354e8ebf259885898a8979424c49aa67dc2b2cbd10b86c9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7911fb47f53f60b8ab0517ff6a360713

SHA1
8ff3ba62bed5245b17ce0aeaa2e74c9b9af1abe8

SHA256
eea434b919f5b72d9cf3cba9e93c3dfe2e59193c56743d8dd13700f171c1b0a9

SHA512
e72b5d6dbaf10f0e9b16f7ae11108eba56063d2c6ab9e753d366d5a9452ef0233323ef9f13d1b4920958d8930a372c588f289290a156f77f2a55e96a662263c5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
c38167fca11bfef10de09e9106bc4602

SHA1
cf35f3e1d248c399df70d91069d2758a9a63a958

SHA256
b0f25709e29bca93c1e2d9676ab7983fbf9e6a9ec68bc68bf98880783494bb81

SHA512
f022095d53e01b9818dfc8e5dbf78cc01ee1518cf11390a67a09bd642091a5b61d2dc0243384067006706197be2b91cfb71e876c82b5f69b20e067a94214b993

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8cf5cde592d2b2f48a61b329b182c286

SHA1
0e639765a8343692248003162159f5276726dd2c

SHA256
c8d08229ff4a69b12f06a5471155f0d5eb6df103c1014cdae9eb848e188b018b

SHA512
44bd3e0ad26224da69ff0b3f42ab4c20a51f32e2c1eab55f7248191cb14415d0de8fce319270d368e89b9184872ddc47a0b5d4fdf03c3368042a0d929ecf3fa1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
13515b2a58872ef41dca7d07fa1d8b6d

SHA1
b6f268048051425be900d3ca9b8d4a63f2c16eac

SHA256
dfacd4ff4c52860d34f69bac6a178989791b7a8e125d0ddfa8b25c4e86576c59

SHA512
3ba24e3ebdd544e3d991c60c716a45532518d08c8830007efe6617cf530f0b24160c4e7776d2d92cbddee4b7259eab4f184145a8c969cb9919731fe987d172d2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
82afb691e81073765bdc2a86bd909a4b

SHA1
264f4ee1071fc3307c42991078c7d91cc5edb243

SHA256
aeb23af3d62f45ee358afcfc28d81386fc0c5da21cc31990a38086ddfcb5dc29

SHA512
f4f014c46ef400ad6a963f6a413b19f063be78c31060331e9d1768d9b85bb99b38100076f1c3b17a8906d53ed350951152b892e82b115b0e63271dc286d97691

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
c705f9fe10986ae7760d299e39dce488

SHA1
80470f987b889df3574a64c29967aa21890f4ea6

SHA256
d180b01e13be82920257ea347c7101d949507fe7a251ab91551040f91b9f1d84

SHA512
12db4e3bd4d835f0d48aaa7c917667cc684c9c5fdf46791ffd76e4c7a54f6f082f228326a53a8aae44eb6d0a8367b578900f35c1dda081a615b122b27dc2b7b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bc317e54c148a2c59a8f83252849bc2e

SHA1
a4078cb1d06dd30be93e625271fe356e745cbb6c

SHA256
5f74865afadda88e24bbbd9235d55fbc6b24ae8ce347a27c90f5dc369257ea5d

SHA512
e7e0a92b0f286b6dc219851b4cb7fc1520416d6d8f437ef425f9f3112520743969814d3d81f85279564215cd77dda492df74e35ec4f43534fb252eaca25f08c6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
46ecf53dc5295d0030213f1157b9d315

SHA1
43397d74fc2a6cc6d566395a1e1028b2bf5e27d6

SHA256
fd5e7135b46049c0f31e519398f6041205f66c5103fae8b4f52d1402b9f84abe

SHA512
2900beb6d658307e9959c31ce33c263a1bb1d5b7fb822fed6217a2f11555799f61ad93894f662a2ddb711599bcf30262dffc148ec0b58b8f17d4986c46c0cfaf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9a199f289dd6b480bc3d04de9f57dffc

SHA1
ace19a355dd469624d023ccda3e48c8434428b58

SHA256
74d38090748d7ca1aa8f829fade3684d7856a2456435c8370e2ddba9fb3bcbf3

SHA512
fde93f9ecf70a3b4bc357be75fa659c08da97218add589c5ad2a09c81199ea2b9a8b87907db41ce68af09fcaaac0809c7a6d21ddd84daca4355814fd20b79026

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b1586648d6ba9ffa8abc2f80e3ff6349

SHA1
6e2e165a2f93ee356681e3801db95be7975df8af

SHA256
5c2ce0eda991488cbb4cba4b6e673ff1304a74e9b17296e7fadfed6d2a8cf4e1

SHA512
3eeb719a5f58044a6d84b962d3e69a63f04bf3b7738bce4d3d7361d18ece39b906e0c1002f111eb2e02b1ba9558889826780b67b8dbc127a50629a08d86c8c46

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e4ea9311c04ddeabbaf81afccd875d93

SHA1
008e15078bfd75b39f46d8b089f298d4a3ab9c1f

SHA256
de7eb683e490f57fa48487abec20f01fd602136f37efdff76369eefeebb78a69

SHA512
951bd8a8e1f3fe34be51a820bb2133dab8a4ef376f0d6f8f71d9575e34029854243cc7e070a8bff2866fb07ea5480d76590e8ad37cffdea93314cd27405d5ed8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
8dc655e6431d0b885434639be92c64b1

SHA1
4fff5216f8be7eff15353f77a4072d3510d20179

SHA256
496b932799bad79c351bd97d24649db686aa26c3231e224a811a0d3a4c4d0812

SHA512
5a8f2344d8a458c7b26fcf98d6decda5607cd5fb13c762d29bf253513e3df824fc609bbcaa33ad4bef301e285910fb7e8b89a7a819296a273921149922bc809e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
1ce76253205370e9f18287f2b07a1fed

SHA1
8440caebd92c847011e723547b39bc71b590dbc0

SHA256
0b4d69b1e197c8d83a4088e3cd366c8d838b21c54c64ceee64b125363a4a5685

SHA512
5bd07eaf34a8c6e9b92da973418cb6f577972927ee8ed23faab1f38451dcea7662df2f131b9142b66d35908a1a53f1e28de7ae13530a05fbced39458523af5a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ba03f1dee208fdd46d8a2a226520d416

SHA1
77e6fd4ec414593df43b766c1a464bde1919e07b

SHA256
1fe6d8933b3e206312e3818b52b8c6d42568606e4eb5867cfca94ca0a5afca25

SHA512
ac767f0f6ada23703f0f28dab4ad785cdbb448dde1eac8db65fd9f6bb7113204c4f6ce871043244e40fed686a44038bab2a1bd3c33fce46ca7c19b20689d2337

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
bbd555be80d9938ab4ceb5a80b9915f0

SHA1
aa2beec04c804b0e4f3231dc6780581e06a9047b

SHA256
9fc58922e0142cfcdb465cb073e5945d73e0f488254cd02361575f22c1951ad2

SHA512
355ac584ad886359eaaf38a9197cb36f243ddefdd12b9cc815c77f2aff0cff17b14f3d2c662ee75a8a63fc5434c3cd9666996dce3cd8ac28b4ce6525ff24ff66

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
1439f3fcf35b13c307c4459405ba3750

SHA1
e820f6e342498ee34b4ad8c559964c42c0836b89

SHA256
5e9e4e6fd5ecbed675c2709b10017f2d657648dda8792a243c719dcfa5e31eab

SHA512
36dbe967326b8b60b0dce55b8ad78fe3ecdbd3004807ba55677e9a3f249e775986a16fed54883f91f66e941c73330e76e33c3a32f812fb581114fbb98593078f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8ef15bb00ed04cf53e91cad431887d4f

SHA1
cfeb26b3bfdbc2e3ef27a1869fa7707d0ec1b251

SHA256
abf43bb879220d69a9503d32e8dafd31c5ee671b1f04c00f76e0ba5c0d3d97b1

SHA512
eccac3e867bef88030ea74da96d918c4a88c4aaba9ee5722c3509bc3f972242ac36117636c6b8513b66a9013671cea3f957ebda02032a7b919e4bd70c5b7d15d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7a424549171fa7acf1b8b3b67e869028

SHA1
93187b8f595a6e5a3fd4916b2297817d96eb3dfb

SHA256
5ff43f4f4656b96c6b1448f6fe2ef23a7f9931d7e4a32b40b474ce4d0bfb597e

SHA512
e590f0f7be56ca225d6425a0217dd36ef0740338b49ceb7846a2768cf87b85db51c839fa8fc42afb17abdcb6ee78832b00e58118c6f0935da0c00b74684b0daf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4776f0bc79e3da12c783b2f4154980d0

SHA1
d9dba19354732039bf96df8da78159814f123339

SHA256
8e5ada86852f80327187e088d4b13dd7fbdfa28856da4b47d2177d968e2ae5f8

SHA512
32bc692c98e97e8d8490a6a0fa90fd403830d479e4fc13469d41b82feccd8f04a2738bee62c14a541d1ed9596e727595781bae5cf1247445a951889b9b02c1ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
77edf99db12977a65449e31952d6d3d4

SHA1
9dd07c6e03cf0bd93a8cf27de1e800a26b54fd49

SHA256
447416057235c3e6d3bb2e065bc34fc36bac1b55bd5bbae4570a0d0b94caba13

SHA512
c756898cab5a74dfb0c60280b303e931dee1e170bf8a1d22ef01f614fec339f1ac62c22701ec2131befe222780d8b341180ed099671252e19b3bb3fdb60d4ec9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
58c97fe6aee0ca3254233fdbd5f65f5e

SHA1
742dd1d5960d59a84f21f84b80405d6d6c6d44a2

SHA256
0ce6d65a26a704468e7cb39aa44aa1821a4ed0578ad7a43d7bd4683e81fdfbb4

SHA512
7297e30dcc0cb9417b43718d0e281e52c2fff30ae4de143e4ba1f6471e4800f7a019dbcec046c62b4c6cb09f594118fd47a34faec0bac3e09ad3e23c773c362f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
04a6be5f6b95bcf04520c47980a77821

SHA1
b17f173545bbcbb2c882de60e5510b6c9d47249e

SHA256
19baf2ed630f345354123ef0c6dbf66142b2248b244a04f37766ba076f9c4855

SHA512
ad67fdac9560fc86ae10be621e88da94ebcf42b92b591abececb75b73a0a722e52ecb95c7caee81e21f22b248b1ac515f1c7c9f1e5d03bf9cb7398f2a3f197e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
b26f1f4571996c393acc62e56c15e453

SHA1
6c54c0d99432f9386fdc3f9a48a412c7d28cf20a

SHA256
f77c0e6d947cc83b3cf8100376e25e8d3e58aacb9ae1b9fda200d8677ba1a716

SHA512
38b3fa8d9c2a67a4547f578cbbaefa7fec76846a2f70c84dd198981458eb02d5070cd9ee78a480c7cae906b18c339b602ace7b2a8ec41ae317f1c228600c5eeb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7fc88cec0e58bfc675182ed871b3e957

SHA1
6d013cd7fb3addec08ec1f158214b7bc4b001fa1

SHA256
276b165b3b7d9a397826b66094d6b37e9908621a15fc8a6a0f7e31ff5a96e379

SHA512
5b13e6c3eedba6fc4ccd4edb6f6695c70a0e586e557ca850369c83568da7e517324cded9f9a59029b5e63eb1f0767916880a07bedd4dff1295731f97ce8396cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
8aafb19ec895e56a9e4aa753ac96a7cb

SHA1
f51cfd51ae457c7d70ea5c5467bc4d7ad8167bd3

SHA256
80367b728e7ac592b0c10fbfb63b75bb2a221205803ffd7975012d717226027e

SHA512
21581d57b69550c0ca55736d362d21c6be00d7a0ba5808e8803d2379e80bb39f0eb9394fad9480d09303073c3a5eaea6a55672bb25d78bff573e41787af76584

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b098a33b8df24cbbad594a040a65e710

SHA1
df35a7af55b626758ad59d18dba1e4eb3eb1f75d

SHA256
903427da99c23e8cab4bd745969848ec2f0e35d77392c11c271eb898182184c3

SHA512
a3cd67cb13d1afeac21934e06050f45ac9eca3dbcb4f67344af5b5828f5b2b1d36b3a6c8a251910c08aa026ce9a0271c7d2c03a2b6c015d8c4142c19a8ee88a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e0f0e9b8c92eaa21451b72dc51710c68

SHA1
fd25bf4fffc14181eb67241a9ca1a60f655acf05

SHA256
d9b01da9f287e4c361fc58c203187732bfec261446f59858015e262bbafc185d

SHA512
6cbc63830c8cdd00e785b667ef2d4ebab2cc417b555253fbd7eeb94f24e598fccbc870e302b2dfd00679083f71cad0843b8a64cd97ef3dfe9aa1e8c81e45e31c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
272a88e1c9236445a5067c369fcc70f7

SHA1
3fd251019ba6855b2bc659db13548f8fb9edf369

SHA256
fdbc3a7569ca4062b28cdf3783ec1d7c8b598bab0ece8beb9107ea8c893729b2

SHA512
274b2b4d94aa3f3510785895818429f9d9974157e2adb0362c53d6e099a0423bd5c185f10b30db776172980f1cbb4ed782811727f5e2a70d6857b029a9af742b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
ed0a53603c160613a84e21a709057e0f

SHA1
c70b9fefc8fc31723fb705379b354e630a7190ef

SHA256
5b02f6fdc7cc2ff65a6cd3c55df5c2cbb54bdb579d7e8a96193b3f8876ab9c11

SHA512
542f24611eef3f6942062244b21ec496cd05cf4e98779bca1dd70a944ebd5fb3a67bc347fec86ec52628abf1b018f5c717f63f56b1ce9c2ba85c91b3dc413f19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
18491566aae5bd46b0178d3c847caf15

SHA1
07d9ed15bc9910fa97037ed09705d827a32d3118

SHA256
da492e92d899d248251d52cb5de374efd8400729d22de224e96af12427fbb577

SHA512
7da56e86d580f0b0a3731ba8ad6e1453c70e667256a2336b920f74b0ac590c0ba06140b145435dcca1f29aae5e7a9d02024e840f0f2b073665eef547bab699cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
48231ef280f00c68346638fe098fc037

SHA1
ced8c4d5967482674d5d1687c22f71febd39e702

SHA256
447d0959e7bbc019cf68ca135c3098e2ab51781a81122600f4969b2091331688

SHA512
7f74602ba16abd628ae00d1bc74f34b63b17bdc8c6a17da1ae4901da3358af09ca1c876de591aa9dbc19baac41eee85c0c28851d46053904cfc2fd17477c373a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
fc3a6c58669ca3a697bac21b2f94a72b

SHA1
3e88dcda110ce74bfca945e8b3a3ee0d77def3fd

SHA256
daf648f2a4ca18f0086706b25dba2d498a0f0b05c218802074ab8505e6ff191c

SHA512
ab59187d414a300609a6287703bc1d1167471616ff9ff6212e0218fb2c97fedece7b730122fcdf8ecc294fb1f432c3bb4daa9756c2788fe1019d75604c54d820

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
ee6ee7e73e5a379f7e4935943d09d2de

SHA1
28ff8ffaf159911d669fe9fdfef257197f6eafe8

SHA256
64040fe422d9a35da564876612a7e975f41adbab3c0bbdeec1b9c8e647c141f0

SHA512
5008a325c580c4fa6bdff4065db632e7c4a8d0f3359697a834528552d6ba07dddd6436f04663e6da1a5044136f4278ee5681fd1afe4cb89731442c80540cf3d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
c4238c4204b058f47bb2aa674b62809a

SHA1
a7898874598d360b60ab00248e917d460f061253

SHA256
a4447c493edd7233f6694ffadffa9bd3e7aff83c80eca70ae05c4b898b8078f5

SHA512
871af325bb52aade8696711db2fdc4210320c10fc934323cea9ab6f1ab08ab4562f87385607d8222ea7d8861df4e0dbee7e41b7fd078b02bb94268c3e9d43ee2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
e20916dd4b90fd197545a482394584ca

SHA1
090d087d6c85dc1c3d0784c69058853b804d1e16

SHA256
2e2326c685139c4d25c1e7a1b245aab2e6d7d0e810dc2b4a4ccd36d8b45b6593

SHA512
def861f27dc84b4704fd51c0ca16f6e95f0ee7335d38d12f825cfd0fe288143656bd431791a7d3a9c5da1efb947c90744b51d6c88e21131a16b223b12c4aac5b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
0844a87e8c0ffffbb807858b5566b01e

SHA1
de9a63a0a877b4bcc21338ca8062e67cfe1323f8

SHA256
c2045fc6eec8a6861e046efe218431785aae263ee5d9de7f70f945ec454c381a

SHA512
0bb7f1d6573b172b5cdfc28f835f7bd067f6d1237c13d8baa214884d56880cf524e7b25b4b7b92faf46121a0e316634b0b1b17975eaaeea712164eff5371e572

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
4ed65a7f3427e301e87ff6adedef97dc

SHA1
0b3315b1dcf5fae448cfb3fae286dc4ea9d6dd47

SHA256
87ea9ab839d0109089ecad5aacbcd27419e7e3e42a168d1b484b60e3c2572db8

SHA512
a0f0502939df46a5c4d10a279d1a42cb60015f1e51c5fc9b217b0a09cb49cf6f04ab8f5dc0c59da59d9370e3f4a1d1f6aeb56bcac46354ee1c371aea5abb5e78

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
6b0783b89b3454baf329e592b641949f

SHA1
dc27b11cd3d4f38180125b92c3a16c3b937b5114

SHA256
0005ff9f095c488bccc95f57c51554a0a0da3e43b25b8ad2537ffb18a6b66a94

SHA512
21ccd04c3bf578f18b66ea482b42345756a4732f01ae16958c91e074c010d4ac33dea93b55f5d9aafbbe5e12b6dc0f8d98fcc5beaa18442a8ef6ab9a259ec003

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
660c82b206396bd7a45d69ed4f7cea00

SHA1
3c47983c82f7a7595c78846bedaecc5c37dcf86a

SHA256
18c88a81e89d345047b9b7984b1e4504270bf49a2dd48ac614a6073e46ca8cfd

SHA512
e12784c0deec6b2860e6b33d0d8670dee3bf81ef70bfcb34bc9b30c6da60c8930a7aa69fb9ca616aa600b84c3bfc7d31f0663440080024983cf318adf466af29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8fc7a96404350a767b7c3cc7925a2eff

SHA1
3af92208d48841c80198a0e65043691bf02f5b23

SHA256
39aff3a283f53973c8f5c77aa74cb7629960fd0a66e7312c620d36eeab887d7b

SHA512
55b795c6dbd3a407468eff642fd8daac0c5fde258b250399965ba4965b18f8aeaf6bd5eb9e8cbf52f75c6c60474d22960bbb81afb0b40114266ac87eaeffb306

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
19adbd8b8cd07a955a564d2b80c4fdb2

SHA1
a9f49fff6677b6e70fd9045b59c6a2aeb1450300

SHA256
a863ab944519bd40d6a85e85c74d05312e860c023fe4f34c351dc27c54d9026b

SHA512
14102da5a11690496bc05c2e2e850b005b57a3ea1d1873d6b2fd1e710e8933ee076093ff4cfe86f1a6416afa2db93b255a435652f8e00bb57de74e79fb062629

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0e934d6fe2d04d06e8cf5c002dcc25e1

SHA1
b0f1005446b6a033b6778c5d642ce27eeb2cc05d

SHA256
e9ee4591c0cd9551beb8b2511b6beaa5100b2b8adf3afa62f8bdbefe709c391e

SHA512
e8a1ac45f269fe8a200a84d9932bee1d90df3056dd9847827666145ef7650f139add3a94344886385bbb866ac03f42147db6819a4734b4525ca279a19530437b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
6a7010beb2baebc5cc3e952ab006b98e

SHA1
fc16e46b289951bde5702c3a24e1d9dbc4c2b8b8

SHA256
f06151447c33ef9da2d3fb9c6daaae74837a63f2b8309594312d4d678d78584a

SHA512
63c8fc5b66e9a708b8777d02b45bfd1717e4c3954dbb259478440b9e18a8d36866c735539071c5df64a1819c72ecd23a082bbe7d4cb4af95b206cd56992276e8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
42143c6d6613887d60b965ade8a980f2

SHA1
3385e333fd796a0609f497272bb88565faf8b21c

SHA256
14f735e22118edfbef37a598ffd7fdc00d103efa7e7e72eb6bceeafb95d38b97

SHA512
aae4b446f159919d57a3518291ebdf1b9f973493669f64c0bde7704a3a8218a2be40302e5fca0273e15a96ad66230e69657d8932fe41fff111f651d882dacb29

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b30ed704348753471e911c4e51849c8f

SHA1
57b3a0a00b8cd55cb9cab1fa9ea1e19de0e98aa0

SHA256
6a35eefa9f190c8a52d7d25d39d57ea76910aa9714c4d4502149e48e9ade2bdb

SHA512
11355450110d3932c7cdd0d9674c27fc26d122a27d93be278e877c4b3602b23839018441cc542e2db9342286846373f45b949d94ec5a630c095a75a5569fb63d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
468169d5d2044913b3d026ad6d6c8dad

SHA1
07e2fb311939e84c8562884b9980fe34c6890a1e

SHA256
3c07b4f5b93ef457ba1d473d40628dac1615d4150799d6570ff8622f7db6561a

SHA512
9e0d81864a946a3dfd67a1fa3dced2541d5882dfa374915485fcb6c5dd07da7c3d32c592e69deb9758d61764f99eff4e33f7f6354bea570185c7775def231d83

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6646dec4af5e0120f0ebca9e7555a144

SHA1
2a0f2138d808a9f39be0631ed890d032b25f05c6

SHA256
f1c9f726ddf5b40b56312e51e001f8c8328d3419f2c7bc5b54d1e284ce0bf432

SHA512
1bdd01564d2edef85b9da2a447f2a8d7196b4f80de6d9f2204fa5d6e599687d8968dba7a9d03d95ed4e5d0e5d04f316699622945a21915294044aa5f066f67ff

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
96e3da8ed15a2a12358990de9fc99301

SHA1
7bb5bc7be58ae0fb81ad34d5cfed4d8688337588

SHA256
2ae4a8ed7522180ceb1a1ce8eddf8ee7a7fc35ec62df2e4e44041a576c93c011

SHA512
f8cb2a5c03e7f7a924cc0791d469cc3f1581564048bf42c0caa4dd0c25f43be68ee95972e8d7570725d3686aaa318737734e67515dc7fe70f583c78fe312c2af

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
f7ed943f3db2bb79914347695839205a

SHA1
0b3c957189c6227a056c5cb1506398fb3484caca

SHA256
3232417ca6f4c01a29b230f114f9a9cf1047ddb93f1b665f9601fc991034fd8b

SHA512
8c946c81baea1210ec7bb6252b120867a2d00e2cf22f468ad051b0e7b2d2624893317365161d02548e44941d980207a551cab6f29f2c3c5c80aec1ad847f6df2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
79e3fbdb399ba3229d7f05c1caa69467

SHA1
8f74a625e10e1fc10f1bb0f8514182b5876fa470

SHA256
1e3d116fdf5105aefbeac8e00dd7ab2e79b79798e9fb73935fa64b66609e103e

SHA512
28216069ca5bf5682966f7a300df84d8e73e52fc232f238cdd6415f84815b5fdb980c8446f0afa5f48a256b40d38e1bdd2439f1f2dbced05d2721a667d95b75a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b00f53a0cb89d1d00b3ea156d2263f69

SHA1
898c155d44dcffb16bbc8227db3434ad00efaa66

SHA256
d4ff4cf99c8d3d46579b1883eb24e5f36f68ca21131cd0a6a0686b99e8f8b40a

SHA512
cce0c13f23c89e8437ae48ab5097dd11786723d3a54ec3ec0504db1c0bcaa471bff906a25e2186c3082d5276061ed9e98e036c72c549a6ad85ce29c2276f4fdf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
47cd172f0dd1e0ae987ae28f5e65cd71

SHA1
9b29eaaa5b7c31fa5b302115095dbc5497376d75

SHA256
d7d01123a9c3fb66027ba53698c1fe069a850468a272615597299a7390eb79a3

SHA512
314cbfa1605b26903bf636268ecdf5534e3e84115cc02cc0990d5c8567a514458988fc8090f323ee23d3f1d04fc0cf86bd25e9d82a980101ddedd6488ef4145c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
9a578c70746484a03535b6729dafe072

SHA1
862923bb81d938cb7cf9833f034afa85b6fd6196

SHA256
f535898e9a3e36252a1902375519d29a0b5099b5204027122276f8f10f8770ff

SHA512
0727e0d5d2c830d440b9c6c92e1ff46a046b0f5d17bf48e5a3d5e4323043f65e0e6d0204ba1d74613dc777efde3ce0d6530b3742d0b5699d0b3d30415bdad3bb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
223292f6c0c1ad2885daa5587b6b0a43

SHA1
23197dee1255575e12ed5929523603ea7ceb76fe

SHA256
399f02485a667a28902039589b1dbd6db103e48344ab85659b3d8f66b818e398

SHA512
acc553c32e7a717bedc390c24b8abd27bc0da8560f0b0628fe6cc8fb707fab84927edc66bfdd51a7075ee8165bfc68cc5b2fbecda9118f4bafb72749e76e739f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
44a49c725aa13fa8872e7b11302cafbb

SHA1
6d3968b545fe397b1b238a6cabb9e6a6d7b345f8

SHA256
3fc5a9fe9dce532db72d5554f1322b506d08a830805c7f50a65a76536eec8c1c

SHA512
7532ccb238bfebb24dd9b21468698930228de5728c841104d222dbacaf290959476af810d88e105fe5037e2b260eecff6cfeada7fcd442d25bd2a727d8960322

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bc15af16915afb2f15ce1ddb1cbbefb8

SHA1
0a6b9db67732a8236c8525e26da479f44e1e3a03

SHA256
1037c788dadc29871a1811cd728f162340805223b8d5f9b6cdccf47aa2fc38e8

SHA512
e4e942c10f67c40cba5dc754fef4457ec1295c4fa0fa958673c4ec9858e9939e3da3eb4f079594ee8afa95d8d98b8a771b3ac0c91c4728e7b6ac7f1fc27aa884

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fa52b70620bd29c6e3eba23ba7ccb863

SHA1
5aba2858cb230f233457d3cc4ff22efcc4d2a341

SHA256
30aa13c3da509520f9430a5dea366b25f6be3cc761e924380b93da7228f79061

SHA512
c0db36a3401edb0fcabdd98c1e5bad94e387b0935257d5d8ab8223dec7aa06c33e9ffa3088166b9c23a5a46e63507bb96ac1ed7d52bc8b821c148c41e05044dc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8fc465323309def3fcc363d208dcfd95

SHA1
bb91febe83bd288b6409831ede99da99c959034a

SHA256
b60ac3042e0cd649abf3cf7d61b0b03cd7ca8a65bfcb8161f3a96d8fa824a790

SHA512
e08b50e59547c3ead36cc95b9e25b3529f52ca1e0cebc35913b7c57dab47f97b9be3e7eb447af55a02f39d066ce40f67f6042f2b15c5682120091fa11129e724

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
842153817fbb10a73cb7590e7a9c54f0

SHA1
9623687e201709e211edf5aa9519825eca49a167

SHA256
f7e077e3b1c259cb99ed3205b04d6acfcab6d3f7ae44253754ec455c63b86ebb

SHA512
46c746d18ea5d4b3d514ecbb35c01bd402f6c6557456c2a801bf5e8727d5ad7e1dae3fdfd050fee1753c81d6de6bf6bfd38f8e7d023341ed93df2567d38828bd

Download Submit
memory/828-455-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/828-565-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/828-464-0x0000000000940000-0x00000000009A0000-memory.dmp

Filesize
384KB

Download
memory/1000-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1000-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1740-585-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1740-467-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2148-163-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2148-428-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/2148-169-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2148-162-0x0000000140000000-0x00000001401E6000-memory.dmp

Filesize
1.9MB

Download
memory/2196-439-0x0000000140000000-0x00000001401D1000-memory.dmp

Filesize
1.8MB

Download
memory/2196-483-0x0000000140000000-0x00000001401D1000-memory.dmp

Filesize
1.8MB

Download
memory/2200-485-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2240-1-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/2240-263-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2240-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2240-124-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2240-7-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/2240-6-0x0000000000890000-0x00000000008F7000-memory.dmp

Filesize
412KB

Download
memory/2704-489-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2848-133-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2848-128-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2848-139-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2848-137-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2848-132-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2848-125-0x0000000002250000-0x00000000022B0000-memory.dmp

Filesize
384KB

Download
memory/2904-424-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2904-158-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2904-149-0x0000000140000000-0x000000014020A000-memory.dmp

Filesize
2.0MB

Download
memory/2904-146-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3144-404-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3144-142-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/3160-593-0x000001E4689B0000-0x000001E4689C0000-memory.dmp

Filesize
64KB

Download
memory/3160-581-0x000001E467E90000-0x000001E467EA0000-memory.dmp

Filesize
64KB

Download
memory/3160-594-0x000001E4689B0000-0x000001E4689C0000-memory.dmp

Filesize
64KB

Download
memory/3160-613-0x000001E4695B0000-0x000001E4695C0000-memory.dmp

Filesize
64KB

Download
memory/3160-580-0x000001E467E80000-0x000001E467E90000-memory.dmp

Filesize
64KB

Download
memory/3160-582-0x000001E468990000-0x000001E468991000-memory.dmp

Filesize
4KB

Download
memory/3160-592-0x000001E467E80000-0x000001E467E90000-memory.dmp

Filesize
64KB

Download
memory/3160-584-0x000001E4689B0000-0x000001E4689C0000-memory.dmp

Filesize
64KB

Download
memory/3160-607-0x000001E4689B0000-0x000001E4689C0000-memory.dmp

Filesize
64KB

Download
memory/3160-606-0x000001E467E80000-0x000001E467E90000-memory.dmp

Filesize
64KB

Download
memory/3160-612-0x000001E467E80000-0x000001E467E90000-memory.dmp

Filesize
64KB

Download
memory/3160-583-0x000001E4689B0000-0x000001E4689C0000-memory.dmp

Filesize
64KB

Download
memory/3176-258-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3176-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3360-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3360-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3360-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3360-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3468-475-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3468-600-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3664-611-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3664-480-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3792-450-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3792-442-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3792-488-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4024-12-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/4024-141-0x0000000140000000-0x00000001401E5000-memory.dmp

Filesize
1.9MB

Download
memory/4280-51-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4280-53-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/4280-92-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4280-91-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4280-147-0x0000000140000000-0x00000001401E4000-memory.dmp

Filesize
1.9MB

Download
memory/4284-610-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4284-477-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4336-101-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4336-108-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4336-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4336-100-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4444-185-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/4444-432-0x0000000140000000-0x00000001401D0000-memory.dmp

Filesize
1.8MB

Download
memory/4688-471-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4688-470-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5068-174-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download
memory/5068-175-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/5068-180-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/5068-429-0x0000000000400000-0x00000000005D2000-memory.dmp

Filesize
1.8MB

Download