69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
Size

677KB
MD5

9c229fbe51807636aa95a180492305f3
SHA1

ba945c3224765e1eec4b70cb99f1f58ae682edf1
SHA256

69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f
SHA512

a82386b1959fe7ca122af5a901929bfcf90df37d9bb7f7321dce8ed1fc23e90f91e1a0749b0a80be6daf90dbc70c49abaf1e0c934a7e4171f9d1e0666a20dd40
SSDEEP

12288:vvXk1iXc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:Xk1isqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4592	alg.exe
732	DiagnosticsHub.StandardCollector.Service.exe
1364	fxssvc.exe
1840	elevation_service.exe
4048	elevation_service.exe
1704	maintenanceservice.exe
3276	OSE.EXE
1960	msdtc.exe
1908	PerceptionSimulationService.exe
2408	perfhost.exe
3028	locator.exe
5080	SensorDataService.exe
1812	snmptrap.exe
3680	spectrum.exe
2988	ssh-agent.exe
4332	TieringEngineService.exe
3744	AgentService.exe
3932	vds.exe
1524	vssvc.exe
1680	wbengine.exe
4536	WmiApSrv.exe
3204	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\14a5c025293b476c.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cddcf7a860a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054c803a960a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000034c0bda960a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000267914a960a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007faf6ca960a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ab7d1a860a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001ccc5a860a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cf84c2a960a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
732	DiagnosticsHub.StandardCollector.Service.exe
732	DiagnosticsHub.StandardCollector.Service.exe
732	DiagnosticsHub.StandardCollector.Service.exe
732	DiagnosticsHub.StandardCollector.Service.exe
732	DiagnosticsHub.StandardCollector.Service.exe
732	DiagnosticsHub.StandardCollector.Service.exe
1840	elevation_service.exe
1840	elevation_service.exe
1840	elevation_service.exe
1840	elevation_service.exe
1840	elevation_service.exe
1840	elevation_service.exe
1840	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2948	69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
Token: SeAuditPrivilege	1364	fxssvc.exe
Token: SeDebugPrivilege	732	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1840	elevation_service.exe
Token: SeRestorePrivilege	4332	TieringEngineService.exe
Token: SeManageVolumePrivilege	4332	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3744	AgentService.exe
Token: SeBackupPrivilege	1524	vssvc.exe
Token: SeRestorePrivilege	1524	vssvc.exe
Token: SeAuditPrivilege	1524	vssvc.exe
Token: SeBackupPrivilege	1680	wbengine.exe
Token: SeRestorePrivilege	1680	wbengine.exe
Token: SeSecurityPrivilege	1680	wbengine.exe
Token: 33	3204	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3204	SearchIndexer.exe
Token: SeDebugPrivilege	1840	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 3944	3204	SearchIndexer.exe	118
PID 3204 wrote to memory of 3944	3204	SearchIndexer.exe	118
PID 3204 wrote to memory of 1144	3204	SearchIndexer.exe	119
PID 3204 wrote to memory of 1144	3204	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe
"C:\Users\Admin\AppData\Local\Temp\69b6d024188991ae21b5675897c4c70d48512d25292d4ef46256345898703a0f.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4592

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1536

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4048

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1704

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3276

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1960

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1908

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2408

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5080

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1812

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2116

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3944
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
  2⤵
  - Modifies data under HKEY_USERS
  PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0e51e31fb4b790fb563af32bae16311d

SHA1
6ec6903ec21704c86838922a0e40ad8f39466043

SHA256
338d4676181161853462db6c41b61d985df9745ec2ade1a6ef8ddfd8dcb73804

SHA512
e6bc85dd5a873e5a855493ca2bd5b1630535469e726b16c20ce4cd265005b14897edbd3230d64d7e311b4be0705d7589a74c5b102295808da6764d153973fbf0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
e26a20f275f4b894507e08938b97962f

SHA1
df3d8f8d949c02e087d958a7118ad5b04c622837

SHA256
60db159a191a5e5ba372110f0c4e2d0c69e3819ba37153afd7c396b7fabe148e

SHA512
299f1013fd294793eeb5bb8ae1359d6446496f8824e0f209ed897f0597007705ac1ad77ddb8a4ccc8d3a02329e33ecef7c0946053843c47cf4b6464bb50cf7d9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
05f4cfb3ea5c9e4d0ba90278e19373ce

SHA1
fcebcecd74f942991b347f76345d34eed80bf8d2

SHA256
214acde759078f4ffa3116ffd2cef389abe9b0de449ec072ac652cdd731090da

SHA512
cbe24c4666edb3c70d8c6d6f5834d5838be089cb83f543f913ec7246b773595e7a1c7bd572d336af72969f0ce118ff70906b20e6fc0fcaaae234f2e0ac4da137

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d2ba245a5cf6556a21d4e08a390ffdce

SHA1
1edd495a7ebe6dad5ea5c8b8a05c83e323753f7e

SHA256
f5c25f0fa6f1850bc6a0ad40c27348c186816ead10fba3665f869e6b7bda7990

SHA512
d08d80ba5122cb4f614bb69ff09e4d09a98a7cbd7e677dbb0a8216374ce3dbbe7b043d12eeb6511e5cbd2f39ebc54d861fb1513185d17f3e44d66506ebeff132

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
63f680dc4426a9123d6ee139f094d208

SHA1
34fdb738a10c5b6efb6fa5bdbc15518d496bc9f9

SHA256
e40cf5cd94ddc9fb8d79d0f7f985b1fcb3842f5298ea92891bb82398fb49d409

SHA512
1146aca1fac5dddf68ef2c49988746cd70cad81b19ee1df55c3c5d3e02dead2320f4812255c3cba1d8ebb810e8564431e8fd09ccd1b241aebafd70cbb7a1496a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ca180e9ff7f8005c795aba9de610dbb1

SHA1
bdbf50951d9f1ca3807637c72dcb181ed1c55e4b

SHA256
6be97a9f431bacf39e2984e35befdd4948c68a7c898cfea76d49afd9d4975f2b

SHA512
524cb2364a0a80cdcc53699d19726d369ab8ecbb0c1422253b98b5c49435499969daf5543637a3ef75947e9da49e781ede16adb90a99cfe228faf57f705c92f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
784001f4f5eb2e91e21a6b58b0590ced

SHA1
faba142d274fa3fd06ba68ec8e8a8ed9823d1744

SHA256
b77033fbf521ac51225a34a45cf5c42e2c716815799944af94594597502f2029

SHA512
4c9b67131ae24a90da46d337e515ba5399e31576c826ff0a075f2377f3617993530fa9d90ebf6a73091d8500115ca4dd8603f92c3bf353ecba20add1fe2bd558

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3f9f18f6478acc89074e62cb0137130d

SHA1
904190da0da30c104a6e00a758d75370fbd23ec8

SHA256
631a068cdd30dd91ac9cc4ed1718eb23004463e57c7652b1541031ecafa8328f

SHA512
dbc7dae9721824b7a53e0be914f79c8a8d3df6066ffb2c3c1fab90839ca445af6856bf3672c36fce3af375c27bf3cddfaa2c5599662c272169f9ceba8032af48

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
003076b0eefc161cab5b18af409fbe73

SHA1
fe1ceae2706f3371eb8b83077d7684d3e4b4e23a

SHA256
dd994facfd1aacac5acc0c5c25bfcc500931c9ac7c7196198d354b41604db863

SHA512
1479a38a015831488422b703f96733b69106d97a86f727663c0213c4321693674c85fcd186229d99044c1629891ce6f7807a93035caf3dd93216a5277d06c004

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
64b361666049b0bbc89ee070ea685564

SHA1
d232c48090754759b78d65827729fd02f7e6e236

SHA256
080ceeb512d80d863ebcddd3685699e6ed4a21e3ec58eef60b7ebff0e34feb91

SHA512
9eeee01f7363c15fad497210bb22a822ff8ad1acead481ffae27c6c120e882a4fe0a997b2d75712a2643cc88082ffa2da24ebe4afd1bd9ae69ac31ac978bab20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c65c69781382b9014806522d08adaaab

SHA1
700648314caa15f14289c0d7ee4e988432e41828

SHA256
7251189ff0f0dfdb45177d439cd940788cda18f6763ad763f6c6c7786cbb911c

SHA512
7b9b2830098f55142a2c9480d9b3e5e96034da9cfd875be01e30e021a9cd52df8293e7fa4008999f7c97153e5b14b0effed8dcaaf355534aa29facaa1587b857

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
bbf4968f9fa493f28567abe338dea1b9

SHA1
ffa1dffa53dd2af5598268b78d22b040f5275b5a

SHA256
17ba22a68b4f48699254592ef4f7f3dc0506c7b331fcdde33a60731ddec18271

SHA512
777deeeec749acaac40b3562d7329c33ac4578d78e71e0a252ef0efc83ce45536e07ec3f1e6cc682fb6ef0ba828d2095c6b9b77be82b41e56dd0ed2730b7c99d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
ce37c11f17e32141fc92bf83cfd46242

SHA1
58070eabd260b42c48e721ce451c7bbc3f85a0f2

SHA256
2b64d8477f9189622c592a82c6fa16ea9302d2ab249946083c189f72be2fb716

SHA512
0c93af68ef3350c8e938ea74192ea4e15ffc2895854b840895cee78609b21e1719c83f047d440e687f632dc0bb31847537dadbd807620db0af8e9fecf5f9a93e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e01c42633e54cc43c4157dbcb79c475e

SHA1
db12bb7c21190ac5398b35ce81f573fa34a7a0ee

SHA256
67df3d3c7126052528545e876f008c00b787c1a009db18f46415c3a58a383665

SHA512
e42e06de8f367b4e86056fbd189e0c294126f82c67ad03a7f9e516c13d3abb65aa20d38950d8a49c8f5b4482f061bf787f664d63ece16d23c786c3cff33f274a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
8d07d4cc8c598d91f641696bbcbcb032

SHA1
b6b8f4582af50e87cc67f3e4dafe231aebaed94b

SHA256
3f39e4313bb74f0dfbdeb5df36623b9f37c626f5d2386ba76afb0300d7d5baa7

SHA512
5adfca0a5b83405848263e67721f163614eea30ec339badf27abcb24d54d8e8dfe4bc6c4830194bdf41e33972c04f0a883f7315a01f201af9c401f11a9fadea3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
cae3504a2b8943a5df1ebbf699a0564a

SHA1
7ffafd114ed794b4fb75b5c8aabd3e561f6c53a0

SHA256
b3dcb8213a49dfd74ca5020ce3200af0e34cac3546f5bcf6bb9f1869fdf35001

SHA512
005eaa689a0d46e0e5e26e35efe7f7028f95bf2a021d96050ecc32f7f1de7b538cdea5300f42775b0a74006b83b8867fef5cb48303a10a7a87640977872c89c8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
f6787448611fdf287f39f4e39cd59a63

SHA1
db79ed0ee76b7085e0543376a12304bd7288fc8c

SHA256
f3aaf27bf4d78d113abfcfa329e82172fb3ace2f8fcf18ae97a06f0b7f73fd38

SHA512
5d75326bc765d7433cdf62b0592855252cde29806cdb6aec4f7061bbe5f1e5c3fcf5d595254daea5a6f71f9d192c7b8e0eae77f53f87f591bf071ce22dd76397

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
fb2d72e5736ffd282a5607d341244e4a

SHA1
023c330654a036ee27a4b1d7cceb6f63eeeff1c4

SHA256
df418b8cb515b5c3be38f3474030195a8900381eb5f56af6853561283ae99b2d

SHA512
9dd2f3490d1336a3f9cee6f0b36b18c56a733a4877e9263f0fbba28e81632ece513dbf68947c7775235971e4bb0c5404b048d65d56225dfd1f2c222cf94bf843

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
f2177883d23b9883b21d1ba901845ea2

SHA1
4ce0572e5da4dd163c22a8da2af9ba18ea491160

SHA256
5574f0b566aad0dcd6575d218aa6d238a986a6a282d499259ed3ac6fb1a180b7

SHA512
902d4d6155988cb45a94c3889e70e5d946eec3c99ae13cee6053bb45f30430de64f4d16be2eadefd423bd884f5c46e5d532089a15a2b76f420b302247042c45c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d886289716f6b787ab0ee640f8f57149

SHA1
491be5d7d805b3357465c83873b61042abd00c1f

SHA256
21f1ae20140178010c0dfab8c74f3c473603824074213bf2d8864805b600bfdb

SHA512
06d6822855423a34c436a6c63389f9c3a94ba06450fdaa8a38391a06ca6b904225a242841e812605bb62614371e190a96fe426b6e5329a85a2d216a476fa6d2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
88555b28ae87288c961476963924c86a

SHA1
1a84a86fe2b11520498d1664c34f63c5e6edb571

SHA256
3d1fd1787cc2e74339f2f5a89b93084b95a4376d01974c7016f192b884d149a2

SHA512
8183077f23e2b0d550daa619fbc1c45b751c67d5f2efbe5e7c9f531dc0f70b421eb39323346dd2cb0bdddf1139f2eae7f3d6fa1944ea19a548c3fd2aa930b514

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
127fb35c28d60201d4cbabf8f838ead3

SHA1
8b7df87568757f5cb2e648279f74275db9a59215

SHA256
07095dd6ec674d26c1b646c8653adb2a2c4069bd10c13597aee3e19bd4503689

SHA512
d15f0bbc34748043103582a6c5e99edfb796eb601fc3fb711d2b4ec000a0ac1f9a42d33b6d96e5c825db9c72cbd9276d8cd3ac572cbec14f852f6730cfbe4946

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
241f413e0cfbba012e6e1c82b4aa20c5

SHA1
ec94f766b51f376c4e353ac792a41f8ea415fd86

SHA256
5b809ce682c7cc753da060d108a54dc1a5993e5bccf4b8555f6351a505a217d3

SHA512
2087f6af76d9c6176eca3862a110e53b48844f0f2a94c04c5599e07ee511f01b4a1a8992476c23bebc6f984d65451bf3d925f92532e768892e82629a31f4e08e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7fd81c6f72c7595b968f26f1826dc38a

SHA1
f8b51c23638b064cc1d673d5357864dbf77c8e16

SHA256
edb69730b9c3afa1180fdc26812d265d89d5f979beda71c0f1508a11a8e63582

SHA512
6f4b99a4dc198785b7dd0b12ddd2f8ff2b49d03651724902f67b6539177ee31ee42b7ced2597be3f020458ee0644fbac5ed549204cadfd759ee18b62170bac92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7bbc863f2ab6768139926c5ead2d3f7b

SHA1
43147856486151632b33c16d67032c6678bb2880

SHA256
0a9eeadaff2a3564b043220fc52919126ae2a3020715b57a145c19f1c026e424

SHA512
2daee7883bd4a68d7f916f63aba80aabcd32e83a6be53f3ff77c47c10601978f3a35547321b1a5402e0c0d187cf9faaac26624b7846285b8621469154dbcae44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6f2967adf10fb18c48b5d7cbb2b98a6a

SHA1
2a984492b56bb055c394c91e22ad607566d2df5a

SHA256
c3cfc8a71fe5212820a54ef89a45034eb4e118aac2e7f3166577e4828b79de60

SHA512
4433bf8f8614a60196bcce4f86c169f43e7454eaeb522ce7c65d6700d2e1ca4529f8735cd764834611498e0b0a47ba7d9c3abbcd88b2a8ff19bb8f9f1ce64a05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a78b7cbddbd7d760f8965fb01370d1b0

SHA1
f4b35ce4d7e3017909d3b0e22f3ba03cc0e21074

SHA256
8c063dc696d5d76b0b9c0e9f172bfd569b34535d8f562967f92a72b770fa4eb0

SHA512
ad59c4be9b3c7393b81b6b4400840b3e4814841002c83109fea1a209644d02aa0b9996e4b04ea113b1d79473c81d4b56989e141702359b813e9b3455e50c8057

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
640e695865d98ea78f00828dd965943c

SHA1
7f885b00af82fd8a616cd4717690233929906997

SHA256
aea8023bcefc1286b09b9e93b136641e770afb365f4d228b86477b0949ef6a5e

SHA512
28224ebcf60f318dba2c1a26f850ebfe06c1535b293254421a860f6b60e2de39008827d1a680ed40186d5870431d818b0fc06a299e98dc969b65b973af836250

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d40a66cac791c50adfd22c5a3a72bd6d

SHA1
116895591e6fbf1c22d3757f31b852f08f3efb16

SHA256
809b1fb7a689941640ed625f1c9e9390429f80aea82445d2cf1a313e9fa89067

SHA512
f1110d0bdcb358575cd33ca84146266bbfbe660e5690a125536c94a1d15c23b6455db2eaa31f6e26336b25e77bc0742bfdec72daf2de55f4a948df3c07d0932a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a4498066e5eb912368ec7575cb332043

SHA1
11bd87f3f53777845ad62308f2c94959b86882b4

SHA256
c8b1eda003a9dca3ff86aa398d10147f689581caa012ff61a40a267aa9140255

SHA512
a0d267336a29600a6e479e46ed40414ddb1105536730983a66a763af71cee814254098e25e580830bfb25c885462bb713b1dbc7eaef1047a6ba351ad5ee26ca4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4e9b07c7f30593bc88c35438a7b86aed

SHA1
a7a8d79571ef9e0c8da5c1a31892e6cfda168ca5

SHA256
bab82fcddb60f36668cdc59b33ca95f604d95aac78c19827a271b9c3d1552273

SHA512
dec476fe50c25751930a79701585cadd8c779aa5ea88951b8a5438d222770543d208224c0ece04332a5d7a38809a8f5751f78b642e7b6c91bb4ede41c180be40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
5a137d0ab8a80ed841cf91db4a98bcff

SHA1
feba90b50e212145adad60097596a74c77327926

SHA256
50163bfed361dc0ed57e308b6bcb921c79497af013284f72b2e6ce2e1621f619

SHA512
8dfbf27c36e60c7320d04ba2a4f00ceef8adffe400b74b21f88b59b72199fec50df5d6fbf19ac8ee9a4e3ecd56f6da11d184e6e6f868dbe279cb5255593e2d4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
78b4670400979431ba19a4412ddfdf68

SHA1
dd4f150042c8e4f50a5d4672f87b6e7ea77d889b

SHA256
ce2f11bb1868045666c14f1c8a6c30232e39793c97eea12485456c1a5bab0b96

SHA512
4e4bb7078a0d5cef381bcb039b6244f0c18306fb0717eebae31034fb044c4f2e18fd9540a38d4e68b0398f51c3e57469e149eafb61b706345b6a85bd825e1101

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
81b70720ee75b7b53ac8a35b9a8df08a

SHA1
190d532ac108951a9f49e079b2bfd1cea6cd23ea

SHA256
8840485e0814da1197d513b218fc5cd10f6edc6d61c8ef9b9535aa53390a0f82

SHA512
c56cb1e693a4139396ca5919d6155be17b4b1ae4484155c0d1125ac36996c0433e48085670c258ff7569e27123ed29ec7d5d1238f1464e821efad22e4c7737c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
caa462bb43f86f8ddcd7922c227d0884

SHA1
cba0634e435d4617f3e9e0bee6bd610e669a55a8

SHA256
ca89a6ea58661412baa18140d2e2b19324dcf5ae2ad82ae9f63e193801050c41

SHA512
88edbf056449709774ff9147906ce62c71d4fd3feaa96ca5b2c814d814ce705a7227135db0f8d7871ad623b50affbd249160751676f6379703632ef5b072eda2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d704aefe42d518a35ccc1b65ae551722

SHA1
d577436c24a99329d102b4af27e0f98a917c734d

SHA256
6bd8cde1f7695da07a76a66b73ae25fc85a006a8c1e4e04503ca15c98e556f2a

SHA512
713ca67d2c8469a4ceb5d9b8902c2b3c3aef4a0aaeae7cba8d3928eed572ae574e74b4ad99a51777f34402389eb11447f260bf81db14e948a473ec682e463b0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
699dd0d0922341f19a19c87e820f1567

SHA1
ec39e8ecbced9606270751d5f3c4c53ada63a0f1

SHA256
b68dddef7cfcfec43e025058c982fec4a86454f950867cae593cc52ae2071753

SHA512
cebf39a33593a9f6ef8d2d8d9f3593ce91dfac2983090204120caa82d7ef6b2c025306a949283d770571430ba836b45ccc6263648aca389856c94ccab032f9ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
0b46a46c9633413bb0363d409fef6231

SHA1
06fbde099f70aa049699300b821919b1577c298a

SHA256
72d34b6f31271edd01e7b5e79de8dac0488852c1d9ba699a185664c23fa690e0

SHA512
a6541e70ed410cea8336364bc9b0ca8d38f57b883b77bc9aa6cff570034f83ccc9e88d6f3408489b1ff70a8594b7b298d9da818b6d50c0bf40d1d7e3c1a53146

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
36d94c393288a48367139e66fb915e70

SHA1
fc3d2d4c189cb3ec3fa70f11dc56c39e594bc3c8

SHA256
6aa5ca61ed1abcc4b030b0781b8aafcad3635e3a95882f4d096c757115732b95

SHA512
00f377b393ee56d62bbcff74d7c2a0e5c9874e98b7d96c780ab79e176cdbceea55d36cdf12e2aed121d3c006e5ab1cb9f0c28d7304a24b76119cb0111d823c51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
54eab26c6796d14b180b87632a9f539f

SHA1
65f73227f2f094f79129c899d6b79ea5fd0074c5

SHA256
617c3ba10633d0fe416f83ac8e4f57ab6b5b2ed9c7ecd9dfeb63cfffaa31b54a

SHA512
566723212508d3301f34b0dbce2ffbbabcfe86b49bcb9d6a13bc6d6cacc39b733187977d24c2cb438c77059c22520d7296d3f4fb2b712e6ba799bd726c8e3250

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
b2a8ed46b9807caecf36dd7536977908

SHA1
35e1013df1c8e49b148b852f9021ed204f46da52

SHA256
8ceaf057e44be08d06bcf16f5b8249a9b0cecd4c963b0b0948581871e83a1611

SHA512
5bfe9c763e271724f68ce41d82d9a7c88d40aed4401907fb192b0a5187c016bb74cb3dbf577d9887fcff9b764bde438753c761336be4cd0ebd00302af41a27b3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e21de67604b8b062be7358e7048d40f9

SHA1
bdcee6fdc7a937b1f4705af89cc076131c79e85f

SHA256
9e1a827071ba815cc95ea3d159c8328fe7b7ca68906c35d2086f992b87e958c2

SHA512
f54982bdbb0a9b8c5303069e23bc495a9c1f282e3c80b578da6e814c792e9a890545b6c986c6571668ceb5bc1afdfd68915a3f91819ea8f5c9877e4f11ae3b9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
61b3084f4111bd8d347958e7b9fcf6a9

SHA1
73b688bfafaff14e0c77037321a71339192d1000

SHA256
75253ef5b68b6ec68c261db1213854549674bdce4574746dc94c50d2a43ff470

SHA512
9e9f2f0e583de0fbd9151fcd1563588745da6c1f8b4906a12a0cc029f62e6e878abe6eeb507ab813175ea9cc50003a235db6db9432480d76da54ac65f138da0d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c97decb849a6180e5a09855f100051c7

SHA1
343e55121b7d18535884d9170f1804c2e10cc465

SHA256
a9f743e0c1a2ccb0314e1d353142807c739df0bdf7725b6840c8fad12a128576

SHA512
e978763246c37558130b286911e91866c68280db3b5849c12e96ab968383a047e30ef9dfdca4d78e6e364fc8d956a80876a41fae641b63fa90342e0a8f388f83

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
512cf5da6a8113c75444dc5b3142cf5d

SHA1
3f725e4a5d627baa091aeb6b0e2ec58317ead07d

SHA256
22f1567939bb8a42c82f055047e70842c788e36b99ac56652d00d9552799fcf3

SHA512
1496699b444f192c02b18a8ea51106e56e300b55c8a73f7d868c4652652ae10a98a8e4322c1f0e40b2806311b90db58f03abece11b0182a63f068d096dc9e85f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
fc53d82bddbb10b36b08cf4a84385a76

SHA1
1e0b1b851455c5c178bb72880bbadc16e606417b

SHA256
c52f368050f2b2849a86bb014f1a9370195a278b607a8ef90c15d86ca2e6fa13

SHA512
50c226f3389baf8a974a953c79730eda6a1d55e06dfd579966fffd91c94f6afeef6a5ff83d926f9ce1698e11fd4c17ba9e2261ca934701c2ae35a356d70d9cf3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
97695f910928c95a2abf3061ed2e7d05

SHA1
0a81ae1ff2b2409bd601b12cd7bd7f8e1be3cdb3

SHA256
21a4d5fcf846c9db9453913a6ab2b24cb07aef932325f5e95a89af6cadc03f4b

SHA512
c083f9a5b03c2c0c9c3eda67724aa32f50c004014e78d9dc2293f63bb48a4588e82a0356d8cc0ffe642193aa5e09274ffe91ba85b335b5bc71c373af6af61577

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bc38e33720a43cac39106d8440fb8faf

SHA1
b0f5025e088c33c89832fff502e4e458b73427a9

SHA256
850c6f07bb3ca7cedcada391dec66cd6910dbe6ed3e4bf502db2709077e77559

SHA512
edf7c263f3eef3517f0fc994c1356d746a0eed5b59f4f421fe5d024cc9032293756d67f458b3f4d6e3509a3e8a6204cf51510707f660463b9a18598a62291d48

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3ecccbb2fb80e99b5a75f2bed078bc6f

SHA1
d94091b41920668eecc3d03149f76ba758210ddd

SHA256
0cb47e0c95cabef40a0591ed6ddc39071ca830ccef6db091120bcf72430f35ab

SHA512
5bee618b02cfec8ed252481cabbbb58761da8a00917472e08d01dc4752d76df3dae8500458512814dc24ddf9c1f7dacdb6712da0e85d65858382dca287918058

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aaf12dc0cdd10b68d36b5a833e0d0455

SHA1
b12ce37b397442a5598b0e9df940b5cb3a424172

SHA256
df62d670f234e1661ccaf5450652d191d0842472ce279f96108f75784c683a1d

SHA512
dc9682128f8b3764622a6684e1d36f3e4bca2ec65f361119b2aa7876e748ed24fd5f3e5bc9551420557ba28b5c6d9bba993f5c399097cdeecba42fdae26cc515

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e0d235630978d45b8695f299f665c56b

SHA1
1a262b4d074b27ae7f10adc9af3064c79b5bcbe4

SHA256
23fa4319a0f0570d2a60cd8585648242326dc615a65bcba5e790c29e6780a215

SHA512
5ab5eb5c220471bdcf675a109317e92e797bf6ae5f8d6ffb65712416840ae4daba551a8325180250413fdbac705b3f4369beac40b58c571de661ae1f66fca59b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
51387124d56caaa7fb1a340bddacba8a

SHA1
3949b6180e5364cc16646c0261d11fbf7d7d3d46

SHA256
239fc05f9a92f5784e375e92ffe4174c1a05fdbf78b1c4733dcc806fca41a248

SHA512
28707861920b8e78139ffc823cc0e3f950eb801a12f309bf75a7cf8363d4f1f7121ef721f4f95d4690230e64ec43fa35a761e5e142cd4628a772e0074ba72c1e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
cce08199564859ea00af5c8e8cceaeca

SHA1
92501914616cc4d1dd5e564c0d755ad7ece929ff

SHA256
a5a0d05269d2752d5c1e83dc362034e1da6b18ca7aa78dad9470ef3abaae5943

SHA512
c91525faa17eb9e02a5f01585b1405fee2ae92ee45f0ef409319c2112317f82c67af1a6945518cf491c5409bb0be243af09dd206bd8593c7906f1a27141402b7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0268931dc7cfdcca9ba7c6043cb9e324

SHA1
4fee53a94dd8caa48045cd8e79ae1a7982ca5c6d

SHA256
05a3f18e774c4090cfc6e6e54ee217866ffc79a76777df7366f9ca5dace83428

SHA512
d895479f69bd8702393be20218ae623beb3389c610d803307d59357a7bd62aa814a209907f088cd638dddabcdb067da7585122be773b427ee7333af7eee619c9

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f308308ad36eba194119b3b8e39456e7

SHA1
16f41324959fb58dd87ba39826d4261d056c9295

SHA256
e090fea8be9b58251078110346e42b2f1b8778724b8033528160bc18b71d71d3

SHA512
b80466490557e0193811306e5ff3ba2df7da0f044445c442ccb8dace77aa829f24151a7c867e6111e2e4fc052d421e4ff46b10c52ad05b3716663bfed6487d37

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
a636669f4af4543001e15244f2867447

SHA1
8d2c0bc85aee1cb9b549be6bb3d5cd4836e9d5b9

SHA256
5190d3a7405106c476c0d0c73295f327634ec9c89b08ca60074b196e4e805b36

SHA512
7e7adf529f48d083e7d5bcba0c2d227afe28030b5c580ee80ea9b335c92f6e15bcc78d2808c4437528e9acf90c8b2d198ecac3f7096a42bdaa7c9c62dc5ab6e1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a15c362bb0cc331e80cbfc9b2bd9d0c2

SHA1
37f0c93c63e6fc1e76210f13733497b48feb8d1c

SHA256
fc07d66f07d6cf0ea5c347b598cdd684d1ba63a63e1346e4ceeb3f67f5564ee6

SHA512
52315fe5e097aaca683887fcb865e707a92e9619dcae4259468c757d5206794ab3e006fcfccad260be227a2d683255e339718802336c7693dd9980a1ca222a32

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6382c3914896e0b183ca88ee207a0678

SHA1
7114c0288bca27ca277289e4404a683674d310d9

SHA256
458665bfced222c2438922bdc6e93c590511a0f1ce13553abf5423b7ff7ef67e

SHA512
3a12f6981ccb1583e155e90d789f6ebb08533d81c291169d3541a97b78bb7aa2cd7009115e785a88d7ccee2d11cbd93a4aea5f0bf21b2a048b367b017d54b3be

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
f8bb4876569eb7f0477a034aac5a6186

SHA1
4d75788b1819fc2d528688b5ee248166835549c2

SHA256
d51715cbd2a50b777bddbd59ba454125a99dc53bd99d11ca33cc6cd51e36f58a

SHA512
0cf6cdf8b960b46b4c7d42dfde846075847d93d9130f99f61fac93425456d90c451b751c58a8e9a6ed7947cd0dceeb0bf96ddb6325a1a92c6a20c349172e5688

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6d2f0ce734902645efbc587418e5521c

SHA1
81a714cf4f99bc30c66aa46e45cf5eded1bde687

SHA256
6db5bddc8dcf95223756a76b2f856a29bb49974378b6921b246681d1cd54a626

SHA512
f66a33e1fe27fbe89be2ca2f01b60a7071625244a7e9c236f7214a5106bc9dbb37d9b7ea395c32f0d17ff8689a1438bd1493308f393f64bb603cc0fbc5c46c75

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3e50fbe30a3ff3adbf39e71fa41a67af

SHA1
eded338a908ef4c2e674a5df619b06f32b3427fb

SHA256
e465f1fa53e84c50acc8f94160c87f2cf541887192d35a91f7bd882228511d78

SHA512
af89b479c5ff26124518b31aa54f5d5bd14eee99cd794533599dff15ef77a817573d04305eb937ab50c992a1e0ef3ee619769fd2348f0b687c22fdb66633adca

Download Submit
memory/732-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/732-22-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/732-16-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/732-240-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1364-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1364-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1524-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1524-518-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1680-519-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1680-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1704-58-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1704-64-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1704-69-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1704-71-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1704-57-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1812-287-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1812-435-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1840-243-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1840-40-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1840-42-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1840-34-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1908-256-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1908-260-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1908-266-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1908-324-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1960-320-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1960-252-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2408-271-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/2408-328-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2408-270-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2948-6-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/2948-2-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/2948-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2948-29-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/2988-302-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2988-513-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3028-332-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3028-280-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3204-343-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3204-522-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3276-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3276-245-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3276-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3276-78-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3680-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3680-509-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3744-318-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3744-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3932-517-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3932-321-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4048-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4048-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4048-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4048-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4332-313-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4332-514-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4536-333-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4536-520-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4592-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4592-239-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5080-510-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5080-337-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download