882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
Size

5.8MB
MD5

abcf08553e87d769457157ce669e7e8a
SHA1

1db88a0b764a4206e7bbff898877c150fadc453b
SHA256

882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985
SHA512

c645ead07a947fc9ae170f99cbb0627e0f65d25313e8efb35968fc8511904ed9774914f62a5d10d492aecc618c5a5c505fb7a4083b6a7f9e2d1a7895048d17c2
SSDEEP

98304:mNDwSlUk9KPsUxfAdNmTVi+qkPZKOBuyaoY7cjGjj2jF:m1Uk9KmdNmTsOBuyaopjGj8F

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4300	alg.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
3080	fxssvc.exe
2008	elevation_service.exe
2348	elevation_service.exe
1260	maintenanceservice.exe
3412	OSE.EXE
4428	msdtc.exe
556	PerceptionSimulationService.exe
2384	perfhost.exe
4984	locator.exe
1324	SensorDataService.exe
3632	snmptrap.exe
2516	spectrum.exe
1140	ssh-agent.exe
1168	TieringEngineService.exe
5096	AgentService.exe
1532	vds.exe
2736	vssvc.exe
3708	wbengine.exe
3772	WmiApSrv.exe
4120	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5b420fbe8beeeac9.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F3190C87-06A4-407A-A58A-3F71181B4541}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec106a4442bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000010f4894342bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ac9c04342bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f64e274442bbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f18b034442bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbf2a84342bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d68a224442bbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba738b4442bbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
1600	DiagnosticsHub.StandardCollector.Service.exe
2008	elevation_service.exe
2008	elevation_service.exe
2008	elevation_service.exe
2008	elevation_service.exe
2008	elevation_service.exe
2008	elevation_service.exe
2008	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1740	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
Token: SeAuditPrivilege	3080	fxssvc.exe
Token: SeDebugPrivilege	1600	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2008	elevation_service.exe
Token: SeRestorePrivilege	1168	TieringEngineService.exe
Token: SeManageVolumePrivilege	1168	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5096	AgentService.exe
Token: SeBackupPrivilege	2736	vssvc.exe
Token: SeRestorePrivilege	2736	vssvc.exe
Token: SeAuditPrivilege	2736	vssvc.exe
Token: SeBackupPrivilege	3708	wbengine.exe
Token: SeRestorePrivilege	3708	wbengine.exe
Token: SeSecurityPrivilege	3708	wbengine.exe
Token: 33	4120	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4120	SearchIndexer.exe
Token: SeDebugPrivilege	2008	elevation_service.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1740	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1740	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 2308	1740	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe	82
PID 1740 wrote to memory of 2308	1740	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe	82
PID 1740 wrote to memory of 2308	1740	882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe	82
PID 4120 wrote to memory of 2532	4120	SearchIndexer.exe	116
PID 4120 wrote to memory of 2532	4120	SearchIndexer.exe	116
PID 4120 wrote to memory of 224	4120	SearchIndexer.exe	117
PID 4120 wrote to memory of 224	4120	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
"C:\Users\Admin\AppData\Local\Temp\882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Users\Admin\AppData\Local\Temp\882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe
  "C:\Users\Admin\AppData\Local\Temp\882d5339d2392bac42d9255ab7df082956d5b0b251b324b278cabb203613a985.exe" --type=collab-renderer --proc=1740
  2⤵
  PID:2308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2564

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3080

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1260

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4428

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1324

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3708

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a4c2b2a5cc3c6c8f57c7d037cfae1658

SHA1
5e54acdbc56a62214467d470364956b90aac3dd5

SHA256
225bceaabd6de08f1218ee39d237fdca17659ae6b86b16753debb65fd97a86b4

SHA512
b93e21a911d213d462a3171df3b6a6fedda37b65939e25c07d84e169226249dffa3e3ad1af7e6b87929d7c4fc793246995d16cd83a20680de8b390ccb7299998

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
b28e36347cac65acd2e8e6c765bc49c8

SHA1
8c9a4542a5711d74ff8c0884365e800f97da404e

SHA256
920e14ecc1080fc58822b2e9b43e9505434f6b7b3af0e18f26d10deecbb95373

SHA512
6b5a208f796fc95b0ca3a06b641189ebcc67217f191c1195024a82b83e2f31368317ad84e0158667ba5830ce99bcf4d09c2d17ea0837b146cb357717eb2a4b27

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d2877a9be8e16cd9b585e8d7a366cfb6

SHA1
11a23f597b466c12c326f2579eb219caabee686a

SHA256
462da18abd34ff75b84b04e4a036f7769b93d093697dd88d0210889da48f3a37

SHA512
6e6161c910b95724bf4a560632b0f8d7da64b669ac00be63cdaf8f702ff5c9881091a4aca4de6af5047b8005a0341ec1efc555cc3accaf917263d87fb55b7fbc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c7cdad2ba063a2521c4d4c67c6f6e6a9

SHA1
cdc42de25b591476c9129d20d1484b38db04f16a

SHA256
3ae817791ad646b82361b0b200e4c66baa046b152ba03116a8c421e0bf780a97

SHA512
d3d812eaf8c0d5b7a6a021c89708444002557681be78a0790a2f6113bb775d91890fc6d5f48a5140d6fd8375d63fac4148411c5ec1a103880a5fbc96f06cc8fa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
351d9336147034e30f491da521f39d2f

SHA1
3711b9f883f3f59c3bfd31f2a85155262176c9be

SHA256
43396a24ed49f2a588b12dd8c92395b0f9dbc34a5264878bbd75f431e6f9ae08

SHA512
b636e079582b26e60c424aa8707648aa632cc0de41568b82a387f3c0bc89ad4de9a3680536b28fe58dbb701b850a9fb8ec22c0c0b2e44032755c3c73991b6589

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9bf5a1d0e02a856c42df6e02a74217e2

SHA1
b61fcc63720eb185e37ff3bfa01445e58985fff2

SHA256
d7fb222a9dedcb2eb53f199abc455a05dd6d3ef1665c11b4a94ed6435fe336ac

SHA512
1ac297d986d8b6cad319948e81f4ad14a25983dc00a8aaa54272fa40e7a3d7ef9e6ad236e05afe68fd19283bcb3f6428081ab93ade29d56f981a17e9c9d94ba1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
aaec098235ece30bd9a0bfe673ac12dd

SHA1
9963ed2b1b50033bf725ec28ee2d0a16b001fbf7

SHA256
e0678d1cc92864934ef9706be23d40e43897612278b70284692b003517de44e2

SHA512
f674f278d0eb1326bffa52adf0d2f7544940d93e544a9453ae0f4d4ceebc4f8041500ef615e2cc463d858d8b9f424e686c3c9eddcf6f5a80191d5c0b1a2e2783

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
efdb1b9c89fd72dba02116be96fbff5f

SHA1
a02f167d0ab68234cdb2c415b8f9962503febbb3

SHA256
02104d0755a4d79cf78053ab4989039866287a3db64749a293346718691a61cf

SHA512
ae46f2442d710b4348a5c2b8766c1b104e3a0e10205ad618bb1dfad0cc0e3de038b56ea517cc2ba037a40c840a749d2e5ef96eaa945af5b4c341f3811b56aaff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b56ae7372fa3dad7d4cbffb55a964852

SHA1
25391854bd0c665db08c31cd964b0d63c5081dc8

SHA256
a8416c78ddd0988a3170d651f8811eb1a1948e478da65036f18481376e94db87

SHA512
312bca842c52c0a490ca9a9dcb30cf3cdf56c89e1c821c8fca626700a0a462bc284dba54d3a6bf6401fb6f1fff8f6196c5d5735cd2063e068f68729a0c1ae977

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d2e6f63acee16787f5dd614bc504c5ad

SHA1
ff649f2855d6d96ae85bdf6d6ac89179ab97ce21

SHA256
316f5ad61b938411e4e007cc914c669308d075f8a6aacee8c4a4aa27c7acf020

SHA512
7afad0eec0d25cc5cf080194b22ebe8265fe09952896d1d7eca2452f2ec15bcc3b91a25a019f9b833088c0c72fba7f4e6d5b4f2715c2fc28b81359872666f67e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
156bc422292f10304c0eed6b7d59f3ef

SHA1
0090a74d91711bce958d1e4a89201c061562bb63

SHA256
48d645bba3acf54ce3bcfff9cd2af11a6a6b7d0c3e6ad9da72186a5f338f4f0d

SHA512
928ad38b35a2cf5cde1c6ed7881a4a37468407b6a0829a610287d57b5687f05973f594d975c49ea4979cd3329138fd01506cc880c1f6f5f44f71f1b5b5c3b254

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aa877e48c951df73ef13d5593821daf5

SHA1
ef9ec332508bd881cc006616ed01c423185f596f

SHA256
6602b5ca2bfff1e2ea9bb331f9ab620449cd77d582b4a17de0a3933bc6636b33

SHA512
0f802ed636977cb705c5487a126519f59a2ed2a7fcf27cee29f20bab3020d7cec070feed8edc545602dd09987435ce60ae34bdd9fd8886842e98cc964bf86508

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
91d7d2062aeb1ab7f4730dbc96560551

SHA1
d24aca9a335fdd96883443e906cea33e0ffce6a3

SHA256
fa4c0686e824b23334856a36ef83e54f52eb87c5415aca700243964ae1a54488

SHA512
6bb1d057795e1ce4d32e2b361a973200c4b06e83265793b6a57ebe40ace6dc38857032acaab3f4ebb82a575df9385966aa44aee10560ff04a1fd5288020a8bc5

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f09841b0a51e39bb331e3c2829d0fb8b

SHA1
b45fb9984d49186dbcdfc404bee1c92504a762a9

SHA256
70bff0eff1f7612f626ef9c16d1afc5cf029c9c783fa829cec81b94e1a3a83df

SHA512
b43d0764dd771b50b699feed88b36290bd5d211b87534d3ae69c00781b409acbbd16f36ffc2f32e0438725688a11458afcfc1b439249b38bd9b0686c992e0ff0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ec19c7b9ab049c801ba34f3c73cc4211

SHA1
ff30ac63e389a62db998e61e922a064fdc45faa8

SHA256
7cb3db08347ca2e464909f655646aaae31741e5b46c06eec9968bbb8f0155108

SHA512
aff817f4c44fdbf7a592a2c338953f3d8fc6ec7ae6493e6340bdc76c5a04f343ff6841da27c44f3154b4bd249f2bed1d8a04ec2ff10f0af4d7a6baf5f6248926

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a5343736bbff66b8506104451fe3ec10

SHA1
cbe359c0d5aa15b43724ae8153055a7e65bc47a0

SHA256
c0d31184ad0b1dedb5fcd73f7fb610b5dbf741bdc7fc8557a6dfcd2662c69fc9

SHA512
b17df4a031c1c7a7aed8d75126a8489840a2d2f96ff224bc6d2b7c4fd04502194e91c9735023024daa4d28af9c25f1f7ef530649e90134bb5eb12a07952edcc2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
38c4d1fb4cad250da8cbb4d3204cf0ec

SHA1
1101c995324828975f253498207bc0573294e4d5

SHA256
cfa68f8b9bd9832d248acbfc258112fde4a6168bb1d1860d992216cda3036e60

SHA512
12033015cb51f38eb972a26d3ad48c121b97955bf21b1e756dbd72c176a1140c84a1557ddfc6fb01acbfb164c0938da95dd602b30faf14f69f15f66e9d6b4840

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e6597d1cdd3ea7fc14dd4215ff6527cf

SHA1
119326127a73ec01beeb551815a2163abaddec8b

SHA256
36880e5995bb0012d93ff3e48772865cb1c6578866c6b90fbb006a9c36dd783a

SHA512
c375d3bcd20a756691e61a854be0578bea10636051968ba2ba07f7b8ca3738cbf7d8b4e910c785cc384e820159cbc69dcdd70d97c53e248feea341188b24962a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c77e192f1e6a2bd3ccededc538294895

SHA1
aaf05aa1d544473f0dabf54352db61eae677eff7

SHA256
de439e94ced50990dbf7af284d44a3503d6b9a950c7c892659ac328e59248ce8

SHA512
ab1d1e0b19aab32f5e2547d06bcf082215c0be9c056d34582986bbc527da7b5f2a6fe81a291f3f8e7614d3f1a62819f766f964d770a07ff5a59b1aed4bf5afe0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bb0cd9039b7267cd1e4d44c824e1db62

SHA1
eba2be341d89d032644ebe3529988e6e2921ad6c

SHA256
0a52e23debe8b2f2fb5132471e1e20307dc7b413710ae4d4e7d4bc14b13c0dbf

SHA512
96b8d1ef9b536c2f26dc0ac9ba2c93935fe22db700191666e8f5a7d8b881acf1340741b9b789dd38c533ac0d8cb874a31ae7291ac57f0021fc781660cc237255

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2cf9bef5b1df000f171e20d8afbb2752

SHA1
98b20ccad82e9f44759ce8143993ef58c0d3e03f

SHA256
c0d5019dafcf95ec1033793ca4522d3dc0ba95c71f5a41597dddbd4879a5d195

SHA512
74be504cbd9e51f2035f73a3cb136ab5e5f346c4413ef36f7d5e168874fc1ab89d449961dabe22c1809dc48e56139189a04c23125844bbc54ce0bfaa07d5c6c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
17aa7b1eee3d4b4f10b644d43ff9ff00

SHA1
acd125bd46a0aec77f282d84a67e8633bd990824

SHA256
3d0f3d2087e5db78c6c9014c9acee7d66764477bc9b21419c604b843105e9158

SHA512
2b74ceaa717d3818aeeb61560291a49354f6eea10dc245c2df655e312b426d4291b763d856fac1ca1c2e32bb564b31a32361698899d925bc1f740f4b88c62f10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cd6d10c8c9abb50fdf3427c9696b1e37

SHA1
8c2d19b84d4db1fa7a7e3ede7be784ac4b9cdbfb

SHA256
be0a289ea45db5ecf32045915b38ae134eb19430db7eb9601a416a8c6f6ca1fe

SHA512
31273339e10b3b4ee508754c9a461e41e269ea379b80f764642dd003376d7e45abe54da48c5df6b4752c3abefc7e3d622e0803f66a736df3929a53d2a80071e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
293bd33c0e6eab0d207fb4d60c082b06

SHA1
031622f2fc1c17463cc4b1765993e15801f5d1b0

SHA256
206bc705398715f445b22543ad35761d85095ec7474a148b5df22ee4bb8f21bb

SHA512
8ac0d1b87f191d462285d42d7d58fda1368639eeef240f1072c6caa62d9964a76436098405ba8992f56c635935aef6fbb1fb329cfb91a7fe370c512350a18180

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
656ec734900392de4f7250b1c8069977

SHA1
10cd5531f375d833d1934c4cd6116e827152645b

SHA256
ddc11a5e7f3d9d92f025fc4504dab25fbc5243f862a308883d98c1cee2cc937e

SHA512
951a5250333012f1c219e63a44a50b4952ea351a97fb0f22c57a8bbcfb09f54ddb76d1563dd3f312c4a26ffabf1ab406a92823c74a558c19fb008ae4dd2dca6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4f48571f1a245246b0e879b61481b5c9

SHA1
27087022f0fb6d4b4f2671f4f1a8bbbc3897b4fb

SHA256
04cf528a2da2c9bc4914b82b7fde1e0dff68b680338b569f45a86fb087d89a84

SHA512
f067fef4c25b701f0273b94790301f8fc368b5d1e9e1391b08be7868abbc24cb7f435a3dff1e46fe270c518ace500813752f346f1e3844907a6508ade8cfa543

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ddd7b1a0df97e2286ce0367f2f3101e6

SHA1
47fbf9ff15aaa108f11489579135ab9f7a183db1

SHA256
1e14d4325f0436d4aa45cc82822aa170b61d7b67a07a7a87f1e257b577fe7793

SHA512
93cc6d2a963ce2db3e201148479ae5c7305ab60f14144486ee229ed7d2a7d1f51dd9c1e1f24f40db20379e4ac9d944163be44cf2dfe8f4c2f94cc43f0a622904

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c10f11d07eceeef4206dbba0516988eb

SHA1
cd330c25cb3758cff6d154ba697621a169a712dc

SHA256
4882b450c8787bf1dff6f7777ef1183bd32167cd9c66fe4641b1a19afc5940f3

SHA512
41e85739976f25e6aea4b39761c667393901327a9b1d084b31707ec394f4c086ecba29dab189d2f7b42e4e6c0d1ffd6afeac394e8d29044c36ebdec3cf44401d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3e15963f8c234a0d7707a10b57104df2

SHA1
3b06e9a2fb0dca3422929198ac53243591ca818c

SHA256
158e9c0483cf4a6bb43073f44c15ca41c72d83773ea0ee82eac90a1e6a1bf870

SHA512
2acf62cae4d9a3eda67f17d83d15c9a14ba253cbf20cc5cd1f2d2f9d52a95300edb8c08acad1a88f469aafb15efc085fe1d6105c5bc7c0ed595f7e3ae49dfc1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
38ae662450337f3fc296636a95d5028e

SHA1
7253962da6fa4c4a3b60d951c43ebe2c88ef969b

SHA256
21dc75440f86b8046a72c3cfd752e49dc0975d05d0225b79b18e7ec26ad3f595

SHA512
3e9290404cd04086f86233e48814fad51a6fb6b7852d5d2325e35309064252fa7eb06724627a0557455f0de33f9711c11a9db4c5ad661ea7c1dd06967ab01fc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
114a84cf37f01128901d8f0c74cafdf3

SHA1
f63bdbd2ffc069e6ea61eb26dfc70eff3c0a9d9f

SHA256
7a7feb46e08d3acc56d19e4a9975bb23fb488e1d12109b439362a28926a2b17b

SHA512
e44c23e2347a0c4e8675239ca78ea884e89709087faf2946075b75af75d2ec59fb8483be65b6b4142e75df6389d67b6dfed7e45323e8c9b6b33cbe2c53e6ca75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
64c87fac2f8396a3f61a1be689c83d30

SHA1
0eeebf0149d075069d84f2258d5673755ffb1f6c

SHA256
b3475527b27c189abee151483a08e441f1a14b567bbc0457909e25498e523310

SHA512
f60b8960b90603333e4be3577cebf7708de937d870ffbf22a9aef47fc8761055aab89a6372ceee9d0d38dcee328dbe314e5b1753a236d23017b3725028c9c934

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bde0297c569a2355830129daa4d3dbdb

SHA1
14cdeff430f64aaae2cb94927d727d07712e98d9

SHA256
93f6c897947846661a6b2b8a34b84da3e1c38ad0a822cae13b04c4c525a2e118

SHA512
89bffe07b45c3c399c176f85368cc0ef8f54f095f5a4c2fabb739fa1218ce945fc430aafefcf10108f208e5fd254fc7eb4d65d4e92c5f4f45d0079d85e08b372

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9edad067110768c4ce6853c50add65b0

SHA1
383e831d2ce90be45cac7d1041455a0e0b4ae338

SHA256
a3b41de519a82362b154e024c29c07fa849134adec128b5c4a669358e2289c07

SHA512
3d7bb144a64fb48dedc0569a3e223ab0110c4dcbe9eff69ccafc375fb884e69fd1ab894ba504f4b195aa28e72ca8741126143678c0acabbb06e6d3876bd4fdab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
325ccb0342f7652089ea7880a69256d3

SHA1
b76021ef3f48190af1ef616f4eb15a8e46bc7a90

SHA256
931ae8877a2fc4c917739bea737e34d6fb872e6b2f63c803b0cc13489e58caeb

SHA512
c1a62dbcc28b0c1f00ba29901e559cae1d194e7bffacd94bb663e6c08a08fb9877d7f03bd3ba192071f85a0960cc4e098d65512de34431ac0e5676cd4cc57adb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
11e8765ccd3f78c73b39d0c154e95d54

SHA1
658a873e967adce3b6bda95d7094dfe6865fe2b0

SHA256
31dc6e9b4f5be128fab53782ccfced2704bd9eb8361a182062356663768bd627

SHA512
a0d1fde1e867756ab0cefded2b0936d1f052cfefd44c861795ff8ca37db049cab7d8631687867a3368553ccd0c1aad13dedf9f264edb8ebbcec01376d0a3bcf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
adb870a85e6521503dd3a75c8f018a70

SHA1
371717770bc64651a055a4a0387a4288b387dfdf

SHA256
bf7f7f46a497b5fd6f9d0465276e46ec3ca334c035c089b3442a1bd5f9ca1a5d

SHA512
e26889c674c251b9a93f73e646738b91ce4c6816fcdf472363dff6b31d1b1f3f4ed7ebd4ea6bed71952f97caf01ad83c2a21ffdfbfc775c117e5b96be27c075a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
c1bb0b4fa749cbb3fee53b4fd66f3b52

SHA1
d13d2839680ba2743541c817df03b8ae7ea0dc12

SHA256
b9a4e9a5912cce3bf08fdc703a553e0ec6b39f6a5d9462fefdf9534a181b4e7e

SHA512
1f371905cff0bebcfda68d85d34e748f6b08e3c7737ae06dad7b56d817cdb9aa98227b9cd849102806210c49f961d2dcec3913549727e1390d5c9ba665235582

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
dc39502dbb113f8c5c22ba42b3914468

SHA1
168dcfefde25abfbb1a600c31084af06314e12ba

SHA256
eec9494af5a81d5a709897cca352ecff36fb5303cdc942e0d143bde6029b0822

SHA512
5ebe6c5da3ef157054bf9cb3e2f15a6fa07c47119d7c325fa40fd39df52b551c4f7303c4c402f62321b048b56644f5c7aaa3b8ff41b8be542bab21d47184a5dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
d20ed2a27b76c9a767997a5b5b81bbbf

SHA1
29f51ede1cd2803201e881032abd75fb88d26978

SHA256
6422e80b64ac5a23476b7c6f36fa282ed9fad7cd2fa063f3e16179d74265ee6b

SHA512
57503855e14c6e0fda824ff6f8df44523576ada69ce21da34351b91d0300abc58f216d42ab3739e0d6e6211e05a30b4b98cc230c7b06b4735bdb85ce5413677d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9fee5a21b5651049f3b8266bf87227c8

SHA1
0f2992cb0440475fadea2ad91dd13c56c7861a81

SHA256
111e609ac5f313969d43cb50f70a46c120204d5e9e926fea660b64f5038ab95f

SHA512
7416f7223da1990844b5e5402b640e282f6c6ed0455825ad550734850f46a978f139c3f422195ae68a3674fb235f1c3dc436b6e1f3fb848e8b392b3bf68caae0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
4f5aa91b475a9d3ee946785db1f36680

SHA1
0adb1389477b5fd034f1e59eb1303725977343bb

SHA256
031503377c2ada70746c85abd1dc96af1b20bf55e0c8bbcf19c9504662fb229e

SHA512
f4cf353263640e8a65cb5e317e1ac907ee17924231336dc974c36279a775d8106b0b7bd3cdc14dc0685f078f2b1ecfd6254955534019c69497590ade5f33d670

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e42cde6942d49936e31cce44b9a2fd2f

SHA1
a1d432f51e971cb9376a926410478492d4747226

SHA256
402c89ac4433bb64f3170f761ad87537c0df482f740c7ff9a4f7a2354c614d53

SHA512
6c9ce807ddcbd4b7a0f6abd9a729b57428118033dbb69936203419d55480af8357c4f47c7f59c20c38eb66479f0d5fbb44aaa9f4fdb5bde85a7d57baee61b6a3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
955dbf3ec4acf99deec82c88fb1b095b

SHA1
d75ed2727186cffec90deef3cead2b006e9cf719

SHA256
5495a261dfeaaac232873e69ab9d93aa1c83f1b4acd99529c92afdd1f626b071

SHA512
3ab64928d3c7d0740fbfae80b911733b5462dcb2e54a14f2ddbaf44278909ba25ff642a318c9d020e9628f3091ef8dc709dd0adac4b626bf6f22a11df08160c9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a8c507d6c41872067d3a00dec148aa76

SHA1
171541991f83bed7979da04213399a118e115e00

SHA256
ebdc1c8355c33419528bf75e57c3d859adcc61b9876e465d1d3f3dcc6b40f43c

SHA512
012a6c7b97772524eeb240527339314b2c03be3f314dc3880522c1b83dfcc1c63600233cb9fdc7e8fb6862b9cad4219903dc63549278667a5a19301bfef670cf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
0ecac5368e4e4383fc71dd23af19e046

SHA1
ccd34bdaef32afa0a04a0e605411409f3a46f787

SHA256
83ec1bb050fa5fb7f30ee3eef94e0f2ef83d61f5d3a51fa1d66fd5208a6252db

SHA512
d4dd0c9e6cbf453876e853e4bcda7e1a2298d707ae320dd7b2e8fc115828c6dd7ef798a127d90d055d39e61a129983d7c4d0d90b88fa850f9072815e44287f07

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
be5c099af74fe076aed9c6420f27d914

SHA1
48168be10afbe2b591ff260de7e262feb229790e

SHA256
17d077f5acbaa4f61bd91d1fcbaaf4e211962f16bf3d597d7c6d48170770418d

SHA512
3e4cb2105f02c344d5c37ba3481a68f029c0efe296fe3689a46d1d6f26f2552e4d8d8dac29d4d8c4c6e30e6ced798bf8f8ad0a17359598868071009581e08ea6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1410907dfc7745f840ca8a1b225ceb33

SHA1
cb2eea00d16e31fe82ae0b5c98cf8123ecbc94bf

SHA256
ecb7bb213422c493cb8f3f4d41e79c35a05560331e0e45c326eb00aae71480a1

SHA512
315b4179c9c62e69c1a2420c440ee9df287111827caf4fda330abb26bdefb60a3aee6c13626c95952f5d7fe42d3dc9928d3f8ae43527c8ad0b1b8622c8331795

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6b8c5413e1149ebe50816dea21eb5d4a

SHA1
770ed34f9713577a9ffb97aa2f322f57578f98db

SHA256
44d9cbca1327170cfa4165f05f70f844734aa00cf2848dfbb70aded6f520d398

SHA512
4c4616eeb5f7ef7ba04543ac436a5c713fd25408642aa89d5f84d12801a8f2e0584ddbad7bde35075d19cf91715850e2b26cb92a503c4e032a5c5f49f10c3435

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e664a6c3fd01fc98b8b796d6678d206c

SHA1
4fe323532f3e096e055f4bcf3fe1e4aaf210783f

SHA256
94535ab5ff3b1d521fa75318d51aa1b9ec49e12a9c39a792487f94c149836c5f

SHA512
16d4ba5ab79f026bcbb7f06a0c4cd9adebddaa31f9dd0282d60ff1430a956e04f2a7801f52368f41a1e8214a76989dc9daeeca37251640323d535fa4099a0f14

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6bb0ee4e69991b0117052450e071bbc4

SHA1
3b06f28ab24568395a0918765c8d7c1290d7881f

SHA256
6cb3676e297e148041a37f9cae6b6bad9ee11ea076e34d125aed5b8826d765d2

SHA512
960dfc5279ed8b66ab9ba10948bf393f3106ce37a87db2e22995a5e8b54a89696c16be9e55531a811f27327ad77797bff93506ebce6273b201ea2b3e5a04bc8e

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ec44227620c8e699eff8d214daff034c

SHA1
4c20735bb629bb68d45dce2295d67f6132bdb717

SHA256
e21401fb58a7b01555e524a073343c85e3cdc85e88751b6d600d6e06a0c5bb5e

SHA512
7929175fa6f4cab08e3f383641785aabe166bd30fa2951afeb0fdb9957b2c03a26f9752306b65ceffcacde1e75c3151b4bda509b9a5a631d2dcabc9a3023b044

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4342497cda6113c96f0a9de44eef4431

SHA1
6dfbbbeab789f372900976220567cbb056be6588

SHA256
3db34b98b2ee9e3f86410468ab9de5e684eedde38abda4b9269c9d41f05d1616

SHA512
a6c6422811af9f5c797bbe2a8eef36f855fd4d5c45e49c27d5a63c2910a21a64f79f6908e3b41c42bc26918fa840e6551d8840ff671e66ee07d3b54cf4ef9c0c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e242b8a1bbb2312a6c1b3ec6cbb079dc

SHA1
8d9d230f67d91c00106c4851f737a063d5b8e6d1

SHA256
f9b521ac8351411f5e81d3a24905c4baa6e940d504fb6c598d20d2c03d6148b9

SHA512
a2ac03f7e2e20e272306bd8c3904306ae159c455ca713ac8928e33688d7b8f4e8eb6713962bcf7b480642a59baa67233c59da4f877ec47038f61575db6dc59bd

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e2de18c5307d08e119696b1ec0251b5b

SHA1
2993d113174ee2ee5307e3ab8367393c13ad0808

SHA256
739b1a8d950c7e2ef84b1808686b5b2c297083a21bead1754861d62dc12138fd

SHA512
2aa9301aa82551929484c12e9a01002d3731b5f7e481823e9ecd0b67d837821dd4801a34f97ac8465a4ae618e085d32d6701c49ba63ad24682272699c9a86d09

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
bb1a9fc56967d5be5c87afe912d59262

SHA1
2a5fd35f9114eca6966ac335e8e5e4a69ec7f3ce

SHA256
f423320cb501dfe2cda73b7615fa8affd705aba6edcd0804e41d862d70d2f798

SHA512
1821c5761842d1254ca4ce179c053c5def052cf5433dab0f349e3a134f46a0dc7404dfec082ef5231628337a891cd393d395d1a1b24aece81db247fea924d3ca

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
564108e6e72fc9d747f3e79b2d73a00b

SHA1
9f1407d78358d0a2fe9ce81034c060bc4d5d682d

SHA256
95e7114380e52a32b62fbf9c2f98c5cf706dc221b9c1f35c0c5e26fbcacc9bf7

SHA512
6e46eafd47b4550b8ba0b9c0105191c2ef206636914276839f87d631ae850d63b278070d6848d6a168f84d48ea9d921087f646cb829be1a4488abc82897590b0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
d9cccd127326772ab3ab7179da017313

SHA1
d0adc44397eefb9c56c6196bca53dd34f87d92f5

SHA256
1f8d2992186ecd6657173d90acbb37f7607a499bc986a362f113f544ba2e7421

SHA512
86e1a5baf765bffa4f70840d3d2a9947a620660d7a97bef0fd31aa158aff282d111beaf9f0629b97933bfb7049286d146bbebd1ca014b923818aa1275444990b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2a0d44de039fb3e880d43ef6c60a26eb

SHA1
13a440d779b2f8391102fedee0ee01f7d3bae6d2

SHA256
9dfb2420ea55f27ed711a9fcf1256cff5eca2f25c2ecbc6309f6f571349a8076

SHA512
93c37076961d85990999c6b5c7ff5b14ea4c6ff00822d05da07de3e20da6f558c67eba8a7a0f878fdbe4668874bd76767206806d579721dc7c5333cfb9bd7218

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ad8c94b4ae13d5fdf021ecc062772240

SHA1
ddafa30db6d523ba3e7d1ca58842d63d3e458662

SHA256
2bc6eb98a18fdc4d741e0e412a134e798271b400a5027b8fa294f1162ccf7796

SHA512
36fb4adf9ca6c27953225b69a419cbe33eebed7fb4dac9d43b17e880af4c89e2e9d55897e488a51874884ce74e0d632f5083204ac151dcee9a11c51e166810d7

Download Submit
memory/556-276-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/556-335-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/556-267-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1140-508-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1140-313-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1168-324-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1168-509-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1260-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1260-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1260-68-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1260-69-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1260-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1324-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1324-507-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1324-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1532-512-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1532-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1600-24-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1600-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1600-30-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1600-251-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1740-0-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/1740-6-0x00000000025D0000-0x0000000002637000-memory.dmp

Filesize
412KB

Download
memory/1740-1-0x00000000025D0000-0x0000000002637000-memory.dmp

Filesize
412KB

Download
memory/1740-65-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/2008-254-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2008-48-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2008-41-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2008-42-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/2308-19-0x0000000000D80000-0x0000000000DE7000-memory.dmp

Filesize
412KB

Download
memory/2308-14-0x0000000000D80000-0x0000000000DE7000-memory.dmp

Filesize
412KB

Download
memory/2308-39-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/2308-21-0x0000000000400000-0x00000000009CF000-memory.dmp

Filesize
5.8MB

Download
memory/2348-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2348-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2348-255-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2384-278-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2384-339-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2516-301-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2516-506-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2736-336-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2736-513-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3080-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3080-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3412-79-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3412-256-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3412-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3412-85-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3632-298-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3632-431-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3708-514-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3708-340-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3772-515-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3772-344-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4120-352-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4120-516-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4300-250-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4300-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4428-263-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4428-331-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4984-343-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4984-291-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5096-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5096-328-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download