f4cf75135975dc21b200abc82d72012f03858002f71c9ef8a29d5793611175c6

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
Size

11.2MB
MD5

a986fb567b4821b6f922eea47a83e336
SHA1

c476096ae7e42a5ce1b4b1a8aadce997c6a9ed6c
SHA256

f4cf75135975dc21b200abc82d72012f03858002f71c9ef8a29d5793611175c6
SHA512

6f71202e7e892d01dfb786871d2a97013439cfeadb8d6df4d0ccf2c4f8c1ebc04ce297f113718e81e60d874fe7f6471a6533bf7d0e26669f0da38020b955de65
SSDEEP

98304:AXeywEJ3gHj2JRjfFHBYeq74enEVvytrbSP3UubTbmjgt:fw62JRjfFueq74hVkuNLV

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1180	alg.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
2264	fxssvc.exe
1520	elevation_service.exe
1072	elevation_service.exe
1292	maintenanceservice.exe
4772	msdtc.exe
3412	OSE.EXE
216	PerceptionSimulationService.exe
1268	perfhost.exe
4848	locator.exe
3468	SensorDataService.exe
464	snmptrap.exe
3232	spectrum.exe
3416	ssh-agent.exe
432	TieringEngineService.exe
4020	AgentService.exe
3636	vds.exe
804	vssvc.exe
1792	wbengine.exe
1872	WmiApSrv.exe
4036	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fc5c8c75c3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022219a7b49beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000de27ff7a49beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd6e027a49beda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2f90b7a49beda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f9c9be7a49beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4608	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
4608	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
4608	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
4608	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe
1536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4608	2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
Token: SeAuditPrivilege	2264	fxssvc.exe
Token: SeRestorePrivilege	432	TieringEngineService.exe
Token: SeManageVolumePrivilege	432	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4020	AgentService.exe
Token: SeBackupPrivilege	804	vssvc.exe
Token: SeRestorePrivilege	804	vssvc.exe
Token: SeAuditPrivilege	804	vssvc.exe
Token: SeBackupPrivilege	1792	wbengine.exe
Token: SeRestorePrivilege	1792	wbengine.exe
Token: SeSecurityPrivilege	1792	wbengine.exe
Token: 33	4036	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4036	SearchIndexer.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1180	alg.exe
Token: SeDebugPrivilege	1536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1152	4036	SearchIndexer.exe	111
PID 4036 wrote to memory of 1152	4036	SearchIndexer.exe	111
PID 4036 wrote to memory of 552	4036	SearchIndexer.exe	112
PID 4036 wrote to memory of 552	4036	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_a986fb567b4821b6f922eea47a83e336_snatch.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1868

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1292

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4772

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:216

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3468

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3232

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4592

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1792

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1152
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
13441980b6d8ab2c06ef122305cca211

SHA1
09cfe7aee9d7192127014b65e0f09fc5915d37a8

SHA256
0c239584f2819c1b5b3f3a78e639228b0330df3d74efb3ea3fb9b661a15b504a

SHA512
efacbee7f378ba9660fce39baa4f6b966e2cffd2dfe32b05d2fc407851e7a46c1458af4e061a0273df17650cba538b624d5763c51a65173964b614fc9d059fe2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
af25ef441557652f231a613be3558d86

SHA1
e465704ac8021f9e82b2133cc4ea1af68eeb243a

SHA256
c22623dd23594ad660ba70f50797a7d8aa9a03d8c016df2db4fd2ab825e729f9

SHA512
af98d8716f35e49ba389d142a78ca3b76d67f830e821095880b986e348a4573cd5774493f46e05d99ae4e7ce6dad8bc4d1941f965d88bb50f838c262e442fa46

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
3dde9fbd4f369893c73ed0579e852167

SHA1
b233cccfc7c2facec3b5fa1f4eb11577318ff865

SHA256
ca732fe5b2108537fada474f9d81eb028847517107413e16867acee8bd73453f

SHA512
b2d4d7146fd515a4316b1da50ce7f67b86bb6b7a4a2f488c4ffaa3bceb6267f6dc26f15db506c8a65869733234f757af084b3c4d67de2731ed9281d34f490d77

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a05c387ca723eae2d60faa6da463bb0a

SHA1
4f24aa5f4bdf543ce409138ad6a1554d40de8169

SHA256
63dee98de61d6feb897856e656e4145cb1bca283b83d750741e2e13d92195c6f

SHA512
b3263d5667d2852a15cb92f0a40bc4d4e9e0971716bf5cafea753c7f9ec5427d57afd79ea0a1c924c7511d1b9c3e3cf387e5f9d769532f45ef421b9f358f1ed6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6b657c44d4dc1ee2f655c364e3244275

SHA1
773bf7a6886a6dcd150ecf5e2eeeadbd1d307304

SHA256
30676e473e439aa5fdf9327c227758d3ef574898664b9828f820e3bdeddd3c2e

SHA512
036cab39d84a3382997c5043878f03d0a1dde09b67fa99b1ffdca46edebfa03c668928f8ab58ab2eaa4aee5eadd8852ccaf54cbce4b86c51024a9c33506e1543

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
cea15ce81900da41c9b805892a0ea10e

SHA1
1cde966248ad222062775e02d72b0270e690e8ca

SHA256
c871201e39ebd4d84da79441823086975c0ccd0812cc09482776a88dd651b09a

SHA512
5e8e9ff509ff620d69978d4fd8f7ef027749b4bf106c583c7c48d05dd150cac8e23baf30973d61d06557b25c309b2e4e254f20abf56ec49e58e6cf77f70201a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
1f8aa3ee9842a581ce76338e2860b7c1

SHA1
4eac03d98f154e5f8ecbfbdf56402e9720ad789c

SHA256
15d8b2ea18cb2f90b18b74a440409c435f97a641f57043c471b04104beff4a69

SHA512
816431a3b087565fc831dfa2d1ca68b7d6b1bd17bd1ac714e8a31f8dbdc7d0ac58011a0f42ff9c41ee3793e45b650429a7efff485c999351eb159e6192f3bc6e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b2bd8ecc1143534e62311bb05010b0fb

SHA1
8e5694dd88a92f2ee4c72de1e999ddea32256781

SHA256
462a3d147d23d3ef3dc7abdaf14c00212fae4dc5127c18811324f6c1b255103a

SHA512
65dc8cf35eec1361474985e49cecc827245c749112c02521beef0efe5a4bb47db3f5612c4ad77a5601c6b3e67d2628078470a99e5ad9bbfab99a00690be46079

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
0e2522ae854ad3c69546efb6f7a24d6e

SHA1
05ccf9ecd06bb34f245bccaf99ef75262ced4919

SHA256
3493c8cdbb99d7c8ef89e29be471d254117f63ed2be8757b681ed6dd7a32ae7f

SHA512
58dfc7de9faf4aaac904c3a652f7e41308b71fd99c20e33c1bf4612fda4304ce87731278ef2f40b4e720cb5cdeb6079954088e49bb4ebdb61ec6226b62099f8f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ffc37cf6cdd26a1cfe378ae30c3138c9

SHA1
07aa1c70a112c02a45f75147af63b7024843b535

SHA256
a8ba127bb782058d165080f56e31fbf9edbf987b791916c351a523902e1f6350

SHA512
679b41fa5fb8381252e7f58d5c6223e9e93fae2ab9881871b33266f79bcbf6efbc888fbef462853a12a85c98f67b74da423bc65d3da216b1e03031ce6987b04b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
862893d5761e9a3b0dc107a5dcc6d404

SHA1
c4d55f0c98e8c53da6d8f8bcef43aab6ed94f36d

SHA256
852d183b30d9e1b77f4616f010a230079265ca55a5e2510f358e7970c0401850

SHA512
dd1a22a0f9692d7da9ba75a2aa199eca2b1d1a31826ef0962036de8c2a455f5c8d976aa71ae84a25bf7c69f56dc66a17f269cd21e8d33f7d0eced862d1a128cf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c6331511cea1bb03265921ae927c503c

SHA1
82a2203bcb53c7cd58e72fbb076bad4fc1d739a6

SHA256
99885cdb8363f967601ceed506660fa1d43cb3d7f8ffbcb40895bb0d4835a89a

SHA512
16639160fc7be4d7c435f6fe0f4c1fa51a032e857c1e3cd863b94b6a9b57316b88f1e93ff617de3e0ee9206e7782974969f8d6794c673ec76ff39cad80d16569

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
2da624afda97a4a7a67a44e89c233992

SHA1
7eda519b08e69d27f9096f480dc6729be0f64e7c

SHA256
0153ed5528d2836f39da095babbf8ccbb2a7d7e7a0102f14a79b214c63d43e92

SHA512
35742154012844685f0fec54a02ba1c49b667b931f10a608bea23b6a0af631916b1e3d13981dcd92f68b4a167ba6e284755eea101bb20bac5c91624eb827741c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
50100363f5530644b53ed747a4df7f24

SHA1
c75d29810b42a52cc221e84f5d49589dcc942f5d

SHA256
994d7a968de1848af3ddfd1403cde384ec4fffaba79eea7e0cf404b034bb9441

SHA512
d8e83419a66727ef159ca6d5ab45dd7eb5a5b5f1dc9992bdbeb4bfb8ea122a5a5426a2a59e5832d442f5b40808da6d4a8fcddf68fd53b729001ff2428e8b6c07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
67450fc185b762e5e86562e629ca938a

SHA1
a6628f52a06719a96ba99157aee3695bbb92fcce

SHA256
2a2c1541d2b56572bfd2c7d598654a7626afecfedcd33f412f476cc2696c4c35

SHA512
6acb8027fae675caf2ffe678af032e95dcba62590c109d241f855661d22bcbd117b82dd5fc1ac92f6dcdeeab4e12b76f0aa96f8fb02dbcafb9eebab084482834

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d0066f42d543607189e067f805a7caa0

SHA1
2eb5fc4e754bdb5f569c7ef010b51cb7dfb57bdd

SHA256
c9b9802543d472c63695654fc836df470dc8b2fb9add2880cdbaacdd61f7b661

SHA512
490dbe62e6d59ac1cf205a87c90def66edee066911b9c00442ac94c734ba473bf308b164d1b034ce9757d725661bf52dd0575bfbd17b440473a14de3619d18ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a1c99597e1fcbc73ee48d5ac6bacef64

SHA1
7b855cddf2e4359414bc7faaacc517a691f85ca4

SHA256
9007ffde999e22e98cb0c81f01a428138ab2fd0b93f66eedfaeb3f259452ee04

SHA512
295441ab5aae98526b879f6981467253f3ec6cc93cf96934f4c8374af58fca3f4b9c87c9918c020b1862f3a1dd95862478c2cf7a36044b1dc0a9e96a730e1109

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b6ecb0fb179cd21d16c68c812f864b35

SHA1
44ed908b785e37faf15c6ef7ba8e06b1ae5952c8

SHA256
f787a1a2c17c68bbfc2b49171bc4a5b4177deea9539b36b13dce6207e5260da6

SHA512
51d2f415fbf466c53eea0bb22960d7c6fbd283033c5713c51c256fd59b6626959b57bed13076c63983477f648128221bcf7037bab81d4d5a1f8b08b9c5a1e3d8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6bb07f5b1194b3636eaf04905133f4e6

SHA1
6534e82fb0311bd861b35df4ebbf2e601e920383

SHA256
2847be6155d432bea3493025c9165803d43eca60c12b09d50a90b4847d5ae03b

SHA512
3b4e2913b7038140850455f47f630fefd0b38f30e634134ebe754aaac8103b1d66f2fdf39ffa985fc2bf52e43d85fc4a70f78f3b533629816fd89c53838833bf

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
794c9db8577fb667c0806d6b232536fa

SHA1
ed8581faa20511523be0b50ae1889baf8f95985a

SHA256
d53c66806e448ff88649593030425eb0f8a48a140ae5a79b56699845979d4a59

SHA512
d18e60a16d7b88d6de72001327b6242b53104d2d9de20b88f1bafc1c6536fb2e9153834e5ba054629713f8586e2cc1e6190f381127feb3b750ad9ca88db39baa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
20f0e7cb6f7a638b5fe98378d1ee57d9

SHA1
575c06bb4a312b6c82dd7cee509a1e918cfc47b8

SHA256
a5c34647edc5635d331eec18f39493228df7c9af74133851caafe14a4be0b946

SHA512
f98b62c32355fa70b8b5cd341bc067baf65ec388f41b3f994e85be2f81a29fd9e662f9eee1833d94a6fe3e045b902df534da183454f8177703313f501a77b7ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
aeff468c87522828e1d24bf9df9b77d2

SHA1
977db62bdc560d5727869b192fd1a7ada3938fee

SHA256
f6af07074fcdb48c68439779d24eb971ea2bee0a5b8b4ca85c4de59ff8b956ab

SHA512
5c37e765b8c84f6612619bc2816c0d344c64f16099d16ecbe1783efc5563ee02a8d61e077a348661430ba98aca5e64a1de75a63081f1fbc8356036fe7c1046df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
275fbe89aa8983be3d68efbf5bc7428c

SHA1
f50a115bfc91c946616151374e4e0c1eaa981d33

SHA256
2a38cff34b883340ce3e95a322ff2fca55610390227c51c68c58be5f0053dcde

SHA512
59db39832dddf634e3a1bf0b765a0275be9b72235f623495c9b37e190c8f7b143329504a40ec91d01863423e68216fc6ac9d29a0b00106024cea6854a5155c6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
9a534229be83331e062f852693276c35

SHA1
7407d3d302326d46e35b91ed2553852600158c40

SHA256
ea4a14887fe3952aaebb072b54ec8ed6f481e9bb0c2ea0fecc7d3242c9a08e39

SHA512
4edb1d99262c83ec53febbb84c2469f88d7325e25ad07a3f8a55fe46c6229010d7621b05e56c952278a9c5fe4283ee7adfa87c533c5b7d2e6ce91ba8efce4311

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
14a5922b3599bdb119937ca20bb72f48

SHA1
0c0dca1cdd2941ee7cde6a0004f5baff63d6b84f

SHA256
74a366aaaffc4ce1044344fe734626b7002a826ed647aeefb8ab6a92f3c4d06f

SHA512
3baa41ddfe12483ced3a96214846a3f02d62b99ad9dc043db7cc575961dba0c0c5713c78386ce4bf5cfc36d33a5d43e6a1ddad8e7bdc6e4170b2e01bac8fa8d5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
af0a0869e72ed5edcecdb01371d24654

SHA1
34b5b32a9c45a532c8ca97377730822a59f3b2b2

SHA256
913966f33f5b0e799da37a31f9b378b9ea7c2888d9c3e601b665399611864ab4

SHA512
50d1cce1ff60b56187ebd998afd13c9c5fd99d0cd0451fcc0c97d60fdd44973a1404424b50b49d125623dfaef90d1487f8da004d06a16d7e97f094a80bfd8649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
af36db8b0e67c01f71db96d5b36af648

SHA1
b0807f531a150c6d567cbc8e6f79a65db185bb46

SHA256
31a2ccccc5a5424a6cea97038bacdf12c398d5570eda015e434f53d78788f414

SHA512
97b07a298ac5d2cb431711541c5eaa43f715db3573acde08686b0d946ecc526dbc9ca029634ce24038cee991a7b29c7309ec1638e47d98f9d51fdc328b3c70b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
1f6b2dbc6f460a051c172f5cb5058626

SHA1
ca04b9434a494dae9be5df6a0ee2f6bfb1ddaf80

SHA256
a58cd0c8d7721d8bc8b6285cc7990f9e92fac045840eef0397c18d382088ab6c

SHA512
5e72a8964c592eae5dbf9915e9efdb00a1d9a1e380484308352b9e06a72e2465671314c0700f8bf91995ae93590b98c3091a033244a149ac84b11e3f137f8c46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
b159d11593bbc8891a71a2a11d49e9f2

SHA1
3eda697c1917307e4dbc6f877965b200a07e3736

SHA256
1ccfa4249e8736f7fcb0ab9cfc41eff4aec4b77e958235a5f721532c11b7f4de

SHA512
88ed103b7e69903685842be4805ea06f024416e9929349f11474b130b84533991e21a71089e9a1b1073cbeacd26d49c2760779ae0cea83d216c06418aa5054ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
cd766a145b3aaf891c4558e4bc3b9637

SHA1
a3b2c252d332bbb741e87c812cf47909d8af722e

SHA256
f34da8eef6ccab42599eea4d28241d6364118fb61abdb5dc9b67c1690ff2aae6

SHA512
5edca6e01b2228cfdb063125c7eecbf112a550b2faf2212938ae682d106bafd40783d8714068ea2804e456c30ae1e7cbbe11d4f971eddd211d8b721893292b98

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
478c5e8acd544fe3f5ab86bb28b755bc

SHA1
35f18718a9ce38253aba9e8af567f18eba0d03a8

SHA256
d37a32b8e75151b95f95330bc0460bd1c1243f53de1e0215c1fe3b3ddaae36a6

SHA512
2b72d8ff4ef341e1a9a91a604c37a47beba4172bc3e38e00e61e1aa8217ac8e5118fa5b301d67bc5be803c1f18840aaf21674aaa422f90ec305077cf2ee3cdf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
94e8ca56ee11a0412ba158edbe008e07

SHA1
b7269fcf658c218659e08021ad5de6a56d29e268

SHA256
b25f7a956def694dd527ed314326161cfed0ff64a3d4bb88f4518c0056ce6050

SHA512
d9abb9ce6e86d69cda43d5ac1f3447e731b066676ee5ba959e75538df8474cc05fcef1de3da08c049a27e582d1da36e8e756e637b75e9e97857fffe2ede3e75e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ea9ca00b46234bf0e056ac2957757e6a

SHA1
852631bc9cfc9094e506aa45af062b7d763ec485

SHA256
afbc2d8321e5fdc0422f55e652ce5d8a056d625c3d29a079911f7b129e345bc0

SHA512
f8e23b5f52b64450f3934b41e7a39b85ef160ecfd65bb80bbaae47fc79cd1e44a2e452c969a04c1b8091a7b95a01e514e5d86209c1a4dd0c769d69e0fa7a9726

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
59769d3b79a41a5f072a99ad8a7d7abb

SHA1
19f57d0883ae5940b34cb4062e43bea710040992

SHA256
e8b4526042bf8456eab28a193befc8666ba0e20645a2cc9523fe81df50eae0dc

SHA512
7091ba8e65c3b9c03b3e418c74358e7df894faf42bcee1a9d3abafe57f9c4c7dd00f5c5b8f1e9d5790c6193a2698fc0528460ef5098352f625593ac6efdf6fbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
61a6e21fb20851be35affe5eae4ec784

SHA1
6a011326fc36818ed17fca907736d562c9eb7f07

SHA256
4b5fa5a42f160483048746bbcfb9af6c9a9ec66a960fa6085ef8f10b871abe28

SHA512
93a28b62101e7e3928c4702c744cfbfcf2bfd10cca5e22113612543cf898b47aff38ee6ad2ad11c444bce6853d80a5014a5e91b8ff70603cca242e890d3f98c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
aed43c21258f47912352c73213698b29

SHA1
06260ee0821005a215b5c2f8f05aaa61c6633aef

SHA256
20cf9ddd0811717b5e190e6e050c55a9770903f420fee0143144c4da62e28e6b

SHA512
f1f1b56abeba9037efd139c4082b04e31379150c730bb9369a3fbce3c1ac390ba5bc5d48d3a3ee58a95ca0c50f35fb18bb618ca2b8f4a08edaabce55baa98bc5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
72128a61b7dc9c4386d7635a0d2bf715

SHA1
680360be4f494e61b489f9d927df173ea3f9924f

SHA256
61aabf5f917ee0f8ec2acd4a64a3632cfc98ba6c2ca2642f8abc618405fbf56f

SHA512
20d9452ff80b1f3b62a7ff6c297e758306b7039c7b554e0ce05d0a750fbdbaf3d3bce38f4ff5fde346f31ed8177762e938b04a735c61e851b6cb134e812f1d92

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a5b7d828bf74742d31e0d173089bee87

SHA1
70304d5395f409ce93bfd8d29c37d34ede1c0f99

SHA256
8bd380d4a229b658360f212f5860d8b46f37d80fb5469ed7feb5acba9c326b5d

SHA512
b36015c0e37005a6fe77168f3fd935fb6274d5cfb94331255df93f9515fc1ad7f4bbd8f41c22097d117a66faa120975db82b47c8b014f7870aedd383f9e2d4dc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
ed17d27484cd3e9a404384b38f343d9e

SHA1
5ffda82ef9653bd63ab64e8b5c03c1d354a0b9ba

SHA256
5a587e7f21707bbb25b2aec3362cf9fa0986c18af287d8d65cc72fc2703e7b4f

SHA512
a0f8c311a12521ba02ec9001aaeb7bf0af28593fb428d25bdd863550221333d49b6cd2db5b4efffc31012e85aaa3274322146a95346a317f5b92403e01d89acd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
d829349be6ffca20f79f47e7104a2737

SHA1
56a8adcb82e6ee4a2eb8a1e8ee8006b9fe520cb0

SHA256
be02315a42bd14a4d136c47b1a0fc7d0b98acaa43351edf6195760cdb3818507

SHA512
4107a8d34af07bf611286a33f1a5f6b52b579e45c20660251a048d42c905647d8e14181b4d61920bb45666e3f62713ea8979abb7bdd5ca976ee7af116201ace9

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
310db27e1d4c5e7909c70edf284a5160

SHA1
b30fa38183373e425dbe0e47f241abcb639b2def

SHA256
0f20fe81d5b614f1ab6819fa68a59309922b5c05a908c5c7ecf9f8c0c3b9ca12

SHA512
ca8a6a3ca55efac855a5d02add6c289e85580baf50d40751a3ec7a15ab58cbeb6b2d4dddd0351b26a53c798a1b152598fc34dfa8aacbc24270ca905fdf73d01f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
1b5afeabfa192b0093ba31048ae951a2

SHA1
99f30bd29e588020d5d0caf5ecea110a8341bf9e

SHA256
86855736955f33284eca1f589c6fa1eee5058cab28454c70eadca6d8fa0aa028

SHA512
734880cac1efe51d0eaa8b2b35814eab2fbd36368d10fc3a4c6c289c958026e03a5f9d7f08423cd7adeaeb6f39945d6317fb8decd9cc3e73e7cc2f64a4d89d4c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e232b68a0edfc288942337e378b865d5

SHA1
b49882f52c9337c614a1efdccbbb15dd6f17fa3d

SHA256
00cd012e4e3a9fe7d2e86f335bf802512722ca7c3011d8f9ddc35c0d12ee1c56

SHA512
97bdd63e5fe73c7247c8cd797288fd980c258bf8b81063888c4fd223b8595e9956981327fcf704c7c0bab2d06b32d165765cdfb367d9ce6b8d95ffc60d9ac99a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a9f20f29a95dc4b4417f75d9447221d2

SHA1
c2a5b41647d34cf8a7a754332247cba8fd1a1df3

SHA256
fb1fb036d68d8d460a78fab15dbc19d922383633ec9a098300acd9b34250070d

SHA512
3531c52a36dbbdbebe8a7fef862f584a8469c3a117c1398d0503bbe3e960430163d394034fa799e66d5f5bb273646b2b064d27334a140bedba7b3286fa53be5d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
95a2f0a48c351b4d22924e911baa4a98

SHA1
e9b11c58505cdf1b8f82f0a1272badbb429df440

SHA256
4cb60fc37ed6d51f24d98e64125c0d32fdd4d17ec9806bc53cea01e064e9062e

SHA512
262facddedf36604177e15e419b5a48be92b0cad1355cb775026a8a4edd5683f3112c17a302b074e1ffa4bb7d4c7219e6d5cf5f6a27ee4d9b368be87d34df0a2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
9ace2544538a7534e9fcaca3a37a0d9f

SHA1
ac5eef4ab50bc76c45234af3849363290c1cbd7d

SHA256
8f447fc1da4780bdc67883587bacb39c24e4f53575b9b85d0fef186a08e21740

SHA512
5ee83913e9a10243222a3a058158af44a78f6c7db42418c2514ef4b9f5f15ee2978f931feb789d2bcbb709bcc12e3051d7064bda45da70070c27316ae7d68f8a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fcfbe35df11f77497ce1f44e89aabd67

SHA1
7c634c2c66fc94dad169e860f3bd9c51d3055507

SHA256
92276aa25cfe60e7d1dc84f036a0de02fdd1e42242013b6b60c62f612d1f53e2

SHA512
a60b74df5ab3e86689ea3ac2790ec54aafecce758d63da1a84f46cd8afeadf6dc0be743fb6b051af89699858da7827236f508528b4ebfe539621ce01fd21f3f4

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a168011d76593fc30fbc09c142c07825

SHA1
eaead307eaa25eda11ccafbd38842348a527aca5

SHA256
d1b2539a4010f7fd6e7438e67f85f0504ab71a21b5698a1fede082b9ec9d3ed4

SHA512
41e46a474e7b3dfd2c1e56745be1fff95af4a4873c5626a49a8d96b10079073df23e6f67e98726f9c0bbad9786c0caaac05d0eb9effc0e96837b6e53e7f1f0bb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0abc37ef3721f1e5b681e5296edffa00

SHA1
15ecb97c73a415180f18e0684f049f99318f8865

SHA256
8033b209161eeb182fbb415f1ddb395eceebd6678199acab8fd1775f40bbded0

SHA512
0980adabed2849828a796844ada51df07f5d32cd8b77b413e373e0a3b9109910e6f303fc676b64ecfdecc4d6508a1796ec4383a6d05e1c0637deadad9cc7b4c5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
eb2447c2906a847d763777dc6afa0223

SHA1
9a3aa319e88620bd5bc2d3bf96ecf4c312a83b1e

SHA256
a5664c909baadf9ba790a515c4d5e87f8af98deb05990917bf6bec59f576810d

SHA512
5bd700b9c765ec3caf0ccfbc6e45a01e786e8a31837c7153becfdd991d2845d5afd5a0edacff44f0a6d782d14073a61b165ac8ed7374baf6e400112e3a2dcf8c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9658772ee3c9935de3923794427a5613

SHA1
0f4d17851daaa09df37ea7844e675bcd60064508

SHA256
080fb757f6f927510828cd3bd8d9d9684bdbe82ebb3e84a118dd344ee4d55e2f

SHA512
4342f83ee889e9cf5798646cbf44039f24407814917219329541d16433a4f30d6b257c7c9b429212318d71c0d9cd3487bed72416649c6bbb1e80156a659c57c7

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
4cfe9fdafe66a7faf1259b8aeaded957

SHA1
98c6fbcdcadf19e5cf90e6619847770cbb3a63bb

SHA256
a2d9f14688ecaafeb7ecece08b8136a450096146fa0597bdb2c667726589e98f

SHA512
c4982039feae4fbfb11ab1d5b1488636b7dcea5f17de1d46be6130e31e4f815879c19b355a6e26b2fce8e8d2433f4af4b4f08de036b3f0a0b12d063c4d828c97

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
7e67767aaa46e0368cdaaf03f344e2d5

SHA1
b92faa2f3cb73869695b9d7da60e74b648bbf22e

SHA256
6f289bd1586fc81226445c7f34219bfed74ce5cf5f31077ee7837b040e334b7f

SHA512
80bf413ce7ab4fa75645a5d46048e4313b8339fc622a38df7c4dfa063a358bcaa11ee73f478fa5f298e471eb848349e27bdd00d11c22a84c425c315560d1454a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
60d31d5318d0b771d2178ce3d8066e71

SHA1
cffe2247ff7952d5b32a83c438c1a3db6ccb4a6a

SHA256
a9ea557dc69f5ee290e14d4ae0ff1853f79d64efa5206ffa301ca7b8d53f4529

SHA512
780e547ef2a11ac4a2eff019718d782337c0a840c44f57f84cd8e6764b5e6db6a6fa13ea55898f5b3991e00c3a706e74a65e6525ef661e383086240cfe99be4e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1009102b546d7eb7e8b0e5b518edc43b

SHA1
aad6be8f722d2f96246a10b6eebdc551b47199e4

SHA256
9ad726ae9fa97e6a1ea85d17e7e7a01f4c8cfc4ee834e0c440b26782e6a3c8e5

SHA512
187c12a8dce6f8f9ab7755457fa0506bfb43337030063517742bcd15ad9b7107332984e56252fabecf86ba476bf2634fb5e9c4603c24c65cb8f0f373f6a6f8f4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
0f100490749bae010c12c38e35b7220e

SHA1
753d8ced9d307304dc85d9de4e66b129f3478022

SHA256
2685a20b5dea59339ae48f58f230cc5ccca000f8e437c9e1b6400ee1a47fbc77

SHA512
1ef016fb2896599f7c83a128a2db2f17e4bd2aba8bd775b9314194f638739033fe7adb858f3f7611c59263ba764c02b53d237d9b3e8e9fc121e65d1ae48142fa

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
347e9b03089244fd80512bc325eff14e

SHA1
3502f47698586ca709a9ed34e28b3bb17d2359df

SHA256
409a5a1cbe3fcd182913865d7192a68b2aabff31ac7334e3d767f47e137d3ee7

SHA512
a81ccda6a67a386311a1bfea72a4a0f08e4a5de16cd72ead23793ca319f1f77eb7c667c0fd14e1ed5bf3062179a9b0ee888360fd5ddb9722c3c60f8914a1a400

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7bd9e5703520e64389f6f65770a1f65e

SHA1
77171c5db80585cd93f692d27e2fddb0f1bafc0a

SHA256
ee31a5033b626e2459dca1ffd433e1346e072444c46a661faab9d4e4f8438755

SHA512
ec27ae87162e3ffd3da8518b351c937fcdddc87e4ce95fc8e5eb9b39e8e48f20b3fa091f91646e0b48f5f98c2ddacde59c3d5a7816cce5ab9f5dd7db13042647

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
0d9e5fd50d835e62a9b925d83a8e03f1

SHA1
43450911c1018db6fec07f1ff457ff60b26d4fe8

SHA256
c303e88b72d7063808302013234637b57aabd9dcdbf81d379331aa1e27b8f4f3

SHA512
6c4919d0f5b6925a6e00a1e84d86100ba7d897ee21d0d63313ac34dae472b5275127479408c04e21cad44bf2a6db2f7c5eb7668fd068af2006aab54c9c9e38e9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
9036fc10d8a5867f7700c651c2eb49a3

SHA1
a618a956a9255d42dc7db7ce6af93d81c93cc5ec

SHA256
e210136b83ed5175ef18220cba2c17d97f245928e811a3ce00d9a9741483492f

SHA512
f06f5496e4c7afd4b16997d7f102c09c190d35752fe3be2535325dc6502fafcd008eebb4ef4f082b54bd3857d8ac7968076cb41acf766df3459fc62fa6fde22a

Download Submit
memory/216-205-0x0000000140000000-0x000000014017E000-memory.dmp

Filesize
1.5MB

Download
memory/432-308-0x0000000140000000-0x00000001401B5000-memory.dmp

Filesize
1.7MB

Download
memory/464-305-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/804-309-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1072-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1072-662-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1072-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1072-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1180-22-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1180-13-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1180-658-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1180-21-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/1268-302-0x0000000000400000-0x000000000056A000-memory.dmp

Filesize
1.4MB

Download
memory/1292-74-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1292-83-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1292-80-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1292-85-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/1520-56-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1520-50-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1520-203-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1520-663-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1536-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1536-659-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1536-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1536-35-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/1792-310-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1872-664-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1872-311-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2264-45-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2264-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2264-61-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/2264-39-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3232-306-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3412-204-0x0000000140000000-0x00000001401A2000-memory.dmp

Filesize
1.6MB

Download
memory/3416-307-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3468-304-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3468-655-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3636-373-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4020-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4036-665-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4036-372-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4608-8-0x0000000000400000-0x0000000000F97000-memory.dmp

Filesize
11.6MB

Download
memory/4608-9-0x00000000011A0000-0x0000000001200000-memory.dmp

Filesize
384KB

Download
memory/4608-431-0x00000000011A0000-0x0000000001200000-memory.dmp

Filesize
384KB

Download
memory/4608-446-0x0000000000400000-0x0000000000F97000-memory.dmp

Filesize
11.6MB

Download
memory/4608-0-0x00000000011A0000-0x0000000001200000-memory.dmp

Filesize
384KB

Download
memory/4772-88-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4772-202-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4848-303-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download