da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
Size

695KB
MD5

551d241b6d4195839ecdc1cfe8fa0a1c
SHA1

7d2f7d06487cb5a21b9d55b0d2bf8929dd165eb5
SHA256

da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9
SHA512

14b9db2c55c9994c6e09682c93a3f1f56a75a64f9874cbb6141d33ffd6e7770462149f0491fd96f8295691d649c9457bbd1e607ad9284d15d0e34d1999ecac61
SSDEEP

12288:ZAiP7SRWKrQhzVA5WyBzced2OZ0oCQ576ohkLd4d783nlMEZuC3yOg9Aj9b/u:ZAi7SRWAQhe8yBIVODCq76ohuk783OER

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2444	alg.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
5092	fxssvc.exe
3044	elevation_service.exe
4836	elevation_service.exe
664	maintenanceservice.exe
660	OSE.EXE
4988	msdtc.exe
2576	PerceptionSimulationService.exe
2976	perfhost.exe
3780	locator.exe
1588	SensorDataService.exe
3252	snmptrap.exe
2504	spectrum.exe
4964	ssh-agent.exe
2944	TieringEngineService.exe
2572	AgentService.exe
976	vds.exe
2180	vssvc.exe
4800	wbengine.exe
4056	WmiApSrv.exe
2060	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef1259441ed82f9f.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4084	4724	WerFault.exe	80

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000707e0c8e9cbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000511a298e9cbfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4f4028e9cbfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004e6a188e9cbfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2852	DiagnosticsHub.StandardCollector.Service.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
2852	DiagnosticsHub.StandardCollector.Service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe
3044	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4724	da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
Token: SeAuditPrivilege	5092	fxssvc.exe
Token: SeDebugPrivilege	2852	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	3044	elevation_service.exe
Token: SeRestorePrivilege	2944	TieringEngineService.exe
Token: SeManageVolumePrivilege	2944	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2572	AgentService.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeBackupPrivilege	4800	wbengine.exe
Token: SeRestorePrivilege	4800	wbengine.exe
Token: SeSecurityPrivilege	4800	wbengine.exe
Token: 33	2060	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2060	SearchIndexer.exe
Token: SeDebugPrivilege	3044	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1852	2060	SearchIndexer.exe	120
PID 2060 wrote to memory of 1852	2060	SearchIndexer.exe	120
PID 2060 wrote to memory of 2316	2060	SearchIndexer.exe	121
PID 2060 wrote to memory of 2316	2060	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe
"C:\Users\Admin\AppData\Local\Temp\da1e8ee0565ef5c40ab871af5d5841846f8c4d65efe45c22f71e8934ff75a8c9.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4724
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4724 -s 708
  2⤵
  - Program crash
  PID:4084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4724 -ip 4724
1⤵
PID:4916

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:632

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:664

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:660

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4988

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3780

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3252

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2504

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2760

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2572

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2180

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1852
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ba058079a93ab82f917baf53db221c50

SHA1
82de4888b0c2e5c5b8c75c84ec769906d51d11c8

SHA256
b92436702004e66937e07bb54cd5e782a61f1f0060a84a6ab5409dc58ffdb643

SHA512
c81b50966223d409e81a8e85fc0927d2b83756cf0169f83a07f65eeb2f237e74263877c6ccc329775a1bcbf5831202edc2ff6efb2944cf8c6a04cc75f366c464

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
495b144784460da0f832fc359efd2ce2

SHA1
6b02fff113f37074014bbdff93a1090e4f5d631a

SHA256
9448848c79ba4f7d5cf0038bcd58ad8d45f4102abae21266797b36c8951f2fd9

SHA512
134bb5c89dd45ef5c58021526f096e478587e0eda5ff0954ec652f376fb850fd3fa32ddb831378817e8a4fd5637e78fd0715c1a9d550845616ce503fd614265e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
eaa31c758b19514f71b1ae0f3ffc68da

SHA1
1b47e39b3f8653aa7137fbad6ecaabc1018e2a51

SHA256
ae77eb27b877b9092649a91dbddf1bf29d07d4b8135895cd1c8a0981c951a1fc

SHA512
ab555dd85f57669d3a71befa1b2f31124cb048c41ce8e68603634b7a9fe1535b4d6e5770c2d0c0dc726cbba81e9830c7ac9ae5d39ccd55460041a22a5f649a74

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
506380263300b451879da85617b07308

SHA1
bddf9cb6d51fbc283a0177a9b5ada329f821c2b9

SHA256
e67d739b36d3a0ae3d1e7db12eb9f427946b5b86a267339b496e8e04451bb45b

SHA512
ca250a5c3fcc94c74ec68f184574e468a8561cd2c23880470385059b7629d9bb0c19939c58e8c88734402ba3663fc84c6b7d4b248d8a9c204ccfdbdcc385b533

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
531f0b02a519c52cceef8d900e138c4b

SHA1
ebe185f3af0ec771b7cfcca735e229a2c8b69941

SHA256
8c88a6b6e96c58ce381f56d476651b44670d00d7412038fd4649caa3df41062f

SHA512
400f6f2b615ae4aa14d03d9b6bc97a0a3faf4bff96ef50477e1407914417b17f2f0d4b39655e524ba04f41a6926aec2428aacafbb7aa13fc95d1e6d6cce362ab

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
1ea2852b2288ab8664062cf6a4ab8dc6

SHA1
ca8cc9c646289e9412e364f09ec4c8481a0538a7

SHA256
f53390c68858e9b53464d50a40b76234eae68a0b56f0aa1de3a5dd8c7c9f7a56

SHA512
15194027bde4d8381107aae0ae7238e2aa7ce67b160c23f7c3e8cc3ca435c4c89319857a84568883541ca9fa811fe810c43a4a84f2a1e6edf97cb43f0df79b63

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6ae59f04613d0faa3a0794e676306d3c

SHA1
bb674d8cc7bbc16f2f40a343dd01a5cdfe507d64

SHA256
fafe52732dd1941524b0505ff87225935c7073c9139336a122b993508a92094f

SHA512
d30068d4975e5748e642c0e80de430bb97b948ba31799ef7acc57dff262cb9c6c98f98d308dd03d45bcfb3a98da614964f5a74fa1a893678f2d32bf5a7b6b562

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bb64cf82f998b552d02e0cb7573e78e0

SHA1
38d51df6597c58bac2b70e08ccfdc589d306b762

SHA256
625a6a912967ba1e2c7ccd79af3ab13f8cfb7a05a9c7f23e3542b3d605f30cd9

SHA512
1672c27a01420c0f0b34637d94a24cd89b5ab32b44dd16cf886b938bad75d0cf06ac226f24cf2e33d3104dfc84bf352cd76ce2e02bdcdb8528a709bb015cf727

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
2dc1cf4bfff17a665663d1fd3f310d00

SHA1
2678c61bac8b18aa9c7af44673fef381afeb0545

SHA256
8d82916e9ece4dff28e080f5fae7fbeeab45133094d0fb8bc8b6aec23c945eae

SHA512
aa49d14ad0605db9bb00d4823eebcb092406e891868fe05889df9e8af2a28bf6c451b5ab4a453b0d083ca85214371f27ce944bc2989c1f5335a820e4e22b3f2b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b677763e4153b80912edcf292064dcd2

SHA1
60734360d2defab72f8c3013538d13f74a564c15

SHA256
28328041155ca25b300cfd0c60b4a9a57687af20e70cab32993d0214531babf9

SHA512
d3dbd7d4c97092b2f54743363b4b245877f8be979224fe706dfd2b0d73e12540f081a36a3a07e67e18233abd69a16cd9f0702eccde24c54a0b722f6a3aba8a19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9ed2ebacccf20a0d84b62a085a0a7332

SHA1
68ec365e37619910b8691b3daeb8c55c803a80fd

SHA256
61f158fb411e96b7b402542654475d0d2e7393896200ed8588264bcabf15f979

SHA512
7c679ce4189db6ef89d396b754373d47920a2a789352b55330932f6ab4b762f868b5218ec81214827dc87cec9656998d941d0d85e2d7eb8f2133cedb52e9ba27

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4932ca821b1b64031e2b3156bb06497b

SHA1
341f43e62856244612ed7d9975c510144f4c38c8

SHA256
625a62d82d85f52b645de16f719879f87217bde5d431ca5ac92bdd4cdc9820b0

SHA512
8e8556e6a1ea9ab2d84f2cbe50c6fd4e785d4bc9a7dca7436c860841ceab265a71d89d6544264511d574ebac037e64f174ad5df137a0e986797a7bc78cf1e8f2

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
092e42892883e1ae26573260cf2d8b0c

SHA1
49232cf1055376a0652803cfce98975ab1f45359

SHA256
972c672937555996ccf2f1e2a1e0030aebdc3230ca55525d94b6dbe076e47db4

SHA512
d889ec9c81028e4d159f29a596fd9acf5c1e66508dd56d323615d17ae4f908c07b998afde16b5a3786c3090eb0beae665f76f0f4414e54b9eac404fee3427d9a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ac79ddb2e6ec97ee4c509466cedba625

SHA1
d1c53a80c51efd6daa807410152811c41bfb1aea

SHA256
98805ce9a865c250f4ad5a2915fdb0dedc258d9628727b06b9e86cde992f3489

SHA512
51a907072188e0a51d8de33822303415efedd794841847eaf0a1faea2ceb7adb14c1d957a181bf80d831924b9d45ab923890ef5e76ccc3b386035ac1ec7d1768

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
462975031060bbdee73406e0c23afa5e

SHA1
067e28e0c83f412b77b142d91a9bf286a58dfc28

SHA256
5bb6462bd543ac504a0ee0aba1c0107654f8f50fd0eccb9c13eb20188be92155

SHA512
18e64fb395003a84e1fb9b85814d9191e236d2e75d8f030b2027a6b8ef8008037f894c847fc2b10851237eb17c5fad6957b16b9c169c3aea172ea47d2d9525b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b81913fe9410f9c73717ca294f40ce19

SHA1
a43453d70087c2836429676a429056a1e5535e4b

SHA256
a8278f14f1756a408174a6e2d9284dbd8c88210255ea4bb9df100a7b81f852d6

SHA512
b3b487d29aa402da01e63a36efc2d15f1e139273cb012a19be6786dc2a0c62f63026b7cbd222319cabdf5a9328f2e90a550dc747c15d7cb84f172a16dc4dc78b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
9634248640c009588c96ff79ad7b2889

SHA1
ef88da62e413c98b5c5b5807379e34b446f5c3c1

SHA256
b92b11feed086d39eac8047875f8b09b8d320568894cdb8cc30dedf8be72e772

SHA512
e21d99603d4a0276982014a1c2858975d6c86962b675075a2e369b7c50de6b0d5dc82871e304f72976fa574f2ad2eceb27b4673c5ab250fd64624d5579cbba86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cecc7d239e3777441ee99d3ca0b5ab5f

SHA1
2fa6df51a8d7b2996dbec253405b7f8f77308cc8

SHA256
37d00526307730ac0d5995428a54cbd332c1f9b1f3ee25782d18b81100aee98a

SHA512
10f608e5b1850e9ca217c2ac276300e8eda65a6d50c86850ad44f6e34096f1ea9b5e00eb4cd3e2c19c1f34f0f64299dcb2bb6a6ef7fb2198089820aef833440a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
1542964387554222b9e4f4a222c82224

SHA1
8784c99934e9c75a0b9224f88fd932b651b94403

SHA256
caa125f47a0bce0d16c1ae7f4442d5bd6724dd982fba1ac42fc9a41efa79009a

SHA512
500f7f2846da3abf7cf76e035f7655c7ec6285b735b71637f2588898f9b7badf3c642c46385cc3eade2bb8939b0081ddbe67f39c1c917594fb6d495889b27ed0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
4653c9560217995ef7a1da08642a0ada

SHA1
09550b04e4e2d2b56cc22013316fea612051b528

SHA256
8bbb0517e4da234dd89490fd3db20132d9c8dceb28c66ce5ea6ad5a71182edfe

SHA512
782c4e2a3b1d37f453733c5c5acc308126b8c156d058a4f3bf4e25481e6077ea552e3695087b7a55eaf8fb4c90604c62219d4d33d0301a86af3187dc9d7586e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
705ff079b6e87005b1d3793b1823e703

SHA1
e7bd18056c7daa5501cf93af9816e253abf46583

SHA256
0bb082ae67e4e5c551eeaabe4b3ff2971297abe42ea4ecdce35cee0d78fadc0e

SHA512
a7444a288dd518468f1fc9822b7aa1d73eff1e5e3e38314f6f7c2b04d4f15a7893e0348e98dc9d2c0aaf2b3270ca722f6ff1015d8998abdfb57d8d9a33dbef96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1af43149a964e826337c6c148ac18714

SHA1
bff3bfb1051cee60e9164b288b0fba8074170134

SHA256
63a7805b9bb9fa72876f396240c0201be561d4e4857d9db541c4695fccbbaa35

SHA512
902cfa2ce55eeb2d05fa64b7f5d97a2c300f30dd18e22b9697f4b8490f8369a531f7e8eccaba0ac5c465a7a0fb2fb27f16cfefd2300c544ee02a5087b5380902

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cf278b5b7bc2189e0dcf55f0c6c85f92

SHA1
8d7a6de5430d0b4c8e7fa9a3f0f7176886bcb396

SHA256
32d762175e7cad2d87737e9a9328701062848a8689b150209f06866bb991ee32

SHA512
a2286e00af17054fb0b3dcce7c9fe215da987955eb57ac46b604c626d93fa6adc6da8118480b8deb675087ad2b97433fcd314e6060cb58ef0fc25e6d36d4b332

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
a09be791f610045652d6bc4d2c904552

SHA1
b58ce8e1d021d72b0cbaf68d7e358fcd8b0bd81c

SHA256
268ff584300bb4c6a11ca4b7c6fccb6de7bc0ec03ec026d2a8eea35ba138dea6

SHA512
53a23c54551c7a1feeef91a2a67def1cbcb2e69699aec2b90d0af348a64b5863333558d64a439eff766dafb96d75cbfcc477677132df8e32aaab2a1b6b06e840

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
97277ea4837c66304a6ae365083d01b4

SHA1
c888684b41b590bf3cbe252c9f23cbd74670bfc2

SHA256
1cdfe096ae530582172fc3b371e6f7e7e97d623b193b5db8f9b9ab98c8afddcb

SHA512
f7fa45c4ddb1bfe628d34c899634ad85b7867bf10ba4da43cc771ca9369aacf5d521903228b02ad313b276d055fbf76016ee474a60c471d5767a93c766ef864b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
60e8012f395559ab4f0d63e0da7b57b2

SHA1
626457460a955a83978508ebf28fb9ca1bfa8e70

SHA256
e37b94da9d17b4370feffa366df0c85884d77be54422e09ef27137ecb618f2c2

SHA512
42da07d33145a713685d4300bfc9a81bf42282af27916aab92cae3700c906c0f55a1870ae1bb5ff0741b7dc30f8e0d2160a2b372ef3f0537deb334bf209b36ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5dcf0ea82065291b59c8ab1506c82015

SHA1
0572535ff18b056447562d5ff9b7a1190b365802

SHA256
a3fb92665b6223881adafdcbd85f08cb521f30262920844521f082406621d89f

SHA512
9ef277fa75cc67470a799dbd7f75b93ab63e4357c835b8c76679afad176cf5b2440bc64a33b1e1e89222998d1845e6273994e944ee9c03f2c86aac547c05bb13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
38d914ee56b7067043442882fa3f627e

SHA1
f217113f7b30f444c82ad92f627da00bb83f6110

SHA256
b7ffdf3f33e61f695720d72eaf5f8789c8f0a5f185575b54dc11337cbcdb070c

SHA512
f275e9c7651100e3d5e174475ba90148511e4656fc6c69b23c6df42d2dad461eab32564d8404ef9bb97742e482852e8dbfce69a2ff60425e6daa6d60d4eede87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
133c7a993af898b8446ddd093f472adc

SHA1
fafb749d1a77a5ef844aad5e174a2ca4590db7e5

SHA256
c166c6b245be003077d0e5406da3c5c9974ba9e463b2c48f41f1b5ed21de0740

SHA512
25870423e726cc18e6458cd49bab5fb1262c4dbd97a5b991431fc3d54fe7d576f1090a4112c2f07f200e5c234bcc041199d5f1f8083109574b5ad90def6f1002

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e8588fb61cf5782805eae54757ed27ca

SHA1
fdec74bb8b5754ce17c0741c07111f65b88ea0fb

SHA256
f7c393819787656701f84ecb6490733ac9d3362c9bb790fbf44c9e10a5652d3f

SHA512
e68eff60c944f80f9caf492ab33120e3f6b83693f5f3bc9a76164cb9b659fd5bda1a00a25733f3bf66ef2ed6087de2fd1de7b6b6f3ed7a0d4fb33bd6337a0793

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
c1ceb971e7aadbef0a99305c0c4922fb

SHA1
b5cf9b8cd99e8568e1fb4fb31212f34949d8c702

SHA256
8a6e3d5da6ad09b45a1d0be8449c06e35cc9bb6576803590ce76e417a75d117f

SHA512
d0fd0a71ab78f18f7243d26a61690098cb000078b28c0f37f6834b1bfbf9fd34cc0f198c7f4e6c2d12610599183e17e00065d39b5c0db0f27f10e9ad3bd8c1e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3119124b76b67adf3821075119921126

SHA1
b72878f916248f08972c1efaaf2935da869b3516

SHA256
da9c9f5e8a61ecedeb653069cbd56d3bb252f0ad98a75784923fb7542bc895e1

SHA512
cf97a440d5383bd967d4d90c055e8f5b874580af1d2122a9c31234c73e61804227bac87684bb5e7fcdde5535e11de55beb2fb7503a682bf697b4104d8d223641

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5d5ed35161d637ac9952a04c4b5be3ae

SHA1
bbcee008e4d14f8ea76a5fda14bc24fd31530f6b

SHA256
30b6fe310b3e8035b669b5fdbdd58d301da902fec9ff380057764b56fabe7c8a

SHA512
4fa919690ca84cf031f5e94a18ae3ee2c74bd6b378bf30a8afbe07db950736a8c5662a710b31d8dbb66ec9a8904612b67a09f17ccdcbd755c8e266919a6b6788

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5bd35e89c6567a11e04baa08d8b77846

SHA1
0113e54f78743de7a4ad3883f6bc8e2af9a4eba9

SHA256
78651cdee981058d34e4933902553f692df6128e1d1152cd3735a295dc6af05c

SHA512
2f5a43ebfcca6dff07e554ae6f67441551ae97f0091017139a0eefacbbc6c55e7fd4eb62ca769d19317aa252c7eb44a8aabe050855e0793363f2ddf697f20204

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
3c46bdf4a11e7eefc9792aace9c2cf08

SHA1
9290a3630d3fd358266d9939c06507d1588aeede

SHA256
668454259f418c166bb55f8f917eb4879b07cd1d1cfd7603421b5ccba31ce512

SHA512
58e9686d8b14034ff2f00ec4b663700d7160c017d0fae6968d2dd5127ee82fd1adf668e1758c40c4e08a135cf2efa236c331c401fc5a3e2b1261b8151e78939e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
c466b76b4ae633d6b813c850f33111e1

SHA1
553b438888f65ac7421b7e63bcb3c9c439b7aef2

SHA256
4a116f1522bd5d23a4e4347dbae5ca8aab8027709e7efeec3b1f6b0fa2a759c5

SHA512
84b66c9d2e75df10dd861ea70f34513eb1b4ba8389c6b2ef66301f35d539a16180a04971c4d37b0be309daeda38bdcea4e875425748f2298f1e12f139fa34076

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8c734e546efc57de234661eaa30e6e66

SHA1
6cdf5180512b1e99cbeb6eb6ecc875a1f143dc26

SHA256
a43feae03be98069b643cf67401f8a1bdcce7c8ee09530ace521cd55d30c5e90

SHA512
bacdac816a7054e928af757c407792f175daffcba3b7f5cf43571a953e4907dfff390f0524aa655beeb2878711565a72a962a1682257a440f21fefc2becdb6e6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
0a26a5533e3f56863c41876b6a081384

SHA1
ccb0766592f947dd9c3123a3ce4217468683b586

SHA256
459161ff978ddf2cc2260811c7ba45711b26b7ca834756ceb88b7e2eaf0c411a

SHA512
6dcc55b4aac493a0968598d91765e6e6fd4ad59e8531220ad79573e41b251124c7f99f95029b9ed11072b582c16ec752d62ad7deffefb85092a51454c0dfa213

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
d6383fccad7ecf6fdec84bc7ff9ca97d

SHA1
0a49080094a813fb5c9617e4b77b92a4f75523b5

SHA256
edb1d6f476e9444f0270d4748e04f35f50db1caaaae0c188bb7359e8a4da9e6b

SHA512
bfc6abb85105f46585b440c31b0cd20b65c7da23aa31415e67f69605f9b3fba783afb56e549f3b3df81d16241eaf676687f8ec24cc01a95a9a1887e5faec52d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
e1bc131c93a4c1ab1a4e886a517b5e1c

SHA1
789d6abff7e6441dad570456457c5f10c812b7c3

SHA256
b855b5920dbfb4485f715585002976ef669906dacfab181a0e694a195e4686e4

SHA512
2c1481f6c5f2b384427d7d30b75b42d13293a0af0f94727af9662e77a322daf3c548120579a795c86faf172d76b76d5dd581bb0a27875f1ed5888c463c899ffb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
9b57c5c176c4693daff88908d1db1de3

SHA1
090e0bcb2bb797962f150fe03c4d593c570b8b3b

SHA256
e0f9c5e3141716426f2ddab2a6b62b4259218497940a501e9a9e7ff52fcf1246

SHA512
d92ee3ec4921893df923d24d559a2572d6864c3d56c5bf17b408bc9c2c7cf6377e95118f032d4d760878ffc83f17f162b5f6304aa00eb2c891f2fe3f93d00858

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
cc4d0e8da8b2c9c505a67abf8d2486a9

SHA1
8d7ac63f09af075306d2cf3a9a1c96cde480f52c

SHA256
b3d7aa0f9ce1f0f447c4b133f1c3f582f53caf575cde164ac3f9a8f0e4a634d1

SHA512
7c38959f5fb07c442185d43b1b74c17878ca0853255b1ccfb1862ee6b326e8a53c1278470b354f8ea7f67671dcc570a80d52fa1e059583a048e033a6994081ac

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
401e96327238205b650b44ae167b1eb5

SHA1
94c98e571fb91d27d93cee4328aa4cf20612b10a

SHA256
5bc8b534ae067ebfc3c1840108fb8bb4102c2435b62cd8f9266ddb45e4a424f8

SHA512
759dbee82ceefcc7838aa1157ece259ca0846b7ba981fe984b5be9e1c05168b18eb70831629337e9d624b1c2bb7280e1887be37d964b0e3c9e1e1307c120ae3c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4d5e35b6b52ef7cb24bc36353abf0fc0

SHA1
64262e8af8690df9fb229a198a4dc7a7057ee1af

SHA256
369321e60cabc72a5042d0a13398581e3c710eaa5bbbcd999e470a5724c3d289

SHA512
22d717e2adb0edba68b2b6eb8798e104f157544dc6acd59724f8c7d4c4d15d3ac2ba0f49b100b2932045229f8ebf92323b37d3cc1069d259baf930f956420246

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
de5e4919ea717feb101ed4f4bbf40548

SHA1
9916988c3839cce0825088d0bed4ee2f0d46989a

SHA256
d7157dbb65ecd41d5956cc2bdda8c6a5028f216d4e1fb9fea68dbb0d63c8404d

SHA512
7f31f627bfc287aed363c4863b79ec7d923ad679728d02fe51097a34561f5c725ac22630cd1c6a2154f637a33a86bba6808917af31fbfe0f5b1a39fa636b46e1

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
bbbe13737b66d9200d3be510c36b3143

SHA1
340ac93fa5c81716267d9086b42805ca4d657740

SHA256
97c4b4b51f23a17983f50f569649f7099a2e89920961859ac272f2235328aeec

SHA512
de5549e97d79d5d35099285f70e2bf8234dff90beebe8996511236488941b9a9ac879fecd136689082f11237dc730e348f730eee5643b528a78324614c7048d3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
93830df75bc94cb598f3c09d545838ab

SHA1
d844fe7bc5fda8487d2a9469b84616b638d701e3

SHA256
036483b0deae833d88f0bd75a0f8f34465e295fe04ce4b7cddd9978235999ab8

SHA512
98544488126713d780a61c1aa129c30fa929b6502624c6804ed0b89c3ae4346512be56f15c2c4668edc686c39089d47fe0ec88deb68509509b7f0a4e78924d09

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
6a138ef10d98a5d069b312625060560f

SHA1
45367c935ff5082badf4b22277f1c205ff6bb4f3

SHA256
c2f45fb873710705c371a1289d2b2735ff6ec34f1d51b204bbc3a1737d5bca5a

SHA512
590e01d89d2540839c606ee6d071b420e568380b756944b5440f03a32220358fe0c3cf6eb45b6124cac0f87e885e5d77089d91cd06a00512fcc1d9a475565d7b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bd53974f2df9613a0a0364e56c88a49b

SHA1
f08197a75a872820657170bca543c93098b393a1

SHA256
b3bf13881cf2b19ebd1d5321ef0d547bcc5812c0ea0bc897aa79facf8dbf5630

SHA512
8ec9b044fda008b98d5dfb52cd7de07d73a65a4a92ad33042e9e2ae9d0eaa0e3209dae8ce0fb392d7d3b9cb34ec9e11268123a2f6ed34959eb5b78b50fc660fb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
cd93f4e9ccd6ccee24b607d2bff26011

SHA1
12bf631bcc85b8903eb69ca70180961a0c24b89b

SHA256
5433680b96b2646842099cbca802a5968c0d78631c5abef1a919ddcc1387a250

SHA512
e18f33dfd80a9ffcfd04158ecae689963a716169b2ccf1c518e19a2240fcf74c04b2ea59b2e719613169b417a4ceebbd31cbabf45a7ceec61efec7dfd90f2ada

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
253c1a4e51e1f5b7c63b1d17fe288a29

SHA1
7f81d7d0c622c81eb9b65fc28e201d6f08b36705

SHA256
e7f8026069991c337f8e0ea2b18842312ba634fcc73ef8c294f07b3431f28c5a

SHA512
9d46552a73e5fa9afc1cc8c1e2ffb3f715b4eec836420f8b4011124c44183707e77c51551c3b5d32e5254786b439bb3f9d3ec41231fca798b90bec4b1a21bfd2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7ad54f2d05818faa1b990f82d76a88ee

SHA1
8e1a2d8b9ec5b75ed2d32470c96adf1ff2be7de9

SHA256
ec4fbed7dfdc7d60b109bef4e60b00c52ffaaec4d9c08c7cbe63fcd698959e8d

SHA512
6f0eb70ae0c1f2e246c2f235c081f576604f43dae4b0bad3a2a69f70c87eb57ea335d6db68e2fec04af7fcfbfb072d98cc444ab166d990192745f6e684ab7cca

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
44dc2811ad6ba0fe65ce3cff48d1a792

SHA1
0c53e39d9dbbe3db70a13472aef0a9b747296af4

SHA256
a28ec39d868d46281d1254a92c6f5d5bbfa34ead0b2082ab3c7ce8043ee2f9e6

SHA512
8b434ad53f6e6a308b52f2122e57d0c2db03b2b8e4c9ec49bd233e40129823e35299bc976fc45c0153d6171a4af0e59dab9b2372f4c5fcd5444ffa5d8d005dff

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
139e7bd46d6762fa930f8de1b78cd190

SHA1
532451c197ef40551c8e50ac031d84fbe3286fef

SHA256
6dfa169ad0915656ba56c56f7f2cc816e9b1803cb473ee47859b7008419535a5

SHA512
b17d0f1db41700380ab5d2542da9c0d2ebeb30ccc239de6924c5bf1313f4d31a75553e13bd58716ff0657bcdbe9518dfa3686b1bc7ddadf6676d2ba364c5941f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4f15aa97044732239fc63ad121d65c73

SHA1
7ed083d3e19431266205db1a77cf299e80714795

SHA256
f551b39dbc6f318f653c3f66760adee66b979335336b01326b89a22e8a7236ff

SHA512
0ca4a3b852fe328e1cdba77b976fc43fe21ff40990bed46cd7348170271c0633c30e5d113efcab0fdaddd66878ef5cc1254c1de1f31c9055e920804c5ce95166

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
a38a125d893cfdbb604cee48da6ce704

SHA1
7c80310c30ad427788c99d30b5c5b383bda51f53

SHA256
60eb1553006d565caceec91936830409cde92b1ae07b5323036ee56b20d34dd6

SHA512
d82a1b5dc56a779b25e425580ad454f387c4a0d35b98bece48377ae36fc03e472313047f6de998f666e976502ed9605543d39d898b6656d3c930309db7eaac66

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
43ce8b3f12f71a050588a3d5a7df091c

SHA1
4bd932b77b8effb1f9331d3c14e1d3f143230209

SHA256
30e2c6b26bd33ff4691eb62f189560eb3e1b3c5e6f4eceeff7ef85e1311c4fa6

SHA512
9156de85bd51c6298545bb737f4a1e40f477fe693af857ad795fd24c3362f4655c2dea412202273a3d2b382648ba692b909f84f7f620dc9dbac2b1660d2fb829

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
3767a7481e8f90fd88e790c95bee795e

SHA1
fcccb34240ee0d4fee44bc97b1e81fc5befccc60

SHA256
783fefe34df39b51630acf2ca8170aafcc8cb0607e08fa6eaa409bdf63e5f569

SHA512
cf6a9c02e331492e03e246db4a04275d670e03ffdc25d11a3d95294af6822f375d6153c63fea0bbcebf40cfa205ea9778f3060afb32031d69b2a0954b82b5ebf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5b4344487d2aca2ea2b66eabeb14b676

SHA1
7b7642257aafd844e1fff023f3947641248606aa

SHA256
57cfa6cea20f94bb942253c2d1adfe2a983b70d9e491c4c1096ccc70e069ee8c

SHA512
855754598b30b8586cb4b116d4623f93a754915bc6bb37e6808fe5f25f10aa55639f0deda8f27a8f558d43a9ebc04b31faff74868d9c8fbd4b774ab15fa6803e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
76d51ba8548ae56a10a9d121223aabbe

SHA1
871985c77471bcfbbc5632b548c5a80382ad5852

SHA256
10f1b87d5d61820ccdc7232f735dc7454fd06a3ec90879eedc87e49e45de88fe

SHA512
6f6ebefe3247ca3ce6960de6c8c82594c6af850f7145031adc2224d52d5036b113aaf407d80134dd8ae29cf5c623efe4702c6e9213c32bf1ac723fab9cbc6d61

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
4d4e215adce6153f9abe94a7a3fd196c

SHA1
7629fb8ddcfd0ee9045ba15f52e6c24f95e383d7

SHA256
a8ce7acbb8902d3f119047ff1390815c745a1c72da5cb0643ff99e63f24140de

SHA512
2aa88a49ca499442673deadb5acc2dce3ae7a0b75fa4074cd3b43c85159022efa04a595f16981a9984f777c88614c079a6bbcfe570909674751c8836e62ebe36

Download Submit
memory/660-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/660-75-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/660-69-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/664-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/664-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/664-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/664-58-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/976-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/976-566-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1588-561-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2060-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2060-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2180-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2180-567-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2444-240-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2444-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2504-560-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2504-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2572-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2572-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2576-261-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2576-323-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2576-263-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2576-255-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2852-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2852-241-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2852-23-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2852-15-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2944-563-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2944-312-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2976-270-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/2976-327-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2976-269-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3044-37-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3044-244-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3044-36-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3044-43-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/3252-286-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3252-492-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3780-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4056-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4056-569-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4724-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4724-0-0x0000000030000000-0x00000000300B2000-memory.dmp

Filesize
712KB

Download
memory/4724-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4724-31-0x0000000030000000-0x00000000300B2000-memory.dmp

Filesize
712KB

Download
memory/4800-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4800-568-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4836-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-245-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-56-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-47-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4964-562-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4964-301-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4988-251-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4988-319-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5092-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5092-88-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download