ee1f90d4fa807b902c4271b60b568ea5587f4fed6b074d452068663a6835ff7a

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3bf3bc997816fef7d229c45e931c448.exe
Size

2.2MB
MD5

e3bf3bc997816fef7d229c45e931c448
SHA1

5fa6808cde89ef00b6109f7712f20f90117fef64
SHA256

ee1f90d4fa807b902c4271b60b568ea5587f4fed6b074d452068663a6835ff7a
SHA512

d5705b4ca1bde3346422346070ab460760279591c2610b202525570daa466e562719a68b3a31c6bfcb3024441f00abf3dc319ff11403d34ad8cd1a1682975986
SSDEEP

49152:XOOh3aN4kuLbegmtGxXvYMLprznyDSga9:vU4ku/ctuXvYCp3nyG

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2280	alg.exe
924	DiagnosticsHub.StandardCollector.Service.exe
4088	fxssvc.exe
1944	elevation_service.exe
452	elevation_service.exe
4968	maintenanceservice.exe
3732	OSE.EXE
4372	msdtc.exe
4968	PerceptionSimulationService.exe
668	perfhost.exe
2376	locator.exe
3168	SensorDataService.exe
3520	snmptrap.exe
5048	spectrum.exe
4708	ssh-agent.exe
4284	TieringEngineService.exe
2708	AgentService.exe
960	vds.exe
4928	vssvc.exe
3568	wbengine.exe
3108	WmiApSrv.exe
412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\30ce9dcc92844182.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e3bf3bc997816fef7d229c45e931c448.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e3bf3bc997816fef7d229c45e931c448.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e3bf3bc997816fef7d229c45e931c448.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e3bf3bc997816fef7d229c45e931c448.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e3bf3bc997816fef7d229c45e931c448.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96406\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e3bf3bc997816fef7d229c45e931c448.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eed88c699eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005785db699eceda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e11469699eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000052c579699eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ee2c1f699eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000e794c699eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef0175699eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed0237699eceda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048d6ca699eceda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
924	DiagnosticsHub.StandardCollector.Service.exe
1944	elevation_service.exe
1944	elevation_service.exe
1944	elevation_service.exe
1944	elevation_service.exe
1944	elevation_service.exe
1944	elevation_service.exe
1944	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2640	e3bf3bc997816fef7d229c45e931c448.exe
Token: SeAuditPrivilege	4088	fxssvc.exe
Token: SeDebugPrivilege	924	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1944	elevation_service.exe
Token: SeRestorePrivilege	4284	TieringEngineService.exe
Token: SeManageVolumePrivilege	4284	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2708	AgentService.exe
Token: SeBackupPrivilege	4928	vssvc.exe
Token: SeRestorePrivilege	4928	vssvc.exe
Token: SeAuditPrivilege	4928	vssvc.exe
Token: SeBackupPrivilege	3568	wbengine.exe
Token: SeRestorePrivilege	3568	wbengine.exe
Token: SeSecurityPrivilege	3568	wbengine.exe
Token: 33	412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeDebugPrivilege	1944	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 3360	412	SearchIndexer.exe	113
PID 412 wrote to memory of 3360	412	SearchIndexer.exe	113
PID 412 wrote to memory of 4460	412	SearchIndexer.exe	114
PID 412 wrote to memory of 4460	412	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e3bf3bc997816fef7d229c45e931c448.exe
"C:\Users\Admin\AppData\Local\Temp\e3bf3bc997816fef7d229c45e931c448.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2608

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4372

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2376

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3168

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3520

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5048

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5004

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4708

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3108

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3360
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
eda0ea85ef91649851a9c88d3f60fda5

SHA1
2f545511aaeb654d054fef06e9b3000849543f4b

SHA256
e128ccce68ff014c85d58b2a17370c09093ec0087d12d76183e37740bd06821c

SHA512
1a4b28c879f3ed1cdce418dc87a16902a83f006df109a230a1f4ce38aa03c885f6b9270880ad396a0f8c165dc8c9154e97022f326ec136cf5020ac33bdad99d7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
2c3140fc5c7b84ea96d638aed92013ed

SHA1
0d2c1cd9f0ed35530b386e629da562c689a43ccd

SHA256
187848b0318b1de2530e1dc242b2013ac9b19f5a15cfe7e8609661821860d375

SHA512
a861fdaf236a9d2a4d34926d63a0077aabab2cfa80129f3337e38cb8609c0c1b837b64d1cb1cb6f0236f9e54ff7293bc408d486a0b9c3d7fb9b9d756b2a838a5

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
08292ad854cf88fa3bb211990acb0684

SHA1
084b630f96fc666755bfb8f6c629ddc3aa26c4d9

SHA256
f7330545b74f5e6a43b4ecc20537896492ec2658797d905110ed835223b15415

SHA512
cbedb3a66dabba55566ad1999767d8abf9a1b277c105e5660d7d42c43649df5b95cf3d0dc8e8838ebb9b0a5eb92b3912036f250b5f9b25f387934423f28de415

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
91fe05a07520b2f325e75a41b2e927f2

SHA1
169c9f2716accb44ed386eb93bbb88f27fc440b3

SHA256
dfd3368932c2ce2979e99694bcf6e32f4822bec515fff5dd99875c42e7fc291c

SHA512
ae6fe9c29d5bcb142abe3cd8dd8aecdaeed9429c12d8e2361dae57b61cbdef75aa1bad3410a123663ef54385368a0026d8fa5f2347c5b62eda088333b6ec65b0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0aa27f337aea3336060fa12fd5b68b1d

SHA1
68f40ad62169d5ac70fedb37b0fe5f2175e1795f

SHA256
f3df1ab5731b7baf4d7eb74265364a8d5d4ee891cd4031caf67f8d620df33b46

SHA512
fb5e9b1058c6f1fb81cad36f20c9084f437dfb86c2168e160b3704f5648923f9e44f445d79dd750bfa65fb0550d570e9242be8ac9239896b9e0a211f7c69eef4

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
91ba195992ee2681a04e0206d095944a

SHA1
ac1ccb24284ee8abb88de6efe3ff7ab3c986ad90

SHA256
b4598bf17f6eca36642b9905842a6e6f2f7092668c21f93d489562fa75820a14

SHA512
814a7b67a85b3c51fe88065c8f22d082acbd2b73ade6e02437f0bb859006f436482e2acc977d8bed2405f21f72ca7e7e6950ec4df4c7c81507012e9eb18d7c86

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
10a046abd0afea6feb1740db39b99569

SHA1
d11f7490c732ae2340cb1b7f05b32e8bf789c002

SHA256
e038fec35ad20cfee38d18173773240ab1ee5d79b0b29349709e17b31c756722

SHA512
d2b156de55888cc208984c20bb70608ce3db826ceba39db02e42da820c128e88c02e8377e596562bd7cb09d33e188f432324977123d297e7ebf10fcc849d5d83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
43a4a810b3a27d9c67b19ca19638a53a

SHA1
2e6fe3007d3bb312d9dccaa500c42d4020733f81

SHA256
0d2012d1b403f6f229127c37964617ecf3610de0bf917c6b9b589a60ed9f5404

SHA512
2cc2b0fa5a0a38c1ab72c270adb50d635dc393ce32e22068f6243ab6f95100752a0a05dedba2da60d0c6bcb462899648d229df62c0cd79fe513616abe02c5144

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
de893aceca00d394c9ddbf94155cf31c

SHA1
984d3eb024d189d314ce395c544443866bdca45a

SHA256
0367fd43fa42c62771ba07b138a0458fe7c4a175eac418a8a4bc86df0922c010

SHA512
7d2a6a9ce1b2ec14855ee6a197c15790dbe25e2c821d246ce6ae232a0c0c98b02f4053ffaf1e63b564182694536001abfd67048636e7b86c58b34a1082c2b950

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d46ca31224b1c5cc512fe08663189df4

SHA1
c057da2ddb1686ebce7f3c485aa0eb6487a585e7

SHA256
3660aeab9c657ece5f50d64e6cbb034d039754aead36922d798727256d9b8ce1

SHA512
249ec5a15e794bc075836373a5334a27ffa9cc4693b69a3926ef3f213e84b143d62f5d90cbd4312830365180d4b5985648fdd37fd9532b011393606ee285dc46

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
29520a39764aede07f12a1cdb6443fc0

SHA1
183d2ff187c5404bf29bb14dba99fd4a58ef1304

SHA256
d03d1f58a1e86ab37571fb4b4f7c80a35729731677bd1b0130a4b187cd1a6c76

SHA512
5a6aff549b66871fb32fdfa8bb710cdbe3cbb85cc942c38f84a384c84337185e9ee40cddbb4326ae413ad97ec98daabb43f58460e49c19f73909dfbda41933fa

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
feb6d428655afb1e1918c9139b616c2f

SHA1
07b5391177a26b64d11fce0b95c8736b6bdb4974

SHA256
40e5d7cc90c18b7d7584e5aed62e1ec0baa6d28bb6a248a82b73ebda7de47b03

SHA512
048aabfb878fb671619561337d9b1aeccc2144b90ee9b7765f1c09d136bf791d810d90be6d24a7eb0af584a331dc8d8dbc72622e5cede7f8ae14ce07a0c2c3d9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
69d2859a4ccce9b89893471d5303a0fa

SHA1
b92dbd69bcc8563afbbddf8218c5f31202241497

SHA256
9f60e6a4b1ce96a8ed8d72163d6cc7ec82d360be3cbef1d58b7aba57e05c94f0

SHA512
173b8e6336798f00ccdc1df45a17e7bebb798c5dd0edfd584d7bcf709a793e7c768c7be970a1dc164a6beea16527b4a6f5abb50e28e238dd3d10f1a36c7a3a15

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ec7557533e0d8694c288f5465cdbd3c8

SHA1
609ca64833454f1f3a00b01649b35a0822edd9ee

SHA256
ce41858528d606b63ead45216d5927f86e6c0cc732f32c6dd5fb69855c865d5b

SHA512
3edb9b33e6947c7b06bcf1c9c95bdbaa905f95ba320dca6dd0e17c66c651567dffd2557182ec7cd2c892baa4f316f78968e0035100ae18a6e4ddb555a9e0fa84

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
99c8cb3dc6476fe049c1b20a3837cf71

SHA1
cb507be26dc36118cde8f57cf6f6a2746daa6170

SHA256
09098ee53fba13aa7439ee7dcafbabc6f6775efce2fe99ad5f681381f712d908

SHA512
bee2243b5b9a527144b37755cf7085d36a0ef1486acddb45d025588546a654298dc0d02edfa581872149132d47c1754f9681101be92bec28ce5f82d2779ef015

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
49efe45ac05d1040ea3ca5070af44d01

SHA1
cd0542ec6b8dee15effda9ba739bf3240c8118fa

SHA256
d3ddfd55212cc218758a581a0fc81997feb4ae10328450252104ddf553538e99

SHA512
78c7c36381768eaff0aebeed0829dc449bf557008fd616873c12c81b6c8c8ea5dc268cfea2fc621420aaca348f3311dd4d078857859aa59eeb03d2ad79a18b15

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
40f0efb565d00f9ab0a3b5295729ebe3

SHA1
01e03d1c6ca71b2936ab58b62c0005b4164c858b

SHA256
3827dcf94944ec0a8a43fd36aa172131d122488fc752c5fc6ab1e031b3496e75

SHA512
5218ba420a3bb5d8981304e66fd51994318eab604c4727f9df65cc6e95528f8fffc4cf5845eff53d91c9b0cbd0ccd89c16b9507f4aa1b5b9a9e7522a6dea786f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
790912eaea566d8ac252f3c64894e7ca

SHA1
4c89e0558e599b786891a73e5ba495413f0fc190

SHA256
db6b164555433982151efe89478a4e480942c41a02df682092285a74ad226793

SHA512
22db702cae835fab413989d0f33bf9d315c233fbb1517d296415c1070c47dc3f7eee87ba065f2cb357c98432c0cdfeb4b71fb1a27329a0e128b4624deeba3d05

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
3cbd52c53c9c5a586673156dc50ce3a1

SHA1
48b7760478c3bfbe5e0423fbbe3a4754801d503b

SHA256
a07b83506029e6c32c2b00fb53aeccdae9228b464c0c7687db90c75ed4a8f4ee

SHA512
4907bcc71841c25ed842365a9631f12c976f2b4684f8fc88c37eb8f6a7510a5315c37dca6c36136286320f85153870014ab85cd7f50609acd904cad24311be6c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1a6813fda30e87bdb3bfa6eeb1b2cc81

SHA1
11a8b6aaa1152278b9687f33c9186296de718ab7

SHA256
579ce5d2b1cd9c75a7e38b9ad47a13b8c5144a855f1c3a74b23eaef673d103b7

SHA512
ffab229d9e8e49056290c75a89bf3eee1f1e5b6f39b70aab3e56c9ad651fb55d737deb265b40b2e097d9c47f6b2eedde49ed07832a48f0e99b6648917bc39062

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f6b2d19f2e9f796aef08990594fcbff0

SHA1
15aac9001a7541d895e451fd9544c9e5524d2dcd

SHA256
e09fdde6ea986cc8e1b3710a24ca1b1eafa57867e0d2d8d399cb3bc5c43fedec

SHA512
dca7e346233a9565ed85b5231caf79f578309b5c1c9a70fee8549d42aadb089ea94c46689ffc62cd635997b2b8c7afe84cf59aadd3262387af2d81711fca21d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
28eb8306a9813e7d8af3119218ba8403

SHA1
d7dc35f0e6e04b26a8ee447bce2febdffcd14e67

SHA256
3d9b0a474578f5c9934793155b43cf55175d2d9278885a9ae724e038d62b0f75

SHA512
a9f35b6fd37684fb070d9256d03f7ad53ae8e8374e8e608fe810aba7b74357b4cecd27f20774818a094759a43414bbd3e2d39dd46858b222eabd733485fec969

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
50889f8fa5bf8b68bd028cb694dcf2a3

SHA1
f28273ecf6a6d3900d11f84ce2e00037c7a59b19

SHA256
9a9804e43d32c1feb60cdfb64f1c11dfd774bd832603d99a317175305fbca5a4

SHA512
afde4bfc797a62828e952b010d5bda92e7ccccbabddf29d98fcbadc6225e24ea08c1bb3e8532e971e968e4c3143105b164ab9da2921f5de7c499260f977acdc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
4a035bc17355f9bd3627140a6db3b2b4

SHA1
fc7237a299c99f0a8c92640bbddb4e32cb2b2e94

SHA256
628d9fa8920f47fdec5e09b4cc5f299a4c47125eb7b9c463c52697454ea37e84

SHA512
7dce1c5856d722fa248bcacdba7e6274a52daf78e4ee74726832b2e5c59d7a63802a3aadfd4e5a6aff48a27a69be13c7d70ee49cddb41144357d7507edffa5e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
cf14a18ff9cfc00370a1530a2fb12f3b

SHA1
4018817ae2b4fe4170bff0e0aec8f84c2d721b38

SHA256
e34ce83f2d5d0d06f3cc1ece4ab2d8cd59ad3d8221d8568b24c8349751862413

SHA512
d59c28511d2661ba6566682b83ecd0b15c137995ec475799167e77627bac0217bfc628e212ad2e61a94dba666561f9fbbd3ce73942be0c8c15a3e58ccf4721f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
0c4b52e1f5616b15732e99b248e68e37

SHA1
b21d7caf6ed60e409d024d655f238a529592b628

SHA256
787b58b32d8b42889abb7f1946c927d144d56f53ded807265b2cc966fa358793

SHA512
ed181311bab13e80f70c49c2bd142aaa0cebadde7407a1e25daf18bbebe67ad633d51b6451f0b8d6be7da4c416b486521269b337a5916d094a6d04b8d6a470dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8f5d7f2d9bc406cdcac94ba6649a9f9f

SHA1
d146e5fd52d9b95606a9e9222547d6b7f18a468a

SHA256
1097fb684e8d6c1c507580380836f416a42f7932751df89d2592b5a6ec506020

SHA512
3f6a8e6ece9c570d07e5fe670800cdb52c8c2cc92b46bfce8c4fc646e1f829d9cce81dba897e75bc098b0a168ecb6ab6494c096ad83f7b08a050f94595a7f7e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0dae3fdabb20cf74e5b08ca43acdec37

SHA1
a6cff625d763a9390a1df00a208664c1e0026d29

SHA256
77907630e7ee2fa38afaf6f8aef5a61810aa1b06e1930a81ffbf6732ae1209c6

SHA512
59096763263c569c648ebba3f5fd331b6b33b856c72571f5227e1e51d8c541715429371cebd29db5d7aa5615df9274efe7cfb0c1011b5a582859b407cc9448db

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ad4d6466711c6268410186fa94b985e2

SHA1
342b76e573c42468fc2ea961cdbf818736a8a922

SHA256
86281851f4f52a94765875fb5cc878a9f719d464381dfc480d72d60bb52897a5

SHA512
08d1ba81dda4cb2af661fd3d9054e1e646074a3efbd0e5b8b5aaf84e7e13d83693bb4ae062703f0535cca7aa08632de23f6ff00015f170a925718f40e9be0654

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1393b1fc4de93fdf21cdad73c904ee10

SHA1
333309fb9209f48a5f06339336b6e6c1dc7e1ccd

SHA256
61392dfa78247dc208b93b0cfbcd0eec1a14e9f28e351eb0c94e30c252798c26

SHA512
01aea0a07ed94f8166de1ea527f816f067bc2765554e155228cb4d4efeca1bd0478c8677e6b664e80e9e61f6e3eff3c2e4fb0638b4c1ac1822a2ff64016a72dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5f8f3414cb2f9a71aa4e361203df1f3c

SHA1
9691bd761374605d69dbaa21428a8ca5ef42433f

SHA256
a93feca1f0a8efe3220fc640467d58a8d734a62f983c0719eef60157f95f7c28

SHA512
8278c34e4b4b7754b44c39f5991119ece7f736d9a58409542968e3a07f4b66abf2bd9d00c3bccb10428e95c2118ee0e21d9f6bca8583abddbce4ee668b8207bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
b123ed530348a22f2ce3dbef69a5eed9

SHA1
bb4fea7def921257995efdcf346655c23fdfd2d4

SHA256
26d9db3b0e353ceef03951f132591d2043aa399d1bfb1778765a0e22fee5ca89

SHA512
c0002d7515276e964e0a0400e1605e4dfb32e2aaeb7cd93629a3d47ea74c008dc364656c4d41426298de4072814facf91719baaf35fc05c5321862533e1f8b8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0a0e4d424be564e9032e9a7280f1c497

SHA1
97cf1be4abfbaa9058ed9c7d1d3f2c06783454bf

SHA256
7f7668465308ab4a645dcf1db4722eb313a6e1e466d4b4b8757a91974935169f

SHA512
b677dd0ecccb2beb8a9f5126eb292f858a943957523887ef9b21e5703259863ce67740d0274789970134715525e2c3bd7049ebd4f36b5e4d06f83e452bbe4820

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
c7b430aea61ddbec6739f13468a97a27

SHA1
6527ba9fd5bd9d11ed514f1281dfa1e8ffe2cfb4

SHA256
7c075d3f2c73edb1813691fca5addf2c16c0e0381ded305d50281a783bfd33c4

SHA512
d102e415d573ad415a362c7e549530492ff0e048517095be70b252815daa55c9523450950f91d1b9e349311f838c25a67653a30d5c3d69fb613b4714c1b67129

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
30445f445009e4097e5be3d3c690c122

SHA1
e1b80d8b0d22a054e3c9aed00591c573728266ee

SHA256
33df6c6639b91df335dc8a413cb2c74a4f9c01fab513945d173c7169665d0701

SHA512
a4d810ca3f8aa38a040cc4b7e209e84eedf35759e732ddb4178c70fa7786034b8dc084bc024f6bc1474186b259a3f94f4cf7509cc85a91a2cf57fdfdbe1e01a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
15e73fa0fbd889906d0764c9d7f088ed

SHA1
596a04cfac46f637feb629247f5d209eac152662

SHA256
2c9adb77809ecbcf74a78ac64830b434a2ea011a768e4dc6b8217ca042b1bfc4

SHA512
edc1c177100654252eef0bad428c1234f1b1793f7e074adb2cf10f664e2d6766b6ec91c65476c40c33faa946f851034943e9d2f6f9a93a2014092e86f2a86388

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
76c6643c8aab4f310d3fad949b84550f

SHA1
7ccce6ae2b4d4b67384bf28dc94b3af427425d57

SHA256
bd361a96e7ddf33f2fecd6e0bbeafa63e2296ec5f0588d1882d1f786ce8012e3

SHA512
a9d7d4e6f9228f639d7ae011c0ada7dadde1ac4125876fbd13bc6ee5ae05a74c89ab73c3427f2f28d447f39039aad49cf28805dfcfe6fd09068af363a353fbd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
c26d2d1f6c451030087ae662cba4dec4

SHA1
6d2fd8ea90dfcdf5f044167aed38d3e5a91cac46

SHA256
cbdd46c0e521969d31a8f52e8fe343a5d18e43c7cd7359848f5c1924efd538b8

SHA512
6c62a936f644dc8ec2e39ae9632679b211b9db96eb0012ff5e5a7ea34c4f5630b49f0cb60ef53f005417d1ede8d0004bed40f6985ab4e66ac904f45bec07c6ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
02eed35e6feb56277db87e0368ef396b

SHA1
6cf0f019a0b0729ffb8cbf4fd32067c9d3b85035

SHA256
3893dc8fe2a1432c0be951ebed53b62b9ebf6753828b6040000ad58257cabbc2

SHA512
a7b5d149bb5acd08484165ef0ab5876dc2ae708cac6b8243865a34a056afcfdcd8047a448b137c74e317e8dfe7f510b2dfbf8938064e38a8f6a3d06010e009b5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
edab1e07c9d62973b9b35424f9ab372a

SHA1
9bf195837c06c9de8e5d8a91dcae9ed1687a581d

SHA256
97efeaa56d0e4b9fc3e7e089c99b056b807459440bf306b2899b3ad2e0c2f555

SHA512
61fe9face6bb569bdd16746b516333c79a015291e256c14ae236c1a20fce1a852e5cd35dfab78cc66916513c9702be8f7e781bc07caa8efce45bc01398e8a5dd

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
5dba17502d6bf4bcb054b171864045aa

SHA1
995f41942cd00263f433770caa71c7b5766a22cb

SHA256
88d8d9f75718012702c3b56d1e8184bd9022107d9d1906da22c25744d8b9e2f1

SHA512
45906fea11c0e4afdb14b8cb2700c69998a5c1eb00e88216126cb1e8e359f10fb1caccc48a0166192646cfc8dec8d24f3d7c696fab7fa9fec01154e375ec8324

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6fb30fb864744fd0afd020e625635a89

SHA1
3eeae5b676ccb4a983246b32996f593ba2439912

SHA256
345c57b476dbd58d365c9f54691c94e93bd79d66a0eadb3efec95dd96bf82890

SHA512
57f1a1fec7b8d56c56191aa071ee095b816e9b096033b4bffc074dff550c81241719b07b5357d8c47e7a5c77988affc94e408ba53b2e42b32bafb1ee0b372167

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ad9f4fccce73a5b57348a2adfc3f096a

SHA1
464f9f1904ecb990db5fede36bc4d2229769b98a

SHA256
2d78fe405d458dbfa1f66dfdb04ac3dba3a249d963133b737a51d17e77b3ca5b

SHA512
aea29a6d0cfb1d94e720d1f05cf79743e60db7b4354ad36f06e8c79ef6da3e82a95bf53dfe97cd7008c881b34099717511cf4d46471accb5343d5eebf4ef9d1d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4038534e165307ef94242375fe095053

SHA1
64e674cadff0f3f5f17798d87c8a395ca32236ea

SHA256
9d9002aa7be14ac549d826ac4ca80a92a0d1775a3d3f29b16007d8a3c2fe6b07

SHA512
4a009af47c5f89518bd647fd59ac614c56bd45b9fa4c63a306f36980b2a8f4f9e2e6eaec6ab3940f45c6362f038a7dfc4735f2b292c2ae52bbceb327f3e70689

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ef04a7460dcbb8412972444d9d52d646

SHA1
f3d3bf989d6c66fed31bc5a6f96354376b4def41

SHA256
da01c5f7d774598cb80ed46e1dce70c68a41fd3d4be08489cc68f3e12cbecca0

SHA512
a7477e8c19e2c152f5dd57973e6d10cfcc2b8570c5c539f08c10533addf021437b74cc974d4a58e02ad379fe091e9439e75491c92061c6e3ec3bb89d3d32206e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
8811dbb0d30ed505f434d7f819e05482

SHA1
beb4d1c4d89706c78abb21f565c311c4cf539e06

SHA256
18a91f52b84c6a364d7ac573d391919595470fb98f3f4c45b31796a58da0d6fb

SHA512
f78af9c33686c7affbae6ee94ef131c1f49a0316d08e201d8d7ec9e9487a990c68de30df65425140ed138c46bbe094ea74e5b2faef68f540d78849cf4da57453

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
92b9438dd30ecd8f33f2082873b1d70a

SHA1
4eba1501d25040e00dc4e0d189a0a0af96a4d497

SHA256
54b873ef9b9f697016948313c9d8e552ca2724179b81ec9610ffd2c673aac7c8

SHA512
9284b1949773256712f515a2db4fbdb68107bf2d1f79c4e7b5d09ce6071fc7db99305e9b920e1e73e64f9e42ffaa94b592000cac1adf4a84744ab1b8905810bb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
82d01e0b5e43f25e4c159c9b8605ecb6

SHA1
af4b1bede5c08a724785b6dee1d26b453ceeed00

SHA256
4a882f8f3bc3bb67814e8d54468d4f7779e52ce3225645e599bec829d9729fd3

SHA512
3104c4a6289c5d9775b7fcc0745347d6a97d73c8761c89ebc5d14b58b29e22944352f19e51ccca78ec15d3a391bd5df0d6d5260777e3e3af2becd2a8de4244f3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
43a7d6cf88fe0b59dcff1fa8474e2ba2

SHA1
e5690d7c100f0da4a8d564bac84d0b3730e3e8d1

SHA256
ea9b35ff9454e54e6cb7c0b21249c0ea41abdaec53407815aa0347772c484d7a

SHA512
603992013656815ed7ea959a4c3f64465c417bc8e3fc48ffff6d9cbdd8fc8b5f1d16cd514d199458e20fe179933e5979d35c402d3f145b6e8b90b8978f6bc794

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
63928676f7529d749cc4c865fa111adc

SHA1
10696565050b2b688ea6a988160a7f59804386ea

SHA256
b64d757973e2dbdc08ad098d7e5bd04587f660e030fc19b322d192c05ddfdc2e

SHA512
003b6c621e78efdc0f96ec9f90bc2e4f2989d255c5b303ee7700e1cd81df42b9c4f54bcfcb76c78fc0b8b26cc0e580bb9f32006bc05f0288da376b341c890877

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6deb05cfdfa1638af60fec18748378c8

SHA1
0cc8868ce187ced6071a86acb7089851c4748de7

SHA256
5dfba015b86f0fde56a1a339493e446512d70a4bde9ae2699d5deb9c6f2d07ad

SHA512
735601ab033f656d3ced8a7082bcb9ee1a3e887a4c6f2e34cbb60140c01b400ce7410e9ffcc29e43c79fc444549bc8cc729694d49bdf2c6abf889a724df94663

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
aaa8bd3016702ce2da76470b5da31236

SHA1
18e1e91c1120ce317ccacfa7c91d8cc27a56170a

SHA256
df2c82bb0e7db4a4bdeee08d2e75042fe9a858fab930f69cdd5a5ca5089b66a7

SHA512
932c6b7e9fe05d5488811e814ee3a9947ca164044a52b284c74f2e665f0e658defbb9984ec37cf68fd3d7f898b24dafb6178f7fcfe90be45465d99f646a24388

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ec8ca9a7843304a4c56cd83a581e8333

SHA1
2e928e90e227d275a4be1041bc8e2d9f0c35444a

SHA256
fba6e15d884914395fda0be46b776301155f7cdf8cd818587fa45e37c23d265c

SHA512
ef2798527a5f6d876df13cfb7a0d3e0898f2069d464b8725aa3e22d316e038c3391d0a5fd2f9e5f125a77d8ebd002f89dfae6519d39bf235b0059b0ac258aa3c

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e9231d0ef6b2a1ff482addb24ed6e79f

SHA1
86eaabfb5ffe2310c476949210b7448765b74f5a

SHA256
7e2b3b9bc319ef61c560d019704e4acbc47c3084250101d2654b4ac3d58b42d8

SHA512
a24cca0cabeeca5f4b4457a3432498a7ca1a250adc0ab71d4596ce4f4b337f76aea3026d97315aa49e62ea73c5acedf121c744e1ec3e376887d0efdf02d031ca

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
3f12c6810c44156b31b2787303bc079e

SHA1
ce5883cb3ef0e1b7a65873dfebf58fc469cb7650

SHA256
190ce611c172312bda94a786cd57736af6821449a000284cdd9fee060065ff05

SHA512
6b77a0c15f07ce32d215d893bf166fc1a13e7cf19f40e1da4b6435c214edba9ee5fa866c4acc459cd607ebb0c9c1f690ddade61f5084b9467009da53e9ec9d2d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
57f8e5fafb395e3ef2654ee6cd23e271

SHA1
d72af82ce3297df64e20f81332633f46f9b0baa3

SHA256
be513f6a3bdd71c1b95e0135ce1433de220927c4271fe3a28067311dbafe16e9

SHA512
dc1262915f19d3db630b355358d7f222a9d736b6e63f07c2e0b66ff4876474e7b2b99dcb4a0f345bcf23e4e44fe3a89cc38118e429aa2d95c2ce19b7e72dc194

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0d1aab6da413e78e91a6f84631535c40

SHA1
bcba05e8d324b7e6c72f307d497aad0462682506

SHA256
6f683a0cd310d5cbd527534822ee9ad4a633388895daaf0541f67121b7f8bcc8

SHA512
fdc2253672a05cc01e9a09db7b6f542d50f535b39d2a04964b1997d4d448c25ada20810c590e3b482c497d573a47311184975296552700af01236fe6d6acde26

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a8e1c2ae84de55e109d6cfa9915ef3c5

SHA1
2c7f5a9d06c6b3df99322815fd0a065f680d75a1

SHA256
e5e518012d6753907edc105428ee06261c08fbd1b6306111760fb566c496b2a3

SHA512
8c097b2b7bc84efc1c3d89f5eeaa5f6efe7496796f636d09f55e0344e060395d81b8bd097ef23fd5921c0e14fdd2bb207eed27d8e0d7a49b63dc1bbe31c5d270

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9474bad544f4b5861ac8c3669a970f6b

SHA1
0bcd67600f55fc7abde4d738b18fe32ea374179e

SHA256
7e08f01c9148b0c4fb98f97af64ec0bd4f5ec1f679a2aaa423cb09ff98541d61

SHA512
7319e3eeedc3a3ceda40af3fa2ca0257f5739c1c000c48b9ce75b76e8907bb7010c10a1d03fab3ef4d3f0d0fe9260c212fecb1251e7f43329e006a20fd31ef0b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
63146dab8268d6a04129f8745b6020dd

SHA1
b3252d133258a5961997658181db6afdd3240ee0

SHA256
a0f9d57a52ed3f1ca96ca74bce6cf7ef2fbfe6858c20844772c818001988cb40

SHA512
98c1815acb76812b54eb54858ed20e5d701244e2685916978432cf199e37d30805a13c2267e5b58eec20594c6aec925ffa72d896a1e1734696b9659bd7b58911

Download Submit
memory/412-336-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/412-504-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/452-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/452-57-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/452-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/668-326-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/668-268-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/668-269-0x0000000000630000-0x0000000000697000-memory.dmp

Filesize
412KB

Download
memory/924-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/924-23-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/924-17-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/960-499-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/960-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1944-33-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1944-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1944-40-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1944-243-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2280-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2280-240-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2376-330-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2376-278-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2640-1-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2640-9-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2640-47-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2640-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/2708-314-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2708-316-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3108-331-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3108-502-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3168-335-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3168-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3520-444-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3520-285-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3568-327-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3568-501-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3732-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3732-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3732-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4088-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4088-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4284-496-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4284-311-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4372-318-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4372-250-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4708-494-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4708-300-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4928-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4928-500-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4968-60-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4968-257-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4968-263-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4968-254-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4968-71-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4968-66-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4968-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4968-322-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4968-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5048-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5048-493-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download