050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 18:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
Size

830KB
MD5

303fc4a84c3c9d488c9497ecf25df26c
SHA1

8ba2c7f56d5083e55a9ded7ef9d773d8fd0bedd3
SHA256

050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45
SHA512

8113e5df7ee9758c821c3f3d325be796062e820304d09442bb54a7f491f1c7a3ccaf09d06adc85d92b49047a6fffb3c4c4b64bd03f1db8eb77a8f6f4ee7d30f2
SSDEEP

24576:JUhzv/TaTPRmlh8t0D+7y8G2G9yL0cMoThTR9PyuLzpQo:JUVnTAm+brLC2hTR9quLB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1552	alg.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
3008	fxssvc.exe
4256	elevation_service.exe
2436	elevation_service.exe
4088	maintenanceservice.exe
468	OSE.EXE
2180	msdtc.exe
1384	PerceptionSimulationService.exe
3676	perfhost.exe
4732	locator.exe
3204	SensorDataService.exe
396	snmptrap.exe
2272	spectrum.exe
4464	ssh-agent.exe
2892	TieringEngineService.exe
4600	AgentService.exe
3280	vds.exe
3284	vssvc.exe
3296	wbengine.exe
316	WmiApSrv.exe
2320	SearchIndexer.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3504	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db1236b9c8648821.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059cc0d93d0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c16aec92d0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073a7c892d0cfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030901293d0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6a32593d0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d57ee092d0cfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000030901293d0cfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
1692	DiagnosticsHub.StandardCollector.Service.exe
4256	elevation_service.exe
4256	elevation_service.exe
4256	elevation_service.exe
4256	elevation_service.exe
4256	elevation_service.exe
4256	elevation_service.exe
4256	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4444	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
Token: SeAuditPrivilege	3008	fxssvc.exe
Token: SeDebugPrivilege	1692	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4256	elevation_service.exe
Token: SeRestorePrivilege	2892	TieringEngineService.exe
Token: SeManageVolumePrivilege	2892	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4600	AgentService.exe
Token: SeBackupPrivilege	3284	vssvc.exe
Token: SeRestorePrivilege	3284	vssvc.exe
Token: SeAuditPrivilege	3284	vssvc.exe
Token: SeBackupPrivilege	3296	wbengine.exe
Token: SeRestorePrivilege	3296	wbengine.exe
Token: SeSecurityPrivilege	3296	wbengine.exe
Token: 33	2320	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2320	SearchIndexer.exe
Token: SeDebugPrivilege	4256	elevation_service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3504	4444	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe	86
PID 4444 wrote to memory of 3504	4444	050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe	86
PID 2320 wrote to memory of 3260	2320	SearchIndexer.exe	116
PID 2320 wrote to memory of 3260	2320	SearchIndexer.exe	116
PID 2320 wrote to memory of 1756	2320	SearchIndexer.exe	117
PID 2320 wrote to memory of 1756	2320	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe
"C:\Users\Admin\AppData\Local\Temp\050e5350452861406c919787e754d8fc2eb18543da3d487bc67e2aa49a65eb45.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3504

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3008

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4088

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:468

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2180

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3676

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3204

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:800

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2892

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3280

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3284

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:316

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3260
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
289d120778c7ba9c9cbb96717b13c910

SHA1
91fee36801829d3f60509ac45b274f413826b039

SHA256
c83fe498783506e801c82b8b017745c20e4cedff7487caef6900a2d5ea77560f

SHA512
1a66cd5f92267d4a6d1253bc118b4863282b78da69f21a4cf50d0180c0eeb19ca910a2dd107201c69e363fc656cc5008ae35976e6ecaaaffc8dcb85093ef800b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
a389ec904a6c1b419377f43098af3c9e

SHA1
45834b97eb20d814e1836cc9b09f65544f92c0f2

SHA256
f9f23a4894c348a3e2527567ad3c7650924fe59db4f8903a0baa21d7e1cfd888

SHA512
d841d01960b47bd2d4a8d5faa148615a7528a48dd7476be25a68a2b71affb376359cb8731776d00662a116e8cb253e202ba98f9f794d2da4ebf33090559fcedb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
c2ce669bd9b4d5bed6be104ef40d42c7

SHA1
912bbc15cd40c1a77ba04612e44a4cb8123dbecf

SHA256
65c5b79bee42cf3765dd456c89d6b5244ae50a5a6d7a2cbc5fe659f52bb29468

SHA512
b128481f613fbb006ea375de585d1d1b34a8aaf89dc224a4e4f01ae7129950d30bca0196da197284b4659c0dedc290230d07466b0ea46272894a3d5011033302

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
3bfc157d780fb073d066c7efbbc65382

SHA1
fa9372eb6c770d67a2ff71696db4bff66cf463cf

SHA256
85f4edf66539a19133cc367c3842bc4bc41ac539476ce1bb4e34e2399069c1fc

SHA512
0bf7ce931936a16a7e6cf23245722e036dfd9174dc1d9f033f7554d43f674c8f0db53a9a01a44fb31f7f2348a7c65e4faf36bc5660a681b15ccded49b0c6a52b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
45662775217e3ec435a179dcb7110601

SHA1
76878932961ee06d5d72a0e83c1a22c3acacc93b

SHA256
f9d2d0b0933babb1cdfa2bbe1b0d46cd37635b8ae5e18653f52fd3774dfccb55

SHA512
064c9281372dca30a1e91b6e4dfcc7fbbef38bfac53e76f24313b7f1ec1467243d83aebdbff50a3ffef4c4fc37ed57e83288c987a3b0cdfc574861e71e61bcd2

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4f02ee351b7321e154957b5906cbb664

SHA1
991ce57f48b4df91c32b1a5ea260b8a9b58faefb

SHA256
00a5f7eefc87c947355651dbf662f2fbe1762068d674b755d32cf069450a5a61

SHA512
b0558fda92662bbf67ec1164a5070f9280256777c4ed637a514e44955547daf29e33b74009331eef436856d0a9f764b53428d2a7cdef956ff5fa6ae3d3150fa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
2fa2de22675d80b2d4ff750de2f3be67

SHA1
09596d20221866183079482cd6a62563ae2e9697

SHA256
6dd095dfa9fd9532c908c6819207eee07f23fafbeb51a24140479549517e31c6

SHA512
f51a2b772bfe53a2419dd3bbdf496ad9a867f7e0db33ae089b29070b74b288e2e9c0fed0a1ce12374094a4904510a73f7d230b8ca03397d62934237fc72f6cfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3d7e1e2ae0c980c3ab82ddd7e79f3693

SHA1
3c20efe0c684a64f5624680588a6558721b36c69

SHA256
02caf50d9e469c1f1d794fbf34b1b83935e44e13f030e4278f05fa413870f333

SHA512
b98c0691d66442163b8a77ad2f1e23fefbc959b5b49c1f1883ffe957632a8de63545bfae013356cd16a60078c5adca4102c46cb90f1a7d96059137e4b89805c4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a55123b2c1f9aac8fa23085e59dcf3e8

SHA1
e1d9e9ec018d247f9d88b8599a8284ea2f5134cb

SHA256
c83f94555f1b077cbc14542fe6389cac99df402de6bc8f67280be10f273a1bc8

SHA512
870147deb19f727e1afa5b90be96d0951900df6591b9a8a590ae1e4cbbe3e10f02c9f0a11b937c57c5ac505a51c4b86ee7af3ca4a6a6831880a7e3f55c7c0170

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e4edef84d07e1cd6577eb5bb1bc8d141

SHA1
c8329618fa30cedb0a3850ef3c0e0cc61bc32c12

SHA256
d567887553463159ba633d4240cb467e6186b0a4e03545f0277376783dd3ead2

SHA512
173fc3fbe5340e05147e894b85abdae5c204355bdd8fdfb8be8b672abd982d75d54d604f4cff0e28e147c777d49a467ff3ca1e84150500d38d1c41618b0797b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
46c5d44712aeaea15fce485e6e0713d9

SHA1
a8c76231e437a480ec558d16d740859d2088f65e

SHA256
8b2839383f5fd22694672c20ed72caa51621448165345ab815a3197406275547

SHA512
b997ed9e36b182b1c448d631638d244d7c403612c2d2237cb30b944648dd5f88a2114287adfceaf8b4e1291a00963514825420095e26378423404c0882b64c7e

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1585894980d65ff08d2c4c7fdf3648e6

SHA1
fad25733fc3966ced2dd894a888b07a1651e8021

SHA256
f942b9c76dcbde65fd62f864fdebede24eedae295cc317169ed014f5da97b2cb

SHA512
ef90c95ffb1acd5f330d59c9d162f3e777cd28b651464ae94f0bc4ba777c7c1285187d3159cf51b4dcd061a3bdc43bb475f26d85ed50b341df4c06fd01218890

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
776027586a9a44a1aea6550980c7ac6a

SHA1
b6c172460ba6ebdacb8f5964e4213e36bb4e39d9

SHA256
a38c0d3f2788e145af1997eea82be078dda0f98d798a654e084af467057e0303

SHA512
282f2e171aafdff56d1d19943a8d57bbb20f54ae0ea0bcbadf7481ef66c6566f9a32d44417a02c68f2c50c0d97e7c763e5bbc9fbf5613780b35bfab204550ee6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
232b9c2ddafe0295f66613527904342f

SHA1
f2350c429a32e18755ae6633d01b3b25aeb7cda9

SHA256
cb290910de09d259c552f047907c2818fe886fa4634876dad2843dee7cbe69d1

SHA512
ace0f22fc4c23b4189acc9f6d3664fe55d6095c0080082b89c949bf70791e156bf6989e96be2eaae4c4112044f4b0f0c4bd98d595dd0fc19e67b2d0089729599

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
882a3928157cd9db2639cbe92b2e7cb0

SHA1
0e24b6253bd84cb9990149f7c263cb2bfa9b9792

SHA256
5b7b637c951846edb0954f71dc1f5eb932aa794fd58174b14beed92b80e61abd

SHA512
5f6b5878fd483369cf89b0404e14ac5a43e4b33c58edf1c505ad0ca3ac134abf99694277c11f936068489e10cbddc31d0d441410ab39e848b2aebd645fefb826

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
da2b6935bebcf31477da7eabd152e38a

SHA1
5c23d789dfc2c1cbe87a7f1ab852ea88463d21d9

SHA256
049678be1c3ff70bc27c911bc6e5bc155fa558a6a1163d9df92e5345911f95e0

SHA512
7529b5449ba7b8ff2a5e8259d525e646da545ed32911094eee8c99d2edfbe163fe2a7ccf8f21bcee4a9a51db0fc38931423f07570789fcdf67c800d3456a6f36

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5b1b7b11952aa36c183807fd783277b3

SHA1
fdd568b092ea2f8dc686f6942c44a2729872cc94

SHA256
4710c03cfa9c326a96040b5b3ec15dc879833f34f1cb22edcc4b733a2f0a5f34

SHA512
43af59c36d18f66ba18453e3de7a18181d4608b28f0108b386f5dd529fd34635f43b6db605987f13d9bd9c8410ebb48146eac1eeec96d089013f761ab31b83f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
985fce5eec63a6567292458d0c8c442e

SHA1
ecfe16aadefbeb027f0d1027477128f06f53b778

SHA256
077e75f92ae75950f3b504fc61b46ebc982104e4fb76affc4ae9fbfef7acf30b

SHA512
c420d186a0053716b462676fe8a94683f96f0bde20a0af957c63ad46832c7224733613263e2180964e66ae7c4ee346cca365c2dee0d86b00a57e9d89f4f813ff

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8139ee622206d2ddb302389d4e482a25

SHA1
1e6bf072b2e05fe275321ba234c9d1c74ce06393

SHA256
e9225948a3b9479838af7f8a8e3c445d57128c92b1ecd77cdfabe02cf6612c1e

SHA512
bd6c6f56e1d6827b9763e66d1dc78f4642a653ee5b3a3769de683ac0755388addfbb6bbd39ef30e3dbe5e750feb6aad5bf5811f9d61def8f5d26a00cd856afcc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
de9dd1dd7d9f83b48f0ff3bab9a31f83

SHA1
60a1b8857ea6d1b2ed73b4bf6bcf4d7c704e2425

SHA256
276e5148b40923fd35661c62862ac22e8c2f6f32d9b7ced7c7c55c1f1971fe96

SHA512
2ea52bc4ecc7181e50338aeb39825d5f0a279bc5d6dd8be8958f1c4416658a642c32a5d68b279f0542a40747c4395cd30a8a8064f1404be7db843dc8e48a7677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2ce6a3d84c740d9bb7f7fbfd4a0ee4ec

SHA1
9195cadd4e051c509009b48341559f9d2db680e9

SHA256
8fb6701ccc6ac099b019d90f68e55722579ba245eb49c26c6d693bb955ff0d8f

SHA512
cc82b82e0fc387809b72bd0c0d0161176db0238d7fed8c4e237f28be563103bb33b510fe9ec6c592e02ce36ae791d7f906a1228bc07b745fe48b796fbdacead8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ec9efbe9e507b2848e6e0d81ba463cfd

SHA1
f2b112f563d72c0fbeed955de02737a3199bade1

SHA256
dfd1987b301fc4b745225a09b8ed23b9671e81d7d7a50f3a4e33c6283c2f3904

SHA512
b33a75f0d83152d5d11ffc9f8af2d28b4e9dd013abb60b7fe7849a2edb591b40aa0c2ab1a18e7546c2217d6543d27afb3ff3b6f1e03eae3b7a5397c2f68b6322

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
194ea1892f2daa11b6f2f37ffb7100dd

SHA1
c9d460929fed352f5829fcc8db4fdd20193dda33

SHA256
e1441ef2e917b4d9ec80df63cfa413e852afd96d58e810e904e97f3d5070fc2c

SHA512
cbade6a43b5d5f2c953414c4f25ec9b3958c476a28a591fe7d67fce254d10744377cc521c1aa5a37aca4807e18253eeba2911a0bb63b82a543f6993423da41d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
9a234b87631591eb60f0c9983d728137

SHA1
e9ad8029de7dbf6e334a63a4d222a09c87460afd

SHA256
566e99e1893fd50ce10e1cea44ef8aed21cb341de3244e9d089281bd41464e51

SHA512
2035f4e52e0f645608808ec0ec28a7548bf4df00db57a3bbc903409a94a100b0f03234d3e4956cf65771a643906684e572bace9b319edd6a5c664d3fd64bf63b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
f751bd8d3507038990f4d9d85f0b7f54

SHA1
dfbe1deba6a4f9bd92d48f2fd695fe718b9f3736

SHA256
fbdb3d40d293fa60c24cda72fb56f8cd12b5159f54caac98259dedc5c1d088a5

SHA512
e6eb5bd0a112be1913ad937885117674e7594f568e2a31b084ac39117bd1e2c28d4a2bb0a851995271216e2451feb5b6fb7ca2d65f3a578589487ee1402f4bb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ce9e6c43d752a86fa1071f922ea08193

SHA1
d54e2680cd627b95c001afcf169a7de3e2a7cbe6

SHA256
d8555f086437c94ad8f52095de3e999eaac1340cd6beee068b96f4585820f83f

SHA512
a48e5ffa443601b423756ec4519c398cfa82b4fe0e2eec8871cd3bfcd1ffe1c84b6fb04a2a0904ab42c62f0663f33544d1de7f26815ce9f808e05840043429e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0b29515ea42528f7ce883233dd0126f7

SHA1
534e6b0d9128cba437daf916449104098b255552

SHA256
5ab7d7636cb00e9901204077f3dbd4cc42189d4da2892d17e2a5710334868933

SHA512
53baf7a58e7a84a47ab46d1d2693f029c9ef7258fc775d71a299143efda90134e42fc5ec86f7cc1d7f190c3dc17091e98f996317485467dc0190687a70a52d88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
59336fdfb9457b18a1a7040d54eefe28

SHA1
b486e7a931cfa0509a0730dacaaf0b61df20eb07

SHA256
fb2398682af699f948ee24928274433f004ec8c4e999477ceed856792758feb2

SHA512
5186fd1dee0a7edbc92321a3d577fb00c3f88da521337e901678c6747ca45bb6ca5f4eda69d5c65285d6f770c460b7ea7cac199538af3fb80cecb25b85a0dc3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
58ed7a6d1352ea5180023763f310be84

SHA1
d1df07fdfadac76dcd1f0a35689d661edb8e766e

SHA256
3bc271d172bc3717e502cb88e17f5499566eebf6e59824791e60c01835314576

SHA512
cbd61a693f5abf5688a34a4a88cc45e5b8ffb2e7af5f6804e7d977eded91ffc42672e265b1ac92243fd6724c4e4c78dd794640e7a4b0bc4e2621b1939c744b58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0a24a7d50e370b81ad2d039ea06dcd77

SHA1
2ac46341dbab2beda4c0cd0df9084e960ca11b1e

SHA256
66182237c5be5464f68455a4003d5e70a82d0648a92808d917cf4055c304d9ae

SHA512
c4cc043b5f7c1f527158819cce018960578959dd2aa74193cd919f5917668838ac848d25d9a3e90f05eb2db460bc6d35767636aeabfc60a4c2c950366ce3db0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c35560847f3a0ee1e5b05bb93926eeb7

SHA1
a87de246854382813ea2d82dda6ec370cd68f0be

SHA256
bf88dd11552e464f8bdaeb386deb14ed3e3e9f6ea14e2c51456e7f26c33e205b

SHA512
53257dc21b4f049af495c37c1857cecf31ce64eb454a91fb16dd5a6bc700200d0feceff8759a20e0ac4593f4817b459cf8c69cd675d21d6ab8995741ff416965

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7e0cd1db618967f9abadb7bf37affcc4

SHA1
efa21f20c513591312fe1473898b2fe6e738ed9e

SHA256
32087a4bf5cec6db4bd2f796e4dc1aacb21dd5134a5d05db95f82f81ba276ebe

SHA512
696aad796eb868312d02c4f8c9e089a416e4c60edb3a57e19287cbe767a7f39121a1aa2bb2d74907ff0f602ee674df4efbeaabe6c0413777b479440ed28ef655

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
da19416b3f7a2d2ea540270de8874096

SHA1
843b22e3eb7cbfcdb79f1e201aa28ce172571cd4

SHA256
182b691eaed1c59e7c09e87180f6b8933b114c34427d44e54f6879b8fb959902

SHA512
a1ca0d76b54772a348eac3d1f764eb2e826400d48eafad3b1d1b7f83c13c5785ba5593165aa464ccc3d64547e3eb4e56bd5847d4b7042653d0a7676afbdb7fc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1b8a28d46d7856b7feb5e2f39b69d8ea

SHA1
1b07a2f46016883193423fda24561f0f4cbd02ef

SHA256
a4c48e8aa32282ebdb5ac9703550f5f1e98babbe84637490708291bcdfe7f099

SHA512
3a973e9af7692158b43f7ccabc31f6999844c76dc5c53c909b466d26e3f1d232088405907e037dbfe04411ad58b0cc9f77f61e0dd108afbd923e81deeea17f7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
912613aa5896719b5b056e9bdb5cdb8f

SHA1
05dca0c119a5b81bedd3bbbba18f16749f9a2bdf

SHA256
9da4c61e2fcf1df7c8756407deb6b7400a920dd3811f9ee956a5d8b9a3790fde

SHA512
f2c92c482c03c1712151a3e739cc205f0f91034486a011f2117e2519b8bfee1c6297ec48cc769a41c6fa111a73068387cc5a39f98ad18b39a42e76603b81170c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
b0a039785e111ec4e1ca5ef5888cd440

SHA1
d7894c4c2c3ae101828fa46c06f182bb8e2e604d

SHA256
3745e9b5e4228a0a0c6929591adce423330400ce7938055d63bf4259276fbd74

SHA512
642653551e0fca98e2bdd06ab809807b8b4eaad51cecd12bab8baf144fcc7d93b79e4dbc08d0f73bba62891ff626a61d48903c135a7a715efc804b3a86f0e1c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
f1cabafea7dbe23e1a74f184b5a36b5a

SHA1
fec6bb5c2839025f7e1fb304ebe665dcc60c77c8

SHA256
887f1488ccf835d6424c8036eed9008b75d2e5c25ac02b4fdc1c0f4595c7d154

SHA512
903e2e94f7f3192cda83dcf851e692f0ddadfc7bb7972f3bb4739799a6146a342430fe703f50a5916acafa7f00b218e59cebf7eb1633cfa7b945a62c3098c336

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
f72361f9cac09dea4d6dec0238ba36d4

SHA1
f6eb561d110e2398fe73e521e7607676ef18a86a

SHA256
5a43afa1d59a984013d84d4ffc5e7498160b3833f4f61d11a49146e42e3808fb

SHA512
80967060703d4c481f7431acf73262b1124ab16485b6d11e72d84a914f3ec2139e3d149240ce2d20967a7e0b1aa07bd78dfc80deec9322c2e56c8f1a1983c743

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
12ffb4e2259e21b96fa1b4930192e8e7

SHA1
d983160b5af5bb86f8711f818ccb07c19fa9d6c6

SHA256
3e978c2cfe35a15f596ad8294015e7ac8d272958c4c3f3c208e26bc7aabc6e1d

SHA512
631b5bace56a64afe347f0e8071a8fb5a0c4917aba87556193858555982000fbbdfafcdafbc2cdaad4b53476ac164f358eb72bcac516bc0ad7627af584849bcc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
15fbd945251e4db8a48e91e5a68df33f

SHA1
34cccd13476e6939085f3262bf2d4cdd0bd4c4b4

SHA256
5b021d532db974e066ff762a2a5122db25e46dee0be51ecf0c2401cc3847839a

SHA512
d1e6de547e52ece90d6003db094e62073094abf61ab314bd259768864a805121aaeca9fcd5881fa7a76d3f3d8eea66094df466ad156c82b3257acd5bd87ecd2d

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1c4d7b1c21bbdf66872cfba03254b423

SHA1
d50ed4d57991b875e31249294df2456a3a2bae58

SHA256
c6ed9ed8668e40c78daa9398c440c46024be71041e3ccb96c8d33f4f977a798c

SHA512
f8525cfe24bc9b7d13c9e4210625b9ac77ace00d5c5b1767fc597bea9ed0d8bfcb0fd11f579b7e570518fea0b3be246d89073c3ae1ac7269cc99f4a4a9b5188c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
298bbae17a2e56623f95e6e012ec68f6

SHA1
c108e10ca163bdf3d697f4bfedfaffa40c2cae42

SHA256
623276fffd3629c4225fd2be47f93b4e9aa5081a61bafe9555cffbdffcfb3fdf

SHA512
9724272189a8dd8d7dc3481ffe0cf600714863dc1de0f289ec29e2bb72e74fe25af24a3a61afbaa49bf78df7b2ac100bf562160f138afe7323418edb4a23fe28

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
08dd58142ca44f1efd3f0ab06a819dc1

SHA1
e835a0d1646c28efea0a7b6084c5852f844586c2

SHA256
e4f1adb3ba45ad41b17543818fc217d56c985634607cc25f33675a4e136bab18

SHA512
404075443135ba1fa9ffbc17a6ae33f72b7dacf3c793db3a1315c466392119876dc665f0b900ed495be71da8b3ceaeec047aa40a84e097b4976743bddab014dd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c2ecfa1cff10a26b11cca94ed1f687af

SHA1
fe1440f888a23ed89fc14cf37b5db5f98627b615

SHA256
18b7cac2b15b2efd341710649be33121dea4e5bd8e06daca04a5fd2409ab2151

SHA512
4f7c1d5cd3b7ab7add58515bd6b88f3628ffe333b562ca3999fe3cb2611cdb0b4769dedaa4b8377db14696fc25ea19d7278e5c8f8e7fd3732792159a3cb4c45f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7868c2825601c2923bca0c122142acef

SHA1
435e836b2ff67c701f059ace1b3d0a2d3e9a870d

SHA256
b8eda8168d15b6a77ee319ac42d4840b3075eaad8a6c23945f25f7c85bfc96f1

SHA512
f20cad61d510a10636626abaee3cd8bd15baad109a1ca652d80baca66e15b6434a5ada9553f331d51034783274e332af4f146aa67565d4e1d8a263c6ae009c43

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f17987242b38d392641ec4f07a557b43

SHA1
fe8d6471c63ce9371026c1b99d2f69d5b7be69d9

SHA256
7059b76ca7bf41dcd36a0df0195cc163dbea3547d369793f8352b2df9669cd04

SHA512
2802575c95529d2f1c5cf30bc8b9ca734fec7feb7e6ebe51593b1eef697d503d10aae6884de0212f598471a854a0021be3e89a72699e9bd50835079b057efaa4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
bab1292eb652b466863620ffe7bc554a

SHA1
f73f0847f8b62a829c97e07e7371220ba2b3622b

SHA256
e16fe3f36b9344d01b5e56240c3944c4669cbb8e88e25e967174cc124173a355

SHA512
ba5835080794aabbd8ec0e3cd13cdfb445923e4ec2c9ec008d497dbd2f8fab90c7e34ead839895b2beface45af1fc7ed8bcf4a5c95169277f7ac74e2e6ad1912

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
825d7d4c2dde12e2a0fb4e7bba643ade

SHA1
2fb12cc6230f7271a1f656837ae7fb049804529f

SHA256
a456d10e27865a71df6f351eafccc2a000edbaf590158b50a0eea2f644d77903

SHA512
9a5dbe186452f3f375ae74cba170d7b78684074171ca43db2dfc222470001af292e641e745563df0ca2ea0557c92bac0c0cb8f2ebe5dfa0aa611b06e8428fd39

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f56dc4f698def63f30472aea6aca5dc3

SHA1
a47dbe2ff95f98ecb175f7a3a0b7cf1504c6a596

SHA256
29befb1e1f3d5a2bd19b42bf290fb5bd3d0b03400ccd2f2e1aa67669b19665da

SHA512
5417bcd543dcc4de9b2a2b496b0bcf10ec71c9d108b628775b91c9e83298dd7e98206fab77f9224ad033b1530dc1c7835ce4091fc3309dcdc79bae0c6e7ff38b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f26695db83b88580e6c818b8529a2cc0

SHA1
301846e3225d8d02b9aecf3208ecb9b6130064d5

SHA256
401a76241dad6f4c57f2cfd5b61d2ef0713d3421443e6062e81e4b637aa26bd5

SHA512
6700ff599bff027b869c159b71e9dc23ffed0eb7b5ee8e596562437bdb111ccc6784680ce5b1eb08154292788652772c987c92b39ceff6cd86e08ca8ef71e7ff

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f0938b019008b985943f8f6aad828050

SHA1
97e66a087445741ddfb4b971358da19f433fc5a3

SHA256
218aa6f07d42277e6acd0f1271f4fed305b287b3be026bd5c1e96b70397653ce

SHA512
831a21b926beabec9dec5086b4d135a121f707736f94fc4704ea3512093c9ba29e683a4b630be824c86d1047a0be00bc8397f8784bbd02d6c42af4b3b8391a91

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
efddb7e254b2db339bd73de667e5f54d

SHA1
413117477b03357a8bc79213f4eab439c806b135

SHA256
c85c98fd11ae7fbcb83a09483ef973d4e5bde4596c1015fc4bb75ff4f7e69bef

SHA512
7733ef02c6ef3894f399244c9b996488e8a8431d8dba7d4e130454cdb25af015203b967f80ffc2d49409f9b2dfcf54cf74afbc7a25d98b1688cc899cc00c93f3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3138e5188f5896117837d7c919056197

SHA1
13fb168799149c99acc37fd28c152b0f847d35ee

SHA256
10dcca856e21edda1d11bcaa8c06d049685f3099f431a7abb7ee02606b86b055

SHA512
95c0d2263a1776c66730bcae97c72d1a2fd034237ab44cb7decae5410cc43d080d187bd99cefdd522073aa85fd21201c29a25e840baf50b09f6f5b713f888d92

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
608639763ddb6f7e581f953f57e87802

SHA1
bfc25eba704fee16cb00222787b393c6c1a0a549

SHA256
9ae628180b3aa919a08ec28c2845bb845098c969fd4189a4d6afe61a28dd9d74

SHA512
1e465de9b322880d9cf35b7193e1306eda2f73565735340a581676b6c1083f80225ba74b63212e23172568f5eefca6cf283d82724cdb0a16beda1f2cd0e3eb45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
363f7ce438ab8ca76fa140c28979825c

SHA1
6d1092f940c381079b9da84e6a5195f78b472397

SHA256
71ae733fbf09bbd93ceda1a9aac1396684e3063609a57c2f11b8c07a1144db91

SHA512
934122c256b589f30610a7883787cb6b56627a3c035489213c1bad87496d6d042e027888cc72444e0ccbae7eb763e0288b203bac72cb57d7ff59c7dde00a35b9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9e8d7ce8075f7a2e88b56cdd2167f781

SHA1
ed5084533f44551e731e6341993a931247e9d6b8

SHA256
a7c01b5ec23746fc2a6033c73619bd7b964f9b0dd643a7336c214e4b53054392

SHA512
100286a4f11f58928b9aaabb80e3b031e5d8534b8b077e504316c26b8741aaf2f7ce5a7373cde16e6fa3ce2c3569382d2b70511be4b14f4b5d26155a7ae6c238

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2f48daf12aae401c8d393e79428969aa

SHA1
de68e71a6a9ec4ec2a62f7e8f8a0f15be0d35262

SHA256
e0d77f786a676eb779374a6d18631444a7456980f22b9e9b946bf919e02284b2

SHA512
da574d7b69cfb06c6035f144930c6a42f21cb41ee103f12a76780f6f472c5cf15766a25fff9103b28e2e75ab76f2ade7492579039094fc5c3c6247d0d0832199

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
ffc6ec9b6be9d3a9012a6e7a6ff1e8b9

SHA1
077c443b91d29938f7995aa2a9147ebd2d26a14b

SHA256
72c329937a4fd40fcfdeec3fa1553e053216c3722f718653ceef85e57f74d39d

SHA512
7c1ad634c669c78e4a6d4003cdd76ea309921305190bae2092d9de7bbf8288ce832218dd1d9006379aabded1aaa2cd32fb4bc6f1bbc37a98522ac15871997a31

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
5ae1adece8823f8bdb647ccb7f3a5232

SHA1
d7257917ccaf07f4186a56c1957c46c76a1a6350

SHA256
e788335cd51f281b488371ca6bf167d836d782392ecdb4550bf9aa9b3a98bf2a

SHA512
380bd7bea649e8bd17e38cc00a8815cba951d494c94f9b968ad4dae0b4517c5183c3029e1ed10c25c2c9009a6bd5da6bcbffb5d5072fed23e5fa84cb92105c7d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5c7284843572d67fde0cf71eddccbdb7

SHA1
6b0625c477bed20e90759f99a9d258ce99b24268

SHA256
1dc7345f4b2ff2e533d84dbfb08ef3bf6d9929f763cedf39948c9799184de731

SHA512
6d5807661fefeff905e6bfa28eef41f112a5e12c6a4f87acb0e09154911f5d7b47dff4fcae3c8dbda2f3d63fd711b3d8a2ed7b3ea9d57e0ce4a83d3a146fe9be

Download Submit
memory/316-554-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/316-348-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/396-303-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/396-496-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/468-262-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/468-90-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/468-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/468-96-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1384-282-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1384-272-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1384-340-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1384-276-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1552-257-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1552-14-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1692-19-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1692-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1692-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2180-268-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2180-336-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2272-545-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2272-306-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2320-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2320-555-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2436-55-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2436-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2436-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2436-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2892-329-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2892-548-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3008-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3008-34-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3204-299-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-352-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3204-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3280-337-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3280-551-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3284-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3284-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3296-553-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3296-345-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3676-344-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3676-287-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/3676-286-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4088-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4088-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4088-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4088-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4088-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4256-43-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4256-46-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4256-260-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4256-37-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/4444-81-0x00000000029D0000-0x0000000002C40000-memory.dmp

Filesize
2.4MB

Download
memory/4444-65-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/4444-66-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4444-1-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4444-17-0x00000000029D0000-0x0000000002C40000-memory.dmp

Filesize
2.4MB

Download
memory/4444-7-0x0000000002090000-0x00000000020F0000-memory.dmp

Filesize
384KB

Download
memory/4444-0-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4444-71-0x0000000140000000-0x00000001400D5000-memory.dmp

Filesize
852KB

Download
memory/4464-547-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4464-318-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4600-332-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4600-335-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4732-296-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download