30117fd3a01cb36e0fb80327e00d1160a7353d8226a90ab97cdd6f140179cbcb

Analysis

max time kernel
111s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3573bee9a4285487e2c8fc13759f440N.exe
Size

648KB
MD5

a3573bee9a4285487e2c8fc13759f440
SHA1

9c025de94bcc0af0d72933034261301062458100
SHA256

30117fd3a01cb36e0fb80327e00d1160a7353d8226a90ab97cdd6f140179cbcb
SHA512

628e619a48f8524f02c86e602679c6119e6b9c7fce3b9cc243976605bdb1763ed2bd176bce60c3c3fefb025a7e4e22ba4db56f66eef8e46c34e26f437a5aa04d
SSDEEP

12288:oqz2DWU9eSMIO74u8k7UtnzPgGeB0dPoIlaNyF/ofCVGGfX134R9kMKy:Jz2DWset/HU9zPjeidP1Yi/dGyA

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2296	alg.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1292	fxssvc.exe
2984	elevation_service.exe
4436	elevation_service.exe
2084	maintenanceservice.exe
748	msdtc.exe
4004	OSE.EXE
2396	PerceptionSimulationService.exe
3972	perfhost.exe
1064	locator.exe
2128	SensorDataService.exe
3136	snmptrap.exe
4148	spectrum.exe
4556	ssh-agent.exe
1692	TieringEngineService.exe
2028	AgentService.exe
4608	vds.exe
1232	vssvc.exe
3084	wbengine.exe
1396	WmiApSrv.exe
2808	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\System32\vds.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\3ff9deb777a2071e.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\locator.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a3573bee9a4285487e2c8fc13759f440N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82640\java.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	a3573bee9a4285487e2c8fc13759f440N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a3573bee9a4285487e2c8fc13759f440N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033768a1085d6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d73c81085d6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000db1851085d6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b9ceb0e85d6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062b0a41085d6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009d5ca1085d6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d75e40e85d6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe
1568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4612	a3573bee9a4285487e2c8fc13759f440N.exe
Token: SeAuditPrivilege	1292	fxssvc.exe
Token: SeRestorePrivilege	1692	TieringEngineService.exe
Token: SeManageVolumePrivilege	1692	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2028	AgentService.exe
Token: SeBackupPrivilege	1232	vssvc.exe
Token: SeRestorePrivilege	1232	vssvc.exe
Token: SeAuditPrivilege	1232	vssvc.exe
Token: SeBackupPrivilege	3084	wbengine.exe
Token: SeRestorePrivilege	3084	wbengine.exe
Token: SeSecurityPrivilege	3084	wbengine.exe
Token: 33	2808	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2808	SearchIndexer.exe
Token: SeDebugPrivilege	2296	alg.exe
Token: SeDebugPrivilege	2296	alg.exe
Token: SeDebugPrivilege	2296	alg.exe
Token: SeDebugPrivilege	1568	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 4768	2808	SearchIndexer.exe	112
PID 2808 wrote to memory of 4768	2808	SearchIndexer.exe	112
PID 2808 wrote to memory of 1852	2808	SearchIndexer.exe	113
PID 2808 wrote to memory of 1852	2808	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3573bee9a4285487e2c8fc13759f440N.exe
"C:\Users\Admin\AppData\Local\Temp\a3573bee9a4285487e2c8fc13759f440N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4612

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2156

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2984

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4436

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:748

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4004

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2128

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4148

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4752

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4768
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
426dab1fec734f592745fc07df5f267d

SHA1
a8ab2cfc6e5c220d8bed64bf60642e0769d1d9e6

SHA256
49d459ce47ba90e76b3adc8e6945a5bf8c9e00c2c9ef22c65c1956373142aee4

SHA512
aacbeed299d7ad4fe122b64cc1c8c6cd4e451d6b3ed124472c561fccabed41cd154fb6ad8e3a66ed2c19909bfbe0744fe2f2b6e79b6e544272b1a68374c24293

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
67cda2ddcdc79dfe06a03b526bd359f3

SHA1
44a4dd60c544434a8a68fd746979df9726b57b62

SHA256
841f3a37e8f7ed48d36d905edaf2e388e4b1d005d5a98147f465b503604eaf6b

SHA512
e69e314dfdceaca1fb37459840b6ca463e9073f5df43f6229f4f7af7b6bdbe75c434e6b375cf5a5068b9a9f7072b50e196f262d97097c0a0882735b7038b1a31

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
388c1e462eea38ba52a4f861b2a32bdd

SHA1
fa9a0dc94c368b0f6de8d0dae6edd8d2769b51da

SHA256
a1f9f3b85728f3a1dccaeba6d66f632a1ace549f007c1c78909241a99ca7fad7

SHA512
b3434e3d0308d62410b69448609b2d96caf94f2e85f65dd9897e604ba9112b58e3531e51252ef91e8bae8752ebb7017e893ec0b3bc10be31be616e05bfc6ebb5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
415ebbf838976def6ab409f0682f46a1

SHA1
b0ac1580f9737dd0c9ac80e482d1efb6958f708a

SHA256
92e7d869ff45f1082f74279da41df158d6fe72affec6e897f6e83f17d82c1bf2

SHA512
8ffca8fa72903dc7cb1ab4c59585fcd1bc5dd97d560817ff368f1a09f435e83776f76730d523d6ecea128e373d6318fc05b1d912160284a0d0fd57eb3adf397c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
95ab9d0f3d6256a4835fc32769fe8cc9

SHA1
8845f4df83de1f8dd00c6aa132ac897b0f3cff21

SHA256
50db5729dfd0b093525cec810236651671b6f9d418567962d6d6a361f94105b4

SHA512
40018c7d03f0147e62cb08c532a7c5b1996f1dbdfea1c3acaa44c82e8decb3ec0d64cf28ca21de6e4cc1fcd5f3de5ac3647a718aa632dd062340ccf8a48ae7a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
df664e494665e80a3896e80f09d93287

SHA1
184ee989b0b3cccfbf6f95841f76acfa6d8b97b6

SHA256
5b297e6af8bda249182bcd6ef0fbdb41ab29eddbe4eb6ff65fcc491b0ebb1105

SHA512
f51eaec8d57000c0f8ab25f844ef942f053d66751a21e944c3d70b710c9cd338049c3913297f72199b8e79fc03eb85ffca733556eca6ee8386efc0183a48d81c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f3e2f2ce00d26b3d65c1a37f912722e2

SHA1
e773633cf2c863cded7ce8d25cea649bc7d20e50

SHA256
47cbe27bff25bd6994a8027cec9b47a3ac58379620ab5ceb8df3dc71c4328b9a

SHA512
1a5e6bcc9aee4e32ec80627b09cd5a6028d41e02d762c9c84159b5c69fd86a1d07631eeb463ecaba9de7515083c1fca5a0b72438c772c8615ed7480003e7824b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
399d8fe34397db969b013d136e235a24

SHA1
6380b86cccd5b5a2adb84db35a48e8aa20dfc381

SHA256
17c7b69e216258a8ee01efe09bc332f8a40dfece56fab072265a084b788a88d8

SHA512
c21f65780984296fe44ef02f8185ca8b359acf7f606e74beb8c41e0ed034dab37ea19e72a02cd7bb023cf113eddabc8c707c71d3e5b7012aa432891230b926b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b20b463f0e9105b8c1b5bee45b86b27d

SHA1
91554a881c8aa5e79ff98e13445db27214df3e0e

SHA256
4cf592790a677098608fa0fe084074d89d36e5e2643b2399df14defce4ce1c03

SHA512
4d638878bd1820249bf75ad00d2fe897553c19f9e070ad4c3360a66a320c8949c0368528b96a6c56ad01f9801eb640a387ef691acd97cc1ef9ff40f8b1c264b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
abb8dd6a7f5eb6a0c6d02ca6c7369154

SHA1
2cab898efab31dc217c5367e62307a4f2d03bf62

SHA256
b09f0b6ed4ae34ab6df0b12f9e06f0a76f0f9fdece394224a60015c5039d3143

SHA512
39ee7d179ab39006fccc33d7d1500710642a3431bc82bc945c1f61f0adf3563f05269947b3f9df2489bd4c6970586171f353ba70dfe1d3d65a9d1ac3f4eb9214

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f8d18bc28fbf47204997d0e59dfd76ab

SHA1
ee578aa118d2f7fb74d87f24ca60b4814be3fb2a

SHA256
209b076753bce9e4da740adf4337b4187a17ecba0e50b23c51df04ccc2d3980a

SHA512
2c8e45e18cbac28e7ae44652d7af26b6a9b843856674f594880da3af077f205fbfafa7f765cb9bffb9cb5b3078018030915ac47a49c120a0e091625f8509f819

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
76e5bfa75afebd9656ffb164ef2d0224

SHA1
0cb082e0a4f3faefbf1a22fe26d6b78dd46c3257

SHA256
1fea67e753666646efdd9c074891aa23b81a5dd807ee038080a5dffd38219c8d

SHA512
2c8227767f66285b1ee84e9654fd212d761beac0b911f5a069b946870080f82e15bb797a9a02ecaf2c1652e1898c768deb240f45a36add0dc962a0011924669b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
df135c2be3382a57b8a0744ef7c9dc05

SHA1
4efe802c2d130d1ec41eb7829ed966c54663f1a0

SHA256
1f522f184843f46671923245d8f78e08ce06792d23e4c37fc89148ee6f69d7d6

SHA512
a0ab266007929d12c6e0a83ca7d9ac9cefb22e230cf3da142f26f8fedab02ae7861192762cdb07de8a71d689fd69b9421a23a93ebe7ada8b4345c77d214d4e2a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
0458c40a01649a510f1ce5ac5b639db8

SHA1
af1a9b45e8bd39793a548b039c92935149acf21d

SHA256
e7d5eea203a20ee6ad0846aebf88c54b5e49d8307197e48792bcc277073f18cc

SHA512
7ac9b1f30a658a05b2ebf134a595cac84108ba95f4acee0dbef4b798460ce76818a86c73f4f82d43a642f81b2a5cf602daf479984d6d71d190784171e008b032

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
02302bbaa98f0163def99f6c31866a1b

SHA1
833e88ccaa52009bcd8fa7d7ebd895c390125043

SHA256
d1f79eb45b876b04bc694970aa1dde2b5ee61a1ace36bfd5320e4ab11e2deb6e

SHA512
e494aa063ccb613e20703de866e375fa1008da24c1883598a9880c13b1cd79dc38a092867ceab6a31b2d984bebff80ac492dfd6a054ddbf8d84e80be19417e9e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
fee3517f943dcd68309dfce4bf8ff968

SHA1
f592a2a1482a240ab9856e45650d1a31d74ebfdb

SHA256
1e66f0729e17e0841d6e6e8e7ea69b3c0b79a2dbca7a48ce6d697465bcd9a9ab

SHA512
9cda7f39c1d56378903a9d6891aed5a4385e88374398525985c90570d4d206b1f7c654deeab44a55a7cfe1f65ab5232fb8fd09f4930f68c202f73799dbd4bc88

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4134757c6c90deb2c838c78621dc87e0

SHA1
cc54fb5f20dfd071be079c8b4aee3305eaaf7081

SHA256
2186bd9245a490e529de910926e2cd0afafe80fd7e70f00da6e4e7c06833be11

SHA512
9fc40575db1b0c1913aca74c2dfedfa44a83f7d5691a58b4d8594a221f0bc476141c362343f3f0c64378205ad8c78338c6459f047298bc77988d1bd280e76053

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
a2d06380a67247cedd05cf0dddd2316e

SHA1
010c6c5a4285aea8e0bd9dacad0439dd834e2f73

SHA256
e86b75ae3118fdf0c3f0d9d96fd013cb10395edf5b4877d2ecc7c9e52655a05f

SHA512
574868f9958d732c0973b997c202cc1a3144dedd3ef1ce85063ad39431e5705decc801ad55fae8bf46cab1e8731ec2b1ece65f2f3f9691e5ca9343b048548717

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
f8e46fea1614fa168972766e2911bfce

SHA1
ea43e4fdb4696126ce9ff6714e71daf55ecdb5c7

SHA256
252b6b99a4dbb5cc5ef8d29caffb4246c08fe3fed8b7e9f29e44981b556d6fa9

SHA512
22394ac4909c9954f51e4d648191c108a8621e05f9006534a769beaed3db89d284bb9afbcd758baa66302dc34b690b7341847f82dacc2da0158f86ca6360a342

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4292bf6b0e397b193529ec322b60d640

SHA1
233046691a15208938a72eee0fa326b1d8bf09ff

SHA256
e843ded13e541395b118e185153d33278a86527d92539891e8afbebccc2fdd47

SHA512
210c86b9a55072b28ccfd5ebfd44705521651e7005a9aa942abe29bca8fccdf6a351665b2a3d61d1610044ec48a76d59a5472845b0328775b502e1c68396d685

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b81ff27de4aa4d9884d0e4d2b880ed79

SHA1
f4f29c0c89107072e9e7f3deccced550c68abcd0

SHA256
515c62de3dc79167265898f0be510e0bdc6c095c166c19ce10a9f326d127b550

SHA512
80d9c08ca433ab372c354f6deffa2fd38c2cb2132afb4b510b476db0e11c3e03b2f6ec44efdc0f0e121828c91b76a77658d34fc00bfe4d9d9c7504074e778199

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
98a8ce5c27b2afb2bd70c210f0595c5f

SHA1
e6fc70c42427ff59459c211181a4ecb01ea9f42e

SHA256
f04824fdd0f68d64486b9bcf18439deaff63e1456daa5d7e51eb57eb3b730c88

SHA512
fd85daed2fec2758a471ccd56d55cb2d12a2e79f0973755fba2c15bae9cb7bbc825590866370769fb4006631f33ef6ebc9015ffffb2a57fb8e652dde58076e16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
916721a80865f0b1af0e42e84b070caa

SHA1
b66a0ca50ed45f4673a63fa9f30e9159600d7c74

SHA256
acf88779af80bdd12cf803a0453052ab001e69a8d6f6447fd77b09e6240523a6

SHA512
eee9eac992d2b5574e25b258f4623282338f94d117cf12806b75a5444e5243919f90b01edd96ec4dea9f1ed52863a47ef3f42039873052e454592df8d45a7f3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6bf1f1891d471cad42cafceda3e58c0f

SHA1
6611e4bdd029cabc1129854269c6ba0b8bd4fb19

SHA256
905605fe85e416dde0bb27f9957ba13fe26d3baa6b8c51a7d45fcb986a80e225

SHA512
d68e37cbb8c35666ade15bb27e67c39a06b0b08f387342d22225e1f42ccb69933b02ffe65c6c44f0afafcf493dff6ce8deb6f2351dc76a9f9e9b1d7a288cdf13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8a81e181f89eec8bafbdab6808923837

SHA1
6b14d69367eace7d342f3ee7bd4374f22aae167f

SHA256
6b29c3a454f81a22aa1004a20fae66458d6090d7297db0ea91b0623d154bdf2e

SHA512
76ae6ed9bc033b661d40cef3bc274a773b9e2b45905bbc6d72dbfd5cbe1574a808bbe16bdbaf45d66215a6ac7a5be342514aaaddbc44d38f9b6739fb1c6025f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8a0e33898506f060f5cdc31924a19800

SHA1
a3b8d55e06aaf8d1882ce72bf5acefe71ae612a9

SHA256
ea4a2a2fb7e2e25e606507634cb0482925c0a6ad255adf84319fcce0de3e6007

SHA512
3942269f51e62f085192127ac410c53ccf70abdaab9ed730838ab1e6fd3c66b0578e755ff5fb20373f47ce40a988d7532a195446271b896faaa11028c4e7fd02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
911b5b4cfadccb8b6b7d6b67949dd0aa

SHA1
67492fafae87f0b14a8a33ac2c50e1147d7b3bb7

SHA256
d1b77d90687101836a339df37d2f7d45fea903b28c97b28ba8dd55660111f7f6

SHA512
82972cb68ca68fb64c9794be3781bd9c59f6634559e93bc90b2d662d006c04d076248742297309962f26319cfe7916c7c5f5fc6105beb060c464d31c36f126f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
cc5c6baa6e381e5c00f6a4f856acd0bd

SHA1
c82ee9b2b5652b06dca303a4ee3cd3014f1bb37c

SHA256
55b77e35f7b4d81ed084cbba9becfa8c90a467fc61de25d95450f44980479fb3

SHA512
8ee88a48e4abfc24c6f20e3d7a8b9ab6816f801a1fb9e857388c5f96c0a6f971fd934582addf3c64a9cb4416d01e6a00f19e9c9b75bc03587cc8daf0540a518f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
3132f3952be7f93c317a8bc877565be4

SHA1
fbeceddb249f0cd110d9147e974de943af1cec6f

SHA256
bfac1c12d89cdabfe6f46e0214f580f6af827186790c8a42929d796a55593af5

SHA512
774537dedc0fb4f8e5b5f5242e96055449252af084620f36a34d63d16be281704d00543c8ab80cc96b79fef0d73e8f769ea78955ec91a3873fea2d46a23ac435

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cf5f7414888edfd7d04c96606b1e2630

SHA1
576ab46f5c0a7b166532cee6e06c3f0835e6fb6f

SHA256
a830a69ce0150a55b7dbc5ed13975102ebb61b97746b98b51663f5933d6c1e2d

SHA512
b95a726a3300cd656f1dc1319d1d4f70059324756fe8d54b4de352c9b88e7fb84a34a37b7d7dba93c3969cfb7b6e4b782afe043e98b3933914b33c9d5927b452

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d2a54363987b3e5f8dd4cfacd850d469

SHA1
45239ef8307be754aa2964e1bf35156d788e5eef

SHA256
6c4caaed2c9428b4d9633282bbf023d9675eabfa70092757b7bfb5ca5412d8a6

SHA512
60241d4fbd4a1352670fa8fd7266a310983f18a90ed1e41021cf379bb02690a8ee3a6bf6984dfaa57b0d477cdb27d62489da936670ddaf31d2a6ded262e24f61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ef4d68bc9e2962543dec6a34e6a96230

SHA1
466bd9617ff4bf5b1fd2e4b4b5eba5a39902f4b8

SHA256
e6bed3a2c51d813966b3975249373e991d236c1874ab869dff48c3a692a83af9

SHA512
030264e694dd52c80dbff4b6d39a6f4830424a6ad38b8d16c15b2d765a3f172e729e7df19ce8f6e68a5f07f3445f14a230f0b4171950c1ca15fd4386db0e1134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f4e6bd6cdcd2acd4a6a3a004706581fc

SHA1
1edade8da19228878049b54e310f1bc2a69c0a13

SHA256
1c59962e5c0d5dd62c9fdacef7e5ff389cd2955a15d0ad3f48e284d409566e12

SHA512
0ac865de349052a50efa4eb316340f527e419340a942505dd0ec13d8b2a430a8f83f60dbd10a35fb93d7cf6592cdff18f01360e0f0a67541a312ad7b108fa218

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
fccb3a63193b0f6f937d668a555ad4cc

SHA1
41e460ba9973988b4ec885b504373e09d43e0479

SHA256
8401a38ef79367556b49644ceb14b80d4d0ae105b1830e5c6eee85a354d74ee2

SHA512
da09903e28634e2cdfa2a7ae3f326fd36fe2710e169c43eb49750c168506e3b42e213128b438a30b79fd49dbc5939ec3a1d1dd63e1990d3fa0f1efc99d893ea9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4181bc4e2eaef7e2e4740d6598c78a35

SHA1
c701bf815827620832fc99370dd47b108bde5e0b

SHA256
790b34ae18f9924ed184409b7ac0412ac78fba02c39df405bb4e1a568092354d

SHA512
4dcf0e0920155d7965e07339cf6a91136b3ccfcfc13468f1df36eefd98e4e8265b339dfc355a2465ba29992b83df607eb7dfc7e0c6511550b831efe1573bef67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e954b1e754049a8166dab79d7735fb8d

SHA1
b49eeba004fdf1a10c9945a8c2a1805cdc1fe567

SHA256
4188b039a60a042dfa309338c2d6cbfe1bd0362e0593f5d94c6472cf5c149deb

SHA512
a2c099a99a2756be7d97ebabbc5798577f7573cefa8e196d62146c47ce2985c19eeb4ad2371449ed6ea8f64fdbc4ec980056e29fb35a5a07dd8ba00c41549a30

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c46f7def0e073a9a84ff48326a182fd9

SHA1
e11eb8ee8851aefdcd09bf10053f339a61bf8f72

SHA256
3460adb6d046c7105910ce0f94cf3342732b7cc753f76e2946ac7acdf3874121

SHA512
6eb3e33b683c3195ceb6212403790406d79dca759137496a1178e43bc698ddcea886c77acf9e8a5b01b124df5c35bfe575346da72748712560173c9aca394089

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
abf7941c01278d013b58a67d8ffcb080

SHA1
c37ef0f23a53cc7267ffbc44ab884146464ed8f8

SHA256
2dd3675e1527ec3a1117d5c5e7881ee8d994d578a485ec148fde3bf3c9545363

SHA512
931e06ddad9fed326d9d7e4700b02dd8b42fd1335250998008185cffe6395075ecc866cf1cb3d1bff3754a09b350382f5ac65b82d314eb831204f043b2a97afd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
985c4e56c61b72e2ad69c92a02249dec

SHA1
92096ad59c7d3f02c0a1d90e2bb08b4831a65fc9

SHA256
260c5e0d39aa6fc808c6c0a3c17a855cd7bf58634dc87f74ce20afcfb3de2aef

SHA512
ac22a9e45625b6c4182919f46b08accdb1ecb020465a944174a8a939f7a49554521318a9c6ab657d39fb6a086b964a62adb813a17d7b9a8b86577b061b934f40

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f6d07a12fd9d77af3fb6ff745e6ee145

SHA1
0c58963a89de135596f1a69a4713ad29db89a2c3

SHA256
81cc5664b7843e25c663bba2b1df03e841b9e24c1798af32736e5a7125d6ebc1

SHA512
a9fe741093b07afb6dbf3fbde55eda81af41623265a2b5b24770139793ca841f3862e9f81c73cc9be257733598d5eeafc0c4874984180a3764464353d548cfb9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5fc1bc8926970926a38ec6d0cd866af6

SHA1
33dd6890553558afaa4db58ab7499218dfb8afef

SHA256
16f59947b80fa986ad806b467c5f80e6f6e6556b628f9f96154ebfac6d7540bd

SHA512
6358053723bae3d923045bd37ae060b705f5310b4f5852d7e009df425c81573c2692a6d31a079d43b1c3205199273b807f09421091880ea88c0bec3d87e0c864

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d9be217ea22a34cee6a205d1495fd6d4

SHA1
72efc3b61f02020e0dead615b2ce19f28faf7184

SHA256
2d9b9b9896ab2eb2eb81963d80b891ef56ce970cba6b8e4b4e6a6de4689c4e2c

SHA512
a09d88dfce29bc4c878dca9a120e87c59b8aa6f33ff3fd29fcf653a2823444b4171226cafd66f9880e58bab2d2526e2ae9a4f8368da7ac70db7770e6f8083b7a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
451fee58f0b28451c2dfbb7dd629c7cd

SHA1
1d55eaac26e656aec56d4777dd9f48b0db3fe75b

SHA256
4005d83f8cbca0ceb14f34ee58ed1e9319293e0ca527d76ed7bf960e6c01eb2c

SHA512
bf964d5f6ce5d6eb3610de49e87bdeb8f7de36aac49e799abf27286c63a62c83e5d7134dfaa032389a6fac9b0984447f79580cbb908748d47723e5ec75b53217

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3984a8fd789009b2e889db12554415fc

SHA1
cf0931a9bac32247ecfac48dff1f4f280880ab2c

SHA256
42901b1624d4fab813169e2eb94b932a26b622ebde89e8452514f911da3d9f72

SHA512
7e83ff4be3885352e303cd87b69ea873c00a127aae716f04ceffe903f506504929f3655852fa4f4b877aa06cf4782eb5c9d5288b25c8bf1bc6e825b628dc2665

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9751f3c9832a4cdf72183861023c767c

SHA1
707099a029a451cd74d4d43da43f3521b347376b

SHA256
ca56cd9a78ea85ad904d24631b92f65783f3167b354ff1c0d8af597613e331dd

SHA512
dd6ff9c3ef0cf71c08c5d6f7142227578a49c34da8df2fba5bf2bdc185645c71cc2b2832b03c557b10ad54dad6d8818ca622f834b3349264b64d122000044c90

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
07daece2783d296d8000cefefb5055f6

SHA1
653bfe23f7fc260ae25296b6ac29f8ccf5096487

SHA256
d42b982caf8f8eba9ad5f58a024ee92a1d0f9d88bd8f0a3615e5291719630903

SHA512
e82cf5fe7050174c6072653fa65d675dd17855e506e64dc743270a85f30a3dbc7665ac36d7c5a02e3af67dd1d60f07f57364b01b65b0c547ae6fc97a295f4a7d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
96c24c25052e86316c15e2ae050e1b00

SHA1
47ef5380f575d4a98e822ff213c18bff4f408506

SHA256
639c5cadff35bb2e14261719b3a34dec52f7130151b4eaf43c1cdcb750ba07b0

SHA512
cd560d9fa83c7d52115dc2f136d7c31fbf1820e13e0a315caf9927c2ba95d002b8ef234dd32ab0af6dd0ab4cfb14dc4aaafcbad9db1dc3202da488345c6fd1f7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2554a7be98edc23a147304e4ef517785

SHA1
108a5d97ba3ab21186c3e279a2648c02ac40a474

SHA256
bb8b1408343bfdb966163bf517738ccc0a0ee88dc8bdc74af6e63bc3e82f2210

SHA512
5e553e5b398ecfee8d91d7f807342f044164245b19c113751d557be28bceb48a1b1f0dd43276bea6606c57a0807cc1865cc8a72f80492249e826e689c9b63c75

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9557ad9b0a803593a23dff94f38d5902

SHA1
cae98aa09f97030ac75ce920b36ac072b4ea18c0

SHA256
77936d4f40d297cb2805657f58f882e7580e2266bdf8a3a346ae4f1dfda5815a

SHA512
1f99a6a49e5fd1507e67477d1c57f7de6931586ccb29b5c2478d899406c73d71fc823c357336a9e3bc3357ac1e8f1f3a0973a5f0305ba148240f3b59236d91cf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
10bcf4fa7d3dc715314c06b615c29328

SHA1
80dc6c58371844a07afff4f1f2c59855ad28486f

SHA256
dd30f0cc549684461f0c6948ca566a2031eb9c03d81f9b00f3ce19b04bbb7516

SHA512
96968b27f829948fc43b4b134e54721a2782ff6861b0f05ea4652b356bad03461f9d177bea6af4e8dde0f2bb2b81aea3ba31c67bbb9c8f390d57d16aa98af5a5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
571b844b464c3b9b5a642ccc120949ab

SHA1
9daec8fe3fb1f265682f8f07cac7b5f96c427d2b

SHA256
2c6266cfa7c17bf2efa2ee425fba9f8cceb93f831ec36bab5ae28f533b919f12

SHA512
70fc403197cbcc1cb56cb650d8275b20032c7169a535ad9197e8e8c8734a5087ba5c0901ba2258be0c0428086cd44164e1c2c42d7f871b32320dddb72d13f843

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
08900e0765eda4aef50d918a4b931f2e

SHA1
e69e532bb489ea3d183b78a94f718b206c6b73f9

SHA256
009e0cf1287c1d79bac02a01c93ee5dd43096b959fd31c98ef558e596cd26de6

SHA512
8724e44218edaf5f4b6f11e2c0aaca683d2911fbd309061cb07d7bfb3be55e9f3bca6324fb1898cb1334b354520427fad223b29ef3e597f00bc0cf00656f5c4a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
69e3211af8370e51cdc440006ac214ba

SHA1
220eefba4f1cdbb8cb6c0e1eee8c96d58b07bd4b

SHA256
bb764c1581c5031c90e30bb4262f210bf0a5edfe2efb0030f4f34835c3fb66ff

SHA512
8c45b5b7420e30fe1a5e7ae5029b7558a32256acb0c083d7bf8913ac778b8df214678249a53a6fd26d7c45a4316a26ae89fe2fea22f123860c541088c3942031

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a70c84017ec29b760c7892274f6e95a3

SHA1
481a0503bdec284b2b21f799cb53b9986630bd23

SHA256
869eca134412d860e1c6c77d86cf4b76cdff57097ff64f1e868fb374afcd2b20

SHA512
5f9e6837ed6d84eb769d463733cde9abfef47117975615eb85483ca9229e0fe93c2195b04b6a1efa5c807fca38d2a5dc36d9a32526019196d705d8436faaa45c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a39c0896cbdde5171bb6a652dae2f19f

SHA1
ff8ae33df86e2537de2628e8669f8730c461baa5

SHA256
36830f31486fe25bd653f23401f76bf7059fc9ba9946557999628b33af6fd1aa

SHA512
cbf2956d0a125d40fcf37a5986272d839aa7636bfd7e042e706cac310ae5c6972cf65cf025167c6d5aa2c75f047725f8f2dde152df126756189a56f7990b26fe

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
003e62b2ef92d03b34ced32c1ea1694a

SHA1
ed82c5acc9b9d8ead233edcc8cf510a7de1a5e4f

SHA256
14cd975bec6c785f8e34444aa73c4cb9fefdd0a5153d130f2b2c15253be16997

SHA512
28930dd219da11ab88b2b597b031a2313d209ffa20dba3d17e00fa70791a602dfb163843d2d8a4467aac86cdf12cd3f9c5dbb22590c2018be7a53d45def51076

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7668a2ab9ebec110dfb5beadd9b8bd85

SHA1
7a0993f065d62bbc6f3703cfa7c116733713a35e

SHA256
547a6fbe6b3eff660b97bd3a066c8adc3182bb8beb88b4458fca65aab29358a0

SHA512
ff22fa8ec3ca6ef484d2f4625ba4c320639a1fd671623206824fa36f0fb733b0817ede95ad63f860d3e77c356f09f59f90951ce466937456ce606d0675d3bef0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5047c3a0a68426b61d0936d0b2597daa

SHA1
9cae75ac4beef77301fce383547729ff83e9183b

SHA256
d5efa8b2f67e52aff936c5e352e01b76ecc7efc1896b51857ec28bbbb575c57a

SHA512
b2060fcd5a5242635a277ce212d58c97072ea20372e5676a2fc0df1ab1d102fc20dc737e38f057a41910676e87384e94d81ca86ac9a2b04152bd1cf7b06a4adf

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4223862f621783c6a6dea010f84492f6

SHA1
fa00dfda3479aa4583bdb8f47db0466815941374

SHA256
3ac780c634ebfe6b6299b6675fbc660c8501f031d4417db567c65e7332316d10

SHA512
d5f14d0fb92ee56243227ff72bf5dceb892c63bcc39eb860aa6b50abf4e4f814ed80c7649a5091f6b105c450b5f357d42c0d3bd9ada4c320486a8c8e35c8a667

Download Submit
memory/748-214-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/748-94-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/748-93-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1064-152-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1064-265-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1232-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1232-620-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1292-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1292-40-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1292-64-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/1292-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1292-61-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1292-46-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/1292-50-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/1396-266-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1396-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1568-143-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/1568-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1568-36-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/1568-33-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1568-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1568-27-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1692-211-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1692-616-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2028-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2028-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2084-77-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2084-83-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2084-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2084-88-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/2084-85-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2128-615-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2128-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2128-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2296-108-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2296-24-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/2296-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2296-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2296-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2296-120-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/2396-130-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2396-241-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2808-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2808-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2984-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2984-178-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2984-51-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2984-57-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3084-260-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3084-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3136-476-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3136-175-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3972-259-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3972-133-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4004-115-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4004-229-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4148-185-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4148-562-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4436-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4436-199-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4436-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4436-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4556-200-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4556-612-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4608-238-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4608-617-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4612-6-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4612-570-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/4612-566-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4612-92-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/4612-0-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4612-9-0x00007FF993A70000-0x00007FF993C65000-memory.dmp

Filesize
2.0MB

Download
memory/4612-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download