e6fe2165734c5e57f4a0363a3309c1a17c7df47d6f008114713297300464e6e1

Analysis

max time kernel
118s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

743c5db20b06d46d47932233631fff30N.exe
Size

625KB
MD5

743c5db20b06d46d47932233631fff30
SHA1

299d7084fb85f43b095657fc3c6b3f784168ed5f
SHA256

e6fe2165734c5e57f4a0363a3309c1a17c7df47d6f008114713297300464e6e1
SHA512

82ae93175b49b7cf5b8ae07ce6c9879deae96fbe2f8a987388628638442da6fe612da8354373103957f9ba1c0fef3941de5d10bbdb75342280c733efd7d65d89
SSDEEP

12288:j29+3Dbif4YAJ93y1NrLiLtJ8nBxu7DCOzRq8DvQgqAbhIP:S9+Hofe3y1sInB2COzRq8DvFqtP

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1000	alg.exe
3896	DiagnosticsHub.StandardCollector.Service.exe
4676	fxssvc.exe
2936	elevation_service.exe
5060	elevation_service.exe
412	maintenanceservice.exe
1116	msdtc.exe
4288	OSE.EXE
4640	PerceptionSimulationService.exe
3836	perfhost.exe
4016	locator.exe
2348	SensorDataService.exe
1272	snmptrap.exe
1600	spectrum.exe
1620	ssh-agent.exe
3000	TieringEngineService.exe
2020	AgentService.exe
1388	vds.exe
4832	vssvc.exe
5012	wbengine.exe
4060	WmiApSrv.exe
4772	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\41a8dd9b357097ec.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\System32\vds.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	743c5db20b06d46d47932233631fff30N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_100609\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_100609\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	743c5db20b06d46d47932233631fff30N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	743c5db20b06d46d47932233631fff30N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed272e59b5d9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cfb6805ab5d9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8012759b5d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027f6c45bb5d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000646f7d5bb5d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000007ba45ab5d9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a8a3363b5d9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c18c1159b5d9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bbf1b658b5d9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009efb675bb5d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3896	DiagnosticsHub.StandardCollector.Service.exe
3896	DiagnosticsHub.StandardCollector.Service.exe
3896	DiagnosticsHub.StandardCollector.Service.exe
3896	DiagnosticsHub.StandardCollector.Service.exe
3896	DiagnosticsHub.StandardCollector.Service.exe
3896	DiagnosticsHub.StandardCollector.Service.exe
3896	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3580	743c5db20b06d46d47932233631fff30N.exe
Token: SeAuditPrivilege	4676	fxssvc.exe
Token: SeRestorePrivilege	3000	TieringEngineService.exe
Token: SeManageVolumePrivilege	3000	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2020	AgentService.exe
Token: SeBackupPrivilege	4832	vssvc.exe
Token: SeRestorePrivilege	4832	vssvc.exe
Token: SeAuditPrivilege	4832	vssvc.exe
Token: SeBackupPrivilege	5012	wbengine.exe
Token: SeRestorePrivilege	5012	wbengine.exe
Token: SeSecurityPrivilege	5012	wbengine.exe
Token: 33	4772	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4772	SearchIndexer.exe
Token: SeDebugPrivilege	1000	alg.exe
Token: SeDebugPrivilege	1000	alg.exe
Token: SeDebugPrivilege	1000	alg.exe
Token: SeDebugPrivilege	3896	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 1156	4772	SearchIndexer.exe	113
PID 4772 wrote to memory of 1156	4772	SearchIndexer.exe	113
PID 4772 wrote to memory of 3528	4772	SearchIndexer.exe	114
PID 4772 wrote to memory of 3528	4772	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\743c5db20b06d46d47932233631fff30N.exe
"C:\Users\Admin\AppData\Local\Temp\743c5db20b06d46d47932233631fff30N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3604

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4288

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2348

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1272

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3000

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4060

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1156
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
250a1e128374025477d634fb5825dd64

SHA1
7e173e7f580ff56e83e36eaaaba9b79eca984d77

SHA256
7c9a9d846d32e9e05a9f1c49c021c88e718d1b32a49e159e460a4e6640746f90

SHA512
54097a53f247c1bfe8f14f900608184cbd81b1b5278e4158135518e4a277c6f685dbe14f491b5ffc7ce14e564eb36929f0029f3f3e313127146c65f11f303da1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
1b5c1a0d54e4eed06ed945a0ee3bfbb3

SHA1
53758a41d265b3358e8c852b6bdae1c487f8c35b

SHA256
1b724c6a47ab2b88d7edd8b5661a2c7fe73a40813d2458b30de4dc3c050ebdc0

SHA512
dc9c3bc3f4c8cec767a2662fc1db13dc041373e39d6fc12b5b043597aa99d61ed9e85bc8e7203b961a33ee6a52f59b4976e20fb09782eef42ef7e66c4d013613

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e4359d2dd16aa226d212ad120935a8f1

SHA1
7ae1e2f1e3515f1779f7bbfd95d18d57ae94017c

SHA256
54b6eb949c42f2c066dcdf082e29d78214d360fba8a24cfc67c36ccb2b5054cb

SHA512
583b73ba42cf177c885aa7c004d13a54e2b623d517e3192ed575845567ff939ff9e1760a8e36dfc1f2ded8330d37a8a14dd2250d792027da91b9a533d4dc6004

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e078c2da1bbeb47bb5588c9110f8d008

SHA1
e02de66361f9c9744fc13d77e8938db10992067c

SHA256
70a9528f0c9129e4ae28a5406646199ebb1d83c74f1a336f7c5b0754e158b5d4

SHA512
df710fcb4e255418d3334e7461d0fa56b2e85fde8daf611ab418a674ef54ef706c86ee9b0dc3503420defde08d6bb5a82c5da69759c480f2e2e68565b650c816

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d6dfa78469ec3cc2fd831434f19d91ac

SHA1
3c87465fd1a3525d2387ee480500a79ad44f3b7a

SHA256
a4160d6e39ac801a6edccd8350231a302cbeb064231be70ccd440299c3750df7

SHA512
5e1c98505c715d60355ea6e86d46beb5bd3ef716a159fff3b8852ea6a50e224767ad97c7610f5b557a561288ad32bf34edb2f9278386d0a40342fad5780f8184

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
f962ce184d0a768720ab02a07edd2423

SHA1
32cf465ec330e8e237ae8c8b568d114641ccb94c

SHA256
66ffccb119b5aa9ca21f53d62ee2389dd99dde3fca40ddfc8947a50c063fcd98

SHA512
fb2c119a04f46e3c7b565a113b5e2cf7cc34a5dcf3ba7f6e40c52a17a076e49ef4fefcdf20ff2a544df5d5732111846acc1f5b6fbba1b18bc7a5f00c615db95e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
155c1e3cd3301c42d6249189654c4f73

SHA1
6a9da5e22d954584fffd0091d6661462fce30f42

SHA256
23ae66e76dda2cfad17fc5296431d4985d705ad5a7b9f9b981ad403e1bc17c12

SHA512
4cec07c02d6669cb1e3bf0839d6d15aa2e9f7bdb377e60c895a37c33c8b5007a80d25de241e70a60f9698c3e67bfc1dbcf8e12124adfa559e69fd64a9594c17b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
92de692778d50fd2fb99da0dc2e2948a

SHA1
47f3bdbac3005039cd0c27b2051bf867aa4c89ab

SHA256
6d8254f99e675480d263a1b370544a7e0fdfd017c1930e43b4d4fa8d9813ee43

SHA512
ea6352a26862ed414013aca3cee5ab72c436fd6683fc785505956f6e7ff02d81884fbb560e6add6a3a89fbac725c35b6f27a95f09782860707eb53a6c6af4f4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c97ad5a331dab0cfd393b2209dc75670

SHA1
4c3d0c5f4a6a986313ed3204bdd332ec25a4fab1

SHA256
271a8394575e7d72281d5cbcda513341edc691e4628a3f3543bd48bcc2ccc8c0

SHA512
6191981c794bbffcbe52debe4abb5ab7579a0ae3d4d1f30a26f42c27e2ff6c26b1e57499139673ea62fb160e51cd0f587a33e7e0377bcf9af27d1674393093fa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e417374a5b0a1d490c6cc10224a9489f

SHA1
cf56c895e1470cbc3d17794d5ede225f448ec957

SHA256
76ee9b621b3891635ac9b74bc7e9d7eb5a2259ec1fccd0de965b446009ed6ead

SHA512
484b93c3bc48d0e6b22108a2392b77f14ad23c8e0104e657e59b9a5fdaa0850d13f6c1e584f06bb696b6e6d9a9db109b519637a85c3438038cf6675963902476

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1c02eb1493d679554de4d039922bc6c6

SHA1
7e1afcc6dcf8d1d4a243cc3fe600b7210965467a

SHA256
6adf6e27eaf9996d3e32a46f70d9b0720003185c5cd06f872091f4597382acbf

SHA512
28fb1dd78a318ce57ab745664acb1866852a7a64fa8a0cd1d62f03196aab17e83577a6eab55c28f1be4d3e08c7a3ae9147b7a66c8392a6512308d0d89e906cd6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2389e55644e9fe0a75f4258987449934

SHA1
b44748356351ec6595f60fb356e01acdbd4f1dd5

SHA256
c97a34a97910fd901538d255872222714ad3816f5eed19beb0a89f562cc5caba

SHA512
058abf014d523fccb2ca93a7e00d34586401cc1622ee0b4083e9e052b90a3ee21376081f79a4501a8e041fbb2b6c1b855ed079ff8f9b7083dc6b335a15e79b32

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
2bea01f428b64f266b50142bbb751b2b

SHA1
a42d5f2daa70e56daa9d6321998159db4ce39688

SHA256
1da63182e33c97f0c320da34a4e711ab45b6c40221baa3f918fd1702f515963f

SHA512
a272dff259d702e8322c506802bdaac5f525cbc9e20c91a7d8ca517287b57b9ac6982e619e599b45a4f0691b52ee7e86d3c3681bb3577bd9d2cd82a980f8c469

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e5b5f11fac1df1160f5861c4834dc308

SHA1
2f4b0e867f191c4c774821eea1c85c2d7dd6f436

SHA256
d6237af023ad7a80e9fd82779538ac115cc17d5af30f128c2ef3840033ab174d

SHA512
aeefa345ded8c90c19f3fa704d04b8d8fe9bb676f1cef3e9b16127c0bea7bf26d33020985355360a03a8793792ddcc133fb49f199f1c02fcbd5ac3199367041f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
afaf06639d2005c38aa025aea0268a7b

SHA1
c74e1e9776a53c9c6652625ac33a5ef2682b97be

SHA256
9545b5f33752d627fb4f60991adf6196611173e0fc5f8c3dbbc5fd45e056ec53

SHA512
a4a53f7daaeebe887780a8f51891251c7b73908cc0463c172b1da7e442a60a7d2b5b5850159f21bcd8d2143c364fe32133d3bebe4458d553a6c53b72f6909465

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
f198b9cc70950fe3ed231ef068d133a5

SHA1
8d5356f75e78467a53940f1523e4e9c23aa8c68b

SHA256
0e9db3d64c107345d6b5465e275ec9bf62d455edfff834dd4ad6dbd67559b2a7

SHA512
c9c811ced564aec04eba25a43e7c25c7ea297864eccd7078e9f4506f85c24cb84004efb42be8a00ddb5a9805955b14311bfd1d91676517572b7cc3098fa2c040

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
cc039f8441bf086049d7bba62e8bd6ac

SHA1
cc00f67166355a2a28a1a273118911d9c6958890

SHA256
8f4548cec5efbdd11085d3095b8911edf84240498f0e4bf16100577a101c125f

SHA512
bc9d2037d4f9d4eae28843a2c76d192cc1915d1a5c2af6aff6f44e32a9b02cc0e99bedbecaf492ddc896c93c377dccb61d4ae39f78089e261696d2f720319033

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
0ef4e06fe29ee075eba53bd72bb1e48a

SHA1
ab950a99256afa1c8e5b7a7dcb6e6872379b06bd

SHA256
52e9a9d28cad782e5d191e65b9685a1c27dacd393ab497aa8c6be02372880a65

SHA512
dd972517326b0c09296a9e0442d214a5928ea04a2fca630dc7fd093304f76b0ec143792d26e63289cc45e80cac69880a2156df0c777742c4d1d14c244453d0b3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
29aa8bb9a12c2885636e193a7ae37735

SHA1
1fca0bdaa69bb0e5fa60464574c4acba33a42bcf

SHA256
b61d284b30adb58b7debebfd2f2d60d21ae16271cd1f1915c318b0a12df03d07

SHA512
ffe475e1560c6e9a05f22bf2824c5f434c8b08138ec842324123e03b1397c3dc2f8d43e845e3f714b6beac7ff5f92c4dac42fd63595a39c5f3565020abfff18a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4243365deeb07925a8c9583cf2b555d7

SHA1
719f4b9c67f44effb97bf94e93e9883a2b3accdf

SHA256
2979e7cec3cb46a64ec054a33d38b6a8a1ff3c115a6a53c72348f95f825b1a42

SHA512
bd47aa65d58af344f4e4127cf6c4c2840208cea0b39d9914bc6a27588454e653bead876e9a6b571c173cd7da798d1053cb5e9d1a01285e215224429c8d6e9324

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
8a5636f688049615e311f4e105adb067

SHA1
f48b97ff4a0b438ca6cdc057b41e273da7e24c3f

SHA256
42cfecc2e3c3fc1137fd34e9070dc09b2ba503759e94fc6c9a0b93096f1d8ede

SHA512
9cd23ef3ee26e9c638f4a61cef88a97223fd51930a4847bfdd51f0e772d0754ad82ef3d6a37ea8a011d42db3b9e3f5e737e61752c279b266b44a4852fb6b86c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e8e7c54e480729f6c1cb8041d348731c

SHA1
2c50575d5c580bd97bd505af9b4cd51f313a4183

SHA256
36ec1861e522caf0a57bea854be166601f755d259a32ec18c8806c521235efd4

SHA512
0214cea7d41eae359051f75ab390663d561d17bf37c6e8ac3c6ff898cbe3dca4aa15d169582d9b8d0a56ad1a8fd177bc06ed9b356100b4a623e6dbc1bc9f5d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f9267524f14a5a1b069baa06f08c20ad

SHA1
289e22f41c3f4d38434f55175a60ebb2c65ab106

SHA256
1460caf2bfd6766b3dff467b2ce86d327236d0a96431c64e54cd71ad416c3206

SHA512
860fbc64b2b358b1eb39c85b80d977e8024831fb4b50aedd34afff6bc540944c3553539d706db355795e830cb52d60dbe20ad39e08e84b78dfdb71bb56eddec7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0dd01fcb9f70962d2a12eb07f01e55c0

SHA1
ef96963638b34495aa683acb1d3d1fe031eba369

SHA256
015904ad70395e65b5808e88473c1d1063e9db0cfd69b2ae65bfc8386869ab7a

SHA512
c4b4e7abe09ed72358a98ce79a59c48f6c2d89d9ca9e1529c4a77c2055cba3648229d4a39f6c2e45e1f362abb5b79e3ff861bc174f54e1c3dc795650c9200500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b3792fda9a16c772461ed7a4d55336cd

SHA1
734e39fd9a52d152666532192003881694e67a1c

SHA256
aca49e2089d57b23e7ea9bf36a6fbb5936f217468b2fa73374c03465e49d14f1

SHA512
3861cc5ecc041e1d9904cdc7776c7ee4b469b65cdb83bfe259616e728060597c50f1012636dacf65e48dadd0a4fa7bf88664a37f05ea03228a8885ba3277f292

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
cdd85414d5edd456f7633bf77dced1b3

SHA1
f1dd8340b1f9e178c4854f88b650a3f895ca7929

SHA256
522a3ad843e5f58ab450f247851c6489886499252d88e11802d14d4bd735ae76

SHA512
5ef8b0ca598f4ee56006967cd92d4f50988648fce79ea7d87b206b50b5fbc0bcead352f0308ed7f422e74942ec66b550201b382469c2b051816ddf244513f3f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
00248ba2052b7963e9a06e139353eada

SHA1
0915764ec44280afcf46e34db3936fcc44c350f0

SHA256
1bd1b9070263f01ea78ca9384a2d23fde7576992185d9e81c57c4d213e33886d

SHA512
1f449cf4a6c6a3b8b8c1259058204e8717838e72fab104c52cecf6678efe2029803c727b5020c4574868c7ba8b0ef7f40738aeea39abba9dc20ff0195bbefdb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
64736e55766610251fa0fbc1eb8fd21e

SHA1
71b9f69eeff1348f397ae3c54a9239ded0c459d9

SHA256
72aaa106f4dd599071bffc00b51494c280d4e550c3a919609f770d974ba9a94f

SHA512
d879dbbc26a655447b8f26449f7cad73adf12259b67b7bd44eaff8fe41e87cebab786c8c7740862609193719f592364e08eb61461aa19f7da8582aa98114ec15

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a9273c618ce3318ebda46849312946b6

SHA1
7a70e8e6e5d93f2f4a07e168a53c150ed6e5fc93

SHA256
285e0ffbcac27bf264008ada1bc6a815e38d0d500881cf6f74775276220e23ab

SHA512
f999f3309ec41f84592ded0b1d6a008aa8121db37fa3892d0eff11d283ffec0d1f8f6f06dd2a54d495c3ed924aa0dfaef6b7dfed12778644857ddae373c7f432

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
029aae699cf41f39fcf42653d0a5d54d

SHA1
0f71c864605e85c183e1c0178f7984bfaf272558

SHA256
4d1861e7b80695b3be83025087d72ac1c2d612fb3dee713acd92fa9d58d2069b

SHA512
418d00189cebd418ca965998b43ec413ba860ad1aad9b14e596983f03c68c75f692381bd281a79423e739c35ee9569e8e3a645355f0a1d00fbea7f3e11754862

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
5944826ed4e05f2a9b3c6dc677d33987

SHA1
9032a02aff6991c052c1481eab9225d1207e0266

SHA256
290f6d47f6274edb04110be7f950a6de7a325a660ac01f32390da6d145447a80

SHA512
263086dc53a542ad789332f765571d14226552c74501f567d9a39fed82aba25f47812fc9a031008e31c3284984c8f697c8c3bfa5a575804c7ab92b4580a3fea4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
7850917e740ec87b10a99d02a27b7dfc

SHA1
8869f0e6090b07eb61fd1600c17af5965d8c873d

SHA256
e9e672f23e003ed150d29143692b26bcb1177e81a3b1080ed6bce93388650e62

SHA512
c1958812aa89ec8322626a1585be81c5eea5b183d68f7a15414ac7c38db067b2b4e52f6a5ce0aedf4967bcc8908c04529169d887019fc55d752cad598bcf94ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a75e94a4fa0848098f8d912f12bf231f

SHA1
cc03ed1c1e17f4d457632a93b3d43ad4f1521300

SHA256
3ef2ce205fcfe67eb75399de8a3f66c1d0baaca1871522f2c706a6f8b6d469c2

SHA512
b6595a8326a85ba83a4b28328315917180da21fb44998a74af1603d65dd07492dc095979b5d8610d14ed691ca572264cc87af5c754497a1e27edf32da9267f87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5243bd7ac8b642ccfb43054d324eed73

SHA1
4b74b181e4da6a6a39ebe7b3d5c4b13b87831c8d

SHA256
c1d04d3b4a00c26e4e06f0c309bdcca92888a4c7e33f8fc15e4bba265b37f98e

SHA512
8bddad6c855ca28017aa00c7478ad09ed14e8e56c7bb4ce9ca85d47def9e3179bfba727be5cfcaba558f3b5126abf9cb80dee60456e3826ccfcfd64c4b522067

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
6fa064990bafc1ef386bb73d6c625195

SHA1
1f8bdf5db76eb3a905fbc6cc23aeacff6a09af27

SHA256
114bd91f0bfe2f141cb1ecee84da9fcb72ca803ecb1d4a63adf585a6af6c0236

SHA512
4b89008e9f41d360df0bec7e5a890eb83982f4cbf785387eb2b9a9fab6b08eeabb772dcc32d84bd32c294d50453fc0b6685a7c160b4c8f6771fd24d0de45ea05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d3545a5183530f8afb8ad01b34637a8b

SHA1
aa47f8a925d6985cb1b800f268e343f66fa28d95

SHA256
d9b8f96d0d66b49841c73a2e372f8cf48afb149ffdfb92cea3301feb574b85ca

SHA512
e4fe9d6cfab6fc4f11614db80b502a2815919bc3d743e1aed6cb9bf2dee264ebfb1c250fd8cac3639e58946983dad62cb41e985f4d2e7255816aa2e08cb85caa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1c3623649548a2100ac650ad5b7a6055

SHA1
befaecdb181d9e4a0d36c367427f40968ef66050

SHA256
b3f6bf51fa5c9869fe910897905c914835124695d28f76728b34b44c5beddffa

SHA512
8299f4ea959d172d87cf93c0eb01d835eacc4ad7e3a379bdce2c32b0acfe9427ec1eebb5b72d036bb798b3633fb94f638bb92af271bc49fe861036fc1b2a7acd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a952b0092d5a901f3fa5ba5e95d0aecb

SHA1
e5f5d7cae66a7457386346dffa9cecf5f0c89399

SHA256
d6c930bdbd04d9785bd6973cea6edc9a829fdefddd885f737d9aeafc59229075

SHA512
57b3b7fbde48f77df059b64de3173f13f7111df8ea8a3b9fc2ee0dd2f6ffb9a7bd13159ec5362d69b0021309c34b485ec3a2b7fd9e4d4fab79dc6489023b8616

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
0d1c9cbe9096a853ee2d2774bb9dde44

SHA1
6c9ee963cc829af7fe09e6beafb9d1d67e06f2d9

SHA256
35937a4018e0531b90de78fc2bc788aa056bd188ad48dde88118510401577425

SHA512
7f766210743e6e631d486b3eed331968a9df3376b44510ede14f82fed8b9d3240a9f59eb273ff09664eca425c49462228817344b5f7c0b4f9d43959b1dc1f765

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
30ac54c8eed662be8925dbad54a36a3e

SHA1
bdcd3b0b4ebfea511870291f9d50236e156e920f

SHA256
f123dabf3b23cf0878a53970c630b9c48cf70726a9cf28bccedb1a028e552ba4

SHA512
09dfd7a629618ebd622e183231ddcc4f9225017d66a049c073dd5bb98e8fbee988c93b2bbfa73b9a8fb8a383b18f7db539922d1e2b2a8ffefe5067bbcc6c5827

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
822bf5b94f81dc8ace615c6c7fbf255a

SHA1
f6c1c15e032372e3da50d24c69885fb253de3300

SHA256
b00faab1cf1877dc0d2847ae46ebffe7fd1a8f22d2eebed9df76bdfa71692b3e

SHA512
ba86197eb7072f5714734614a5feb90b9c34030ae96e1f11cab8ea2b5200b2700487dc48e94a35240037822fa89cb4df1e6e4768e0737b10e91e7096d906dc88

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
dc50d0a9c799b7c284081436c9bd022a

SHA1
099f661a959dec8ba648a50fb2ccaaa0e5b2caff

SHA256
2aa0c5f923fb78793f575174c4ae5df82b4aad5334590ffe21bd1a533307a211

SHA512
81f1b9c1b65eb792e6fce4ccd994347765f353455623af1c45dea2c427a2a38c07bd80c05de41152ea70ff8a2d8862939c8a04a9a0b97976c78fabe2bddacd6b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
da526f0e4236d20a7410fa656d06a7ca

SHA1
4dd320d03b5f233e5d5863ca692ff1f7ff9aef38

SHA256
63cc6fcd191780eda8948c81ccab7d6f49c1b63f16e352680a182cc3dbcbb33c

SHA512
c7f01298c902f9bbc7c1164577917b0c0a4df17b6a4a19b311cd814d23139e81c89561d70c47d051802f29bad5801553841765bb3412594a590b1af574d10c01

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
3ff06eba8919b00be0ad066d3e145279

SHA1
c2247ed8655cae579373fdc2d2ca8533cb47188a

SHA256
617e6e2d2f5117896bc67b937acf1303f44603284fe445d5164950ff661ae496

SHA512
6422256cf1d28035f4f5326254ba1175b52f3fee417a50460f531b41e7793f8c5993a2f98dec22556a302377b47c57c65a3b5cbf098495218363ec4c08740b0d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
aa11f82269df1ee6ddffc84a1bb2759c

SHA1
d46d88ee24c027483f0bebb059881d4f815877e7

SHA256
43cba12918e3215a935c94c9e84ea1c869cef87afca12a6fc2c7c007c6881b5e

SHA512
eafaea5e2d83b53acd9f2534efbf20f40b4746dc2bf21cffe5e3f0dba31eed5046b21b231fe2f9653898a3dbe4d52351196e0a0106ee55a185fd28ce35ecd44c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
7e1147dad3c8a5a84bc8f430ec6647e2

SHA1
3b1cc03e3c81f40144c2194754ae828e4d3e4628

SHA256
a9b80e9973698697a277dc3031460900ec9df79998e7b37a8c4b041d7fd372cb

SHA512
c526db6b7a21708b7ce9679be7a710f8d5d9923c559037eb23d27596061d56112a66d6f9f733845284651bde3150a0ce5536eb9de46819c5f5f0e8e45346f213

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
aa2ff6d97c0b2b1532d34a10a563c6a4

SHA1
88adad44718c4a27adb72ca64b74e54b6ae099b8

SHA256
d421f463d7ee03f300b8360006ca839fba2dd4b6cdcd1c6048de06be710c0d0c

SHA512
fb4268773b968fbdb2e11dc31b0212a1b660d58d6efbd134d6347b00b1d0076b11d3e4e1eee1a52e46e6534c0537d59bd26bf8262f193fc59bfd3b08fb5f9451

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
896503581e8592c8f3f83829aac036b5

SHA1
c9fae6b7c20b4a6d3d4f115248289642b1240fac

SHA256
20096ec686b8c3d2d5c08d1e4960c011332903bac1c494f2ea2f45355b238177

SHA512
c839980de0203a6f9f80a733c66bff2a4322324465699146c37aeaf439386f2148ddb13fe186941d5bed78386679e15d86523a02a8fbf93abdc9de62fd311e54

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f070d623783f407dd39e0187d3c74996

SHA1
fb0fb47aae2fb816f08896858aec3e8393cb6b7f

SHA256
75cf633cb6de50c2930364e6505881d40e7bbfee05c2fa964e70a23426a36f85

SHA512
6d497ca3ddf7b8b443216c2fb19ff335dfacefd98a3488b81e56f9832b075949630014babe49567040bdaee2977de41c9c8aabe05297da9192a354da7696ec1c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b1bb8352a82f7735afe66b6adfc6a05b

SHA1
9eea7ee25ec51b97df50d8a57b6d954ec872bc13

SHA256
3bcc60e6acce0be1af021c4f81e1a26ba610d50ab83a8c7564400a81985adce8

SHA512
0eedbabb2601a3eb60db692d128c146036c15533583455afcf72a6900865def1291d3203ab8cb5effeea09c03e78b678cdc59420d8a26aa082352c7445785bf2

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
33673ca033c41291cd83e97e62ba7578

SHA1
e591b1d6e90e6148a74a843888778609450dde7c

SHA256
0f22c539f281fb8104a173e2d8cf1df6193260fe3c33fbd2f30fa59bec1e447e

SHA512
a718aa9341e2250899ab53a332fe4ecd32ce9804ddcff02a98402475a7d89a3ae7739e6feba841990749c2b980bfe2dd866221d9d06a0b2dce5812ffdbbc2681

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2681414ba97bd3c6242cff12d2a71fe2

SHA1
6e61fdbec853f52b2af009d657d0f3c7a87a2915

SHA256
4cca390435a3aab6a9ca529aa5228e4c17191e95d6e971fa88e13a6b8e52e1cd

SHA512
041340f4452aaf925b2fe502860aec0eb437cf64cfb40b3fc829e96c6047c5013f6295cc56afa65fbd77c4e12009f8c57e5cbeb5a04b51f01fd8e95e0082f975

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ee277bcc8c2dd366be5a2517a93ee9d0

SHA1
e34f96295fd6e461858e818eead1fc129afee47a

SHA256
50771b70276c0eefac409fec4f738b390d7c1683b9d59b0202f293a1f0e4e226

SHA512
081591f8f715e901909462fd556fcf425a654cbed6c34de077f763fdc1c137a0b26a7f96307f74f4b5226b7fe88e368241df21cf821b43fba8258a1b0c207b63

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
065e3f061193c5c20d55278de6d86032

SHA1
1f6545d442c2a485269412c1a19533ea1c1f376d

SHA256
13c2c64eada854e8f6d5065075bf530a7a9d470b6dba706bc4cf41013ea60f4a

SHA512
335de71dbb01274b58f23f1475c599cc539f9c86a4e3aa119800f7df77d28f966cd82d46fd1995ce05b418031e753149e79ac7790830c647452666af36107526

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e02223277dcdefc1e000ab74b9e5eac5

SHA1
0ca2334a4f3108eae34b6a96a3444f1d39b14308

SHA256
4ae2f6084b5f5f509756d30a7f2ad82daaf4c84ada70c59bc547dcfe6c7804d6

SHA512
497aa7cb1cb8273fa6f1b95448cd6be958116886ea5f0e826739b126115d19a4dfdb30c20f438ff7d9ca49117bd89e62de8ee8907071434ad5ee04d4cc8bc39a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
361158391d18a236fd0dc18c868b7e36

SHA1
8bbc3c4174d5f25797c2278da0f2f375f7b4b975

SHA256
208a6345e14bea60321912a62bfbb698df0b8124392b0092a291874b741630ec

SHA512
f974dbca428bbc8f2725cf8c9afcdba2cd234a59b256cad1d750462ab04b0627748ddc33814a6a0b4a5c173136a36e9377afaf0b9fb1168b18a4ae0a2d1b939e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
d5e4899364b0e23d43a531df4eb19225

SHA1
b4cb39cb3a398ee2f744070a15aa1649816a0102

SHA256
95bab4a90fb0865e2d1472c9f0bf78bc22efb09c8cf088499d6ebd2e4b0db877

SHA512
b37353934ff4aed5e97d7767541494412d2098565fdadb42c3cc85c1323ae2d7111ec757bc4aecc30d1d86cba37564922dcb8f27322ac3d49375483d93169af1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
737c876cf9c109b5acdebec9d6576713

SHA1
f1e79afb90a1b5fb5f2d2b3fcc8cd9c433b06d5d

SHA256
1da8e52b5ceaa4980b6595265adc16cb1f779b08ba4c1fc2b97792d58131e3b6

SHA512
82b943b8f68b5408589a1a3ae0ce603a5a0d9915d9007aa2f9effa679f88c1d57dc45e217e62c4030cf48cd3dac4879014473259abd7798b4965db84f576502e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
db0a011d6ecd22d9e698a9e72477a91e

SHA1
4eb2514889dd7f8069e4870ccc252a7918d93a58

SHA256
3702cf58506ab923b01b7d7b2f1f93442e218dabb5efa252085bb51b9f4a21c5

SHA512
9b99b1295f44692a9c48683ba394e8d32d2cd07f7dc06066cce2df6abd78793f3cdad8717b2cee2e9db5cc8c188663a5d9e4653389b7982c7e88dd761e63a8a4

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
53ebaaba82fc26a84cb7a62c8e9ff5c6

SHA1
30c85e465bc2508f9f13d64beccef9b6d4cc6b6e

SHA256
dece6c3217bc6f57ab448a3ca2e45aec1fd61f5cefa177bc98ec490d155a623b

SHA512
bfd841d393d7a848773f05f867a604437715d2480d3e0c8d17fcd6e55f61bfba172aeb62aff42e55926008eee45eb1228618440e79d9805eb167cc019fd6620e

Download Submit
memory/412-82-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/412-77-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/412-71-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/412-80-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/412-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1000-138-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1000-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1000-22-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1000-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1116-99-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1116-88-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1272-487-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1272-155-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1388-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1388-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1600-557-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1620-560-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1620-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2020-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2020-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2348-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2348-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2348-511-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-57-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2936-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2936-49-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/2936-178-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3000-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3000-561-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3580-8-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/3580-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3580-2-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/3580-398-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3580-98-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/3836-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3896-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3896-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3896-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4016-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4060-618-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4060-251-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4288-235-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4288-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4640-239-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4640-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4676-97-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4676-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4676-47-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4676-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4676-44-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4772-619-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4772-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4832-611-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4832-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5012-617-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5012-240-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5060-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5060-190-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5060-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5060-60-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download