77a57704eacc6bb11158267ac32d2c189d526b37009f98814ba648384b00672c

Analysis

max time kernel
117s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8197f69bb467c0a8b7266116917b95d0N.exe
Size

625KB
MD5

8197f69bb467c0a8b7266116917b95d0
SHA1

4e34495d9d7c0c83f4d6f44703c1dac8c39e4f48
SHA256

77a57704eacc6bb11158267ac32d2c189d526b37009f98814ba648384b00672c
SHA512

206bf89d42efb44a59d7b85d2bed80d8e04dfbf4659394018e2efec66a66b23cd8fcd8a738691ed9a36dc0f68149b594d727055a5f2da67c3076f218a878b310
SSDEEP

12288:n2e8+Tn6VMP5CPU6EkUw6XvV2NlLiwXmVmMdpx7TjLNFtA2byK9CTIb76:2N+L6VMRCPU6CENltmVVdpx7fLrQWd

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4368	alg.exe
3744	DiagnosticsHub.StandardCollector.Service.exe
1448	fxssvc.exe
992	elevation_service.exe
3036	elevation_service.exe
3144	maintenanceservice.exe
4164	msdtc.exe
4464	OSE.EXE
4248	PerceptionSimulationService.exe
4796	perfhost.exe
2088	locator.exe
3136	SensorDataService.exe
412	snmptrap.exe
1780	spectrum.exe
1492	ssh-agent.exe
1368	TieringEngineService.exe
2244	AgentService.exe
3980	vds.exe
3336	vssvc.exe
1640	wbengine.exe
1372	WmiApSrv.exe
4812	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eec30b4d77a2071e.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\locator.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\System32\vds.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	8197f69bb467c0a8b7266116917b95d0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	8197f69bb467c0a8b7266116917b95d0N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8197f69bb467c0a8b7266116917b95d0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d26b8a8ec3d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b406c68ec3d9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006c941890c3d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd6e4c8ec3d9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bdf6748ec3d9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba2cec8ec3d9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dcea8b8fc3d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000bbfe18fc3d9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3744	DiagnosticsHub.StandardCollector.Service.exe
3744	DiagnosticsHub.StandardCollector.Service.exe
3744	DiagnosticsHub.StandardCollector.Service.exe
3744	DiagnosticsHub.StandardCollector.Service.exe
3744	DiagnosticsHub.StandardCollector.Service.exe
3744	DiagnosticsHub.StandardCollector.Service.exe
3744	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	452	8197f69bb467c0a8b7266116917b95d0N.exe
Token: SeAuditPrivilege	1448	fxssvc.exe
Token: SeRestorePrivilege	1368	TieringEngineService.exe
Token: SeManageVolumePrivilege	1368	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2244	AgentService.exe
Token: SeBackupPrivilege	3336	vssvc.exe
Token: SeRestorePrivilege	3336	vssvc.exe
Token: SeAuditPrivilege	3336	vssvc.exe
Token: SeBackupPrivilege	1640	wbengine.exe
Token: SeRestorePrivilege	1640	wbengine.exe
Token: SeSecurityPrivilege	1640	wbengine.exe
Token: 33	4812	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4812	SearchIndexer.exe
Token: SeDebugPrivilege	4368	alg.exe
Token: SeDebugPrivilege	4368	alg.exe
Token: SeDebugPrivilege	4368	alg.exe
Token: SeDebugPrivilege	3744	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4812 wrote to memory of 1544	4812	SearchIndexer.exe	113
PID 4812 wrote to memory of 1544	4812	SearchIndexer.exe	113
PID 4812 wrote to memory of 1408	4812	SearchIndexer.exe	114
PID 4812 wrote to memory of 1408	4812	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8197f69bb467c0a8b7266116917b95d0N.exe
"C:\Users\Admin\AppData\Local\Temp\8197f69bb467c0a8b7266116917b95d0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4412

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:992

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3036

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4164

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4464

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4248

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3136

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2244

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3336

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1372

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4812
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
dcc2b99577e708f122d2e1ea9922881c

SHA1
c0f10f1a11646124eb8357ed7a7a3dd12d79fd46

SHA256
7db097bd8776542dec0eb0528417db528fd4a3b92301ded6fd232dc669cf84d0

SHA512
f913b8477f782ed892fe9c8755d22b9c957005af817d1cf9e00033565540ea458085b1cc796e72e8ce498b0a662684118c9560cd1cdf25493b14d10833a5f876

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
860ae99c6a7e4952c61791b374119824

SHA1
738187d00cb93bb2624b339c87c48a56be623386

SHA256
e70005db378fb9c3b7596bdf8ca931806862917258952ff7fef4b1c1cd7cec03

SHA512
a4bda2d4ceb09ba1ade4a987c9acec176df4e77082b95ebe2971f50fc8f4b2cf383d18d39fb6d258aefa65b7ee1671ee1b1cd806dd3738afc24d84368252fd4f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
45cdf781c9fe65216416dd050caa54e9

SHA1
83a7063002dda8d1e3f1c3138af91c0045a8d9cd

SHA256
e3b15de3a2f5dbc69e4fbfebcd1618fe2ecda1f7a113a9b637e5adad7e6d7704

SHA512
4a9b2ff92cfa5048ba7cef615a45d2e5d3b5b3eb0bc448bbc03325d564c66a7ebeb8a6753419fb12e94632873fccb0b2426083d1cac8ef5eb177b4f0f4bc90d4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2b549dd0f8f66771b2cb8a118da4a14e

SHA1
854f92a58568168c5b7d7f21fa1aafc136cc50e5

SHA256
cdde3a2010996946aff21895bcb6a6ae2aba543479901b8224187f2b4499b295

SHA512
a299fdce9aa5795b67d0b147aa4165d76619898fb551f58e4b615e42cd8153b8493409ffc4acef1c33eeeddc25bf2d5e070a7e114ae812f319a8dfe29aa85623

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
18506c47ed57c8d760f7d12f56f908aa

SHA1
377ea417345dac3d06c631ec22aa84ddc54d57d1

SHA256
503f23fa1b2f14df721ec7cbbfe1c092c114fa092b6554247791a3b401545823

SHA512
4227b889845e92705b93f1133b0293417e421c4734c607511626ba47c088ee1836a92a17367dcd422ff1e042d5fc1d11987d4aadc84aa48c2d5a3002037629a5

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
07febd1e1d0c36717336722ad1b0bc5e

SHA1
f04eb97524fe7380775d1b45f1a04f93de8ff958

SHA256
1073f239d667f8668ea18d08c66016205c04cb96139f67071a507b4cf22a634f

SHA512
33701a8c8519f2adfe4a0bdb7974a14bed7df68efd886e829731e5d5af2bd65915c7b656142170bada65878376aa3faf36a4e5a60495e3956104c48a084f67f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1b52acec4dfe911306a7a8735bfdcb17

SHA1
8a5fb0619d1eb662ab382fb19117613177e4307e

SHA256
4298db5779e9c5bc18598a8d89b07f1e420f0b4c777a77257a8b3b7a76d5230f

SHA512
bbe5a1f745c68d0947ea7a64a22a58e3272171b78fa697467a23f24377b9ca9004ca1172cb2714452d8da26a809fbd8a3530c0a25296a7b4d1c50934cd2edee1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c492caa17f4f204f123068fa1644eb74

SHA1
8f696e64cd067272d1e3d386809ceff546074db8

SHA256
3871cc338512f4d92ae9584e96710f3d367e92ce16eae696929cf8f643606bd1

SHA512
d6e2c9c6445fda4a2da27485cc4098871dc908dd3c2ee6ae7721b67630119bd7a733c8f06266d37c47ad45dcad6bc54997c0578e9bd2a4148d5cf2ce9294a5f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a535690aabe17b83e3e704566e11bc28

SHA1
22bd4a12c6d5f51843cc16445b5dd55925a80870

SHA256
d49077153eb09a132524377a7f1ec15be2ae26e0fb5f0add9c91cf78b9d82cf7

SHA512
c08e163f2e66716ccb46db5e559aeffeca14d02231a06c74bd02d7dadb32307cc1977655d23963b721aa5e2557705ac79333b7885ddbbeb601fc2f1bcd41a4b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
614235772c8e0e5002530b95ee132cd1

SHA1
e127de1148bc2926f604239e152ab90ccf44fd24

SHA256
30d4cea280e2b37fe762c91c43197af5f0a6e3575de26248cfd5e0097f6f3963

SHA512
83b9c1e481898c2a0b2f21582508e0f98de4d33cac4b426b38e4f13e2d99fc44a24f3b7ed240e65e8b72f1c1cb1bab62ded7e710a139ef2b7ea6afa72562c97c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
533c451daf52f8f0e1a6c8572de35893

SHA1
ed3b00a4bcad1901d727c2fac9244b91519111f8

SHA256
8a522bc59a767e8bfd13d4479a262ec0106f57e1b3e1f8db44b7b4c21b08726a

SHA512
ec7408214c9c6334eaffc2e79546db9df8f1eb74e846b917e38d016030dc55d25aec474039d68768760cbd758c85221b0fd6881cad20cc8576033cd9ca16abaf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1e36f10908bb3f5929f96da870eb1d95

SHA1
f603eede13628db6fb2b2d502a4f8fb032e27479

SHA256
e0a236dfb3835ef3b17baf1d2f6454a0b7a11476583447022c05525a9d869f42

SHA512
f2723583bccffd1368d170406f65982c35991b1722f6e096e094de719afd41be43ccce3a74d6c2c572e16281220770fb08834a564f061874f35a5c7e20791c01

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
f7bd9bd8fb51805176eced56f6e8063a

SHA1
03397395f086d5656ca63d367b3a46b853357b74

SHA256
48eb84886ba595e2f4b64bf8f6eacb76f6866aab51945b8be0a6414df2ca4cb7

SHA512
e3fadb45c62b529f8e918ea7667675131144b52671d8ff7fc423298f0851907aa3ab0c3d552a6c09df6ed5a333e26e458a0d5d968014fcf37d719442b83a732f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ed09684247d78127d7fdc59bbd61103b

SHA1
208ab2a4313941d308bbeb85c1bb18793e271233

SHA256
1c1f4ddb93f0a3cfa82152e744133d604b640c4a00d7e8e279415825efd4e900

SHA512
d0ceaaa14f0cb71a470af169d9d84fb7420b57230be1bbad9c8252d5538272435fb0f5a83684b3142ed4080c463e89e1b83ddb51728e7a3526b353e442f0faa8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
dfc8e0ce7880200e742cfdebf315b168

SHA1
d9025e00bccc4cc1881f303f34f50ee1eb24faef

SHA256
9777650f70e52a105fbffd461ac9e707a7d397c81a27dfa8f85777defa8acc09

SHA512
98d5ca03e747ce8e0c6cb6c0f59a3161face07885973e7ebe2971c1c2bef573827168fcf6bda968a4ceab01eb594872a5e02fa6d6ef4859b014ac7aee45f16c1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
8077015d12bedca89f891309255130b2

SHA1
44bafd5f4de2ede81172d747bc2351aa9183f8ae

SHA256
004745f0ac39697c9a63d3de8681c4fb950520984a173115fcb87f0b29d29899

SHA512
e3b4afe853711b06db1fdd39938a3c3b434a327ff4814bfeb5792ed13a14a98ccf67865d2bb6dd4d4a9251de65ed432afe4590102ccb542d74c4bf26605cdecd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
0f49a6ca00f160ded6f45b7c8faf3dc4

SHA1
43618aace3b7b7ad2584c53fd2e1c9acfd507c9a

SHA256
c3dd3aa5a16b70b711146bfae3c264140015625ca5e4f1b748c112721736dab7

SHA512
a402c936048934a960cb3ec24d36d55f3297f2c3e3fc6b650dc975b66da05b6045da0b9c55fc9ce89a42777a4c51ee7ef7d428bb0168aa5fb8e585e69a835e80

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b6a5a88a6a589911266e4a8d725f50e3

SHA1
bda151d3374909e318772b59289e25518ca2ad67

SHA256
a62cb8f47e6ce26f944d80919635a09b672fa8862058cfdb3b34a71d9dc541c1

SHA512
f77df4448c30a0ab373e79fcb7428257a6a691378e0ab33a0e83aea7abce58664b8b66dbcf42b0e4d3088982a8471827e947841293916f55943daabd0e573334

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
8276b7fdfbaa72ade6960411b974233d

SHA1
f6456c4ae6b430e9dd281bc2e0c063c3f2312c93

SHA256
8bedff217ff21dab6c3a2a1cdbb41cbfbb752aa234b5b61bdd1dfa0c875af9b6

SHA512
9d3fba51480f96f92eccd51eb5834943d331809319f9e8af821315f44804c6602ff70daf2bc64aa705e252221e2f6efc307439db7ccd11923962f0649ebe5c78

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
ca229240b8ae532fbd38443df21ba9cf

SHA1
b65e9d04e19ea155332c9e74c6c2b4d282e77e7a

SHA256
50c852d5f3c006dd667ca688aa41ce668fb8e7f6611a881aa248f07021d1351b

SHA512
ff0a2468accb947ed4ac610c59598e7f3ce1925423d49ddb4a90261e6fb19391225f8d785ef5750b3361a9c770b23a413202629e5dd52126ec3b8cb04943b7c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c13dfe58195b43ae08909fad95fdf4f5

SHA1
4c59b20296dc1866059b466b2b58a6110c72eece

SHA256
7b492f30450831344017979e9427850cba4b9526ddafa02a24fb4384de6a1ca9

SHA512
ec503af1d412977646b98b2366121eeeefeea0cbeb3be172503fedd8392294ff7c12cecd63b457fc61be36f4d0ef08d94d18aed945732fea5958c5c795770af4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2d5f0606d1b055c121f8f18197ad97b4

SHA1
2b772d680feee65cf494d446baae48f352ca1844

SHA256
ee63e706892c8e27ddab7690f263f03bd7c8f193208fa854abf22d1b07dc9436

SHA512
3f34beb58bc0906ab9ef2e6e36d090507a47071e745741fc09b7f0ab52541f014914e81395e8800cda96e74bc3ad13d0ca60cda3f1e2ffd155e2e31b04298635

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f610e8d02823d12e1ea945b20582324f

SHA1
3b952a5f40887d11fb5d5b4e925fb9a6eb7135e9

SHA256
36b6e337354863076f1e2389114d87d07a87985dc23be028a5d187894e3c32a8

SHA512
5b54210f1cb83fb59eefda1601ebf43ee38577e2b592010a37445194b9a6d72f1de8fa3a301953e19255018dd2f4d56ab6d6ae20b859599c92d77a406e47df87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
456ad51ebc3509c502c333c342088eaf

SHA1
11f497b12b449c264a07af35689a6546174c25ad

SHA256
233cda477398af5a0841e07b76f6295ddca8b15ed6af1cd6ccb8fe2828284f96

SHA512
bb0279a15ec59813dbe9e54701ff5906a7ea09f21f0bf19fa3cbe0f2fe1d8acf6202a92d51fee65f58bed40dd3b61526a362500192c2c5502072db17b2928e2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
735f37c240d1addc8cc2abc85978abd4

SHA1
955931f8aa67c7c752a65a4de434feda15e51c39

SHA256
b6bf61795ceb16889d658a569e86927f56c44b5b37c316265943be2a2fd0beb6

SHA512
6a701f0e140ae5e43827667b3cdcd7671e2bc477e12d2b8ee1a9acaeb85159bbeb9e7522f15989ddd1ab7321afa8bd36ceb9d33f298318c3b6f5dbf4cf571434

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a02c6c4690787863f0cc0aaf172d0efc

SHA1
baf81196d6232a5107f725bef07e005329c999b4

SHA256
11c8f426e71aec8916e69eb1ac36c9103d5e0a651345edf829ec75070172d718

SHA512
7684a3b658083140e6a4251843bf75034a5dd4122152c86deee01e822aeb6905ba3db79186fb9bd5e0ad652c100dd7ee6e1c8c9da98821a13e8a9a590f3127ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f106584d04fc393620c703c764fb0ba8

SHA1
81f43d3b28767f2fbbe27d104395cc5bd8f0dc00

SHA256
91f527547e5f625d5d14c716d04865b4ee91ec064d3396313bc36b37e6565eee

SHA512
acd1d2aadfc8b22ff7a4ab4819b45ace55f1588e8d39cb04067a3775d79d03368d2d00e3d232e93ee2a6cdd9bb9651c2e9b2631cad8d29f23a181216fa427d0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a18bfa539ecb80f04497921fadbc7eef

SHA1
9fc9e376c197b0782570c45814288ce8dd180b16

SHA256
a089d10756fdbf4ddb68f10427885d952b0d171aea122872bba967e0bca683a2

SHA512
7ba20732c3abff75b07086d65030a7dd9bb3e17abe8a22b1df423c4aea74e39aa7786ae5f1bad7001321fe124418a281c360c0e3ab00597384606fa224794a45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
992c64ba8055c990933f422233d6bb98

SHA1
6f9d5e6592d306e90b9c73b6d4b1f83d5f3ebbfe

SHA256
7c03d1f9a179675894d8d41701b929bd6825307c2ee01ece6057b2cfbe8cf927

SHA512
fdbfd56da907413f3701080c19368af9bdcac54cab74e670c4355988346232fd6eac83a2a96c998ecfe984c0e1d99b5e66f8ca635953d08146a7c91b71ef151b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
105412ce80b87c82430f73ee2372a8c6

SHA1
bc164f7cd5cd7777e5670a2fe7073df8234a17f5

SHA256
a054fe8717f0ecf367e325f6e1ac65afef5336a6cc3d98415dfc50af008be543

SHA512
2650fa0b310d07fec2211ddf3c29575b1708de79d21f58e5f97e325b0e7cf1e91c3821418851fada314a74498c0af0b3371713414e0d546fcc26e6137c6344de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
8b027a24e3705f74bcc541371d496a00

SHA1
bba443ad038a42948c4eb1e8fbf05b0460cc2e76

SHA256
51d5ce829acf66a687bc51f8c5b38b700ddc399dde2c39b40b790e4b787bc3f5

SHA512
8971d8dfb79feade543ccac0ae97a0f4f181d814647a1af29cf11d1fc765607ca02593fe43324e5ccfea44a2225b97f1c7f4fe42a7fab4a1dbe6ecc78a639761

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0066cd6b713d8d6243d5716f5655b788

SHA1
b2240bce7fbf2be126d22a53a40c853d0d0cb269

SHA256
d6d1f8a9a091514d882d1de06eb812052c20a40e0c17831e902653afbfef5877

SHA512
a00add199a798a9e4482a200086d041b0c48ebb6d47d7626ed18037ca78e29f784ba6b9a615d4d73aa4ed21b33a9d6f5f811e8bf4f3e2c9a4b98d4f9be149029

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5215def8a83d3059f0964cab0643d014

SHA1
b4eadac3ec77f6c8479da3bddb16a0f7db0a6e0f

SHA256
ad46ea274a14b30bbca0f5a2ef12d86d9f69a27fe280a06f042b581a04b60a0e

SHA512
6bd0691df1cc5971a8913331700831087c527ade9e5e61e03e4f3f0383d0ea96f6124a76df2210192a8634af63589077cf873a6592ce17337007df5a188be52e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9e548f18564461df618b677ca1743741

SHA1
ce1b24512395755bfd3c2afac5ea0a4c44b3b30c

SHA256
ae07e2b89b06ce2e29e4b834a5f1e3da518d6d8899dc36663b46df8169bf34a6

SHA512
52ffa7d2cfa22218b9c0caa58bf93c5f00f439ff5f042a42d9e60e08c5bb658114ee19ea7f70fa13d3f853977dd3640d46da6ba6a47481b7f69491cfafbed8f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
510d6380900f2244edfe8f72cd855a76

SHA1
fe8e29502ffc22421ed04a39ecb9f3fb20bca3ab

SHA256
24a01df493b871eec11a49ec9c42c669401ebdd37b64e36c7fe469ebb2adb0b4

SHA512
1798fdc46c6c6df5b4fa9bf223fa6042dfce2f3370eca2ac2c1691184c8c5c041408d945503cc9bc7d2cc670afa7d3269064cf01678c70862e4a6fa618473bd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
140dee79157dbf989cb74336c899482c

SHA1
3c133efd33ec8a53d515e80e7985451e9908bb2e

SHA256
31bede1b0b454a9a0b8f1ba38c0dff73b778e96a0fc15c527bb79b60727e2a39

SHA512
aa8b227d171c195881cfb773ea4c3dc5531375fe794b4da8eaf9b7317e9f42028d4a4c0cfcf354488017bf662ee5804765c7e81f3d210a57a9a7cd547456f000

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
1c5a77cda832da8cffaf10972e16a2b4

SHA1
9f270fe08c79b4a31415c517b08df6105fd0ea2b

SHA256
fa33299b39695481d0e60b3bfc79ce8c365c83c5d8e18e3e4f9d6b81beb6cb7a

SHA512
f9e4c97ac9fd36f813c14bffe097acdcf05d4fa76f6f01d19b5013783082d35e263304637047e0e91e6d6d0f2ac7eb294e9512b532e05ffe5e4c205a0eb3b348

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
76ee46a14479279863334015b82e4fc6

SHA1
9c3ae787c9819704986d347322efca9bacbbd421

SHA256
62d167d5dcff767bd7dbf7254030e73b2d674ee4ae314c2ea085d52933460d05

SHA512
cef63ff918d9df8723987b2fa6464366d4e95e3f80f44bb8804e81ebef60387a2eda03f7cfed8e4e413aa2f89b445b68c1d9341c6ed2d6c04c80be09840ab171

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1b82f30636bb2d8c8dc1b8e7407e55f3

SHA1
71252465abf7229d6611451d5e4c97c395925593

SHA256
631ae988eee916dc3457a1bda2164b9c1778a0c823e9bde3303287edb3899c10

SHA512
b70361e40570b4b925a2e84171de0e8f494bcf35a51ff096fb1c550f4fbc4b6d04dc01907dfc1ea3d548f66571d968273063a396ff1926f6a957143a78e913b2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c210b6f6fa71bfd0dd4ac380f0aef23b

SHA1
8ec9fe1efd5b222b0c8da946777d23626c278c39

SHA256
79c9380ab14a63daf40cbcd5890ca84c21d4d4a47883f03dd9b4bfb7f67185d5

SHA512
fbb6b0118ce2defa40b12c3dd8bf8ce4a47f18f1c81605d288b33afa118151a69b9ef14a6dbafb8ae24e60ba162026b41d42ba51967fa3db1d349382c1012c64

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
7d69118dad7181615bdf832db49316ab

SHA1
e61ebb8c77c6373352b8e0d87ca50b1f8664d3d2

SHA256
ad1a47bcf1857589db421f04f752bcff6d935d21665f6639fbfa080bcac73404

SHA512
4cf3053fb28326e9a9f30a9ad5da640d1f60339548957af0950d99a795cf1afa1040286071eee00f542ee5dd4983619ef2444449a1473133fd4e8403b11d3375

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2dbfb82f478e247fc16911a67c02a069

SHA1
c63d12fdfd574cfa14af1991d6afb4ac208c3e28

SHA256
6fb2c8b069d8e4dfa5c7d6b4b3520e3fab477dfe338811281ed2dc6d4b446040

SHA512
8f861fce71c5da908cde6cece4658f88e97ac7e78116a4d5fd3bc39ebb31e3a15b18d42cbd30a498bc138b3aff63a1adb54aa330634e3dc0465869eef5571e3d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c52ab7066bb0c30a741afea1af20150e

SHA1
fa75439a9b88e4c6f40da5e11f290845cfda6e89

SHA256
7ac06a767312f0f22cbeee89008ce557c8523018ffb187b9407fe548fe254061

SHA512
dbbc34b78f9dd07df42751d91f9abe93b852a91d30e32e5c8dbe14b986b963efae764ba5128132d9de7c0efdee795a8c311d68133a43007e8b698ff70e2f21b5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
46a5400b4bfce9950c626310ec292907

SHA1
7ada4d04629bd2df2c0c0a927e71542a1e079849

SHA256
fe1c23710746a0a79381e557669edb9d8ff17b36dc4fc0972e7747af62bf7a03

SHA512
a44db78b083c25b81892268f8e9dcedacfec90dca9fa558b75634dd6be9b5a28fac5a0bd859d33ece8f6cd5e37e4695f7dc237a1ab9b5354c1b4cb915ddc1b07

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2d32ec15991f521a8cd5a17de71466f8

SHA1
366565953c30e2ca160b61182513dd076801a0cd

SHA256
9dc2d57f99e3020d7bcf0cde379cbaf37317781e5aa721eb876a2bce5fe5926e

SHA512
22abe8179b74e60cb785cc983d1bf5f9ad7ee2e5ec84f984f99eb780af5294fc882cdb7433bec772ed061e5ca429b3c75e035f470c8a3040300e839a55978d2f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3f30657d8c4a28a27278465165d7b8da

SHA1
263a6d3e47bc20be134a019db6f5067e79854e04

SHA256
21cf8e9bb000348d681247f91daf6f9a27a12b8555d4920d25c0053ff41a1229

SHA512
1a5076d41d05c4014f362bec6ae18894b96d35a3b544cad0c1bda709635a03066c8245e10ad59e7738553dd6521c11796c9c9a4f9af67f117f10a87177d5ad99

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
978d4c85f113e6ead8e390057d8eff37

SHA1
8c4470857e98c317cc14de923b8107d00728c5a1

SHA256
76be3f8164f47799cf4dfb3b2b9c6752057cf642a4aa43b8a27a7d95b551764d

SHA512
b1367e74274cb3ce76e7cba11c7fdb5131308d968915731ca89c30bdad040c64222a67eb9328888c764d93ebfb5348922f8259a70332ff74c534f67a74d1ace3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5f35549c1cdb5d18a29f3d6a07fae2df

SHA1
fd66f8682de4e56ef484f6ac59c95d56c2e31b12

SHA256
fc03dba16b9648f0298a8089fe98b92724e73650e3ef1c8ee74688c46c7f966a

SHA512
bce8fca81b7c2e8cd7dbf4c0bbf2c16710e2696da51fddffb51f95a58516f7c5f2474c2b1a2aed1b8c670ae60eb46db3d68bf8646d3a4c3709c1b3e217f2f5ac

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
248bde4671b6df7616a05a603c57bb65

SHA1
bd2e35c176fe62265fdd0a9169639761f172a622

SHA256
01149a1c9a786e71a246c8e259c61aefed9c1e6ef02c9caca94e8303d31a5e8f

SHA512
3175b31748e0f9409b51807d2d2092846331ac289a3f4d79335638c01462302d7c3adf6089cd29d63b82a4aab41c1bd4ffbcac87a8cb4987bdb8234fa752f080

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
c00f8eb82b71eaf482ee99b8cb0f8848

SHA1
249e0de3ce9e9aafb0686276732a86a277d8d7b6

SHA256
57d1d127d35f79243f556c85a583f3425a8211743f254c687cdcc2e17d916847

SHA512
41329757d5a3d37c6485b3359b1ee7ab21130970844b492755b6b1ef945013c29996f05be5bba24ff7a6af697dbbe9a550960c6cf8c37e28ce046fc7c57c28ff

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
da3f9d2ee15b293ab26233c3040778af

SHA1
fd8f9e4aa79f3ca20c8d253b75c35bacb301d2c6

SHA256
5b10d110229efce46a77e0c4234ba1c80ba651e5ff06c8ce1d14331602b524db

SHA512
aa29fff080657aa326cc94f864c8bd7216e506904ac1b346ac6e4932e8047ce3a669b6ad88af16290b50f00f74394167b10cfd1f8184995f6757cfa1c4bd2a17

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f5fbf9d2dca095a322ee76583af8ecaf

SHA1
fa03e3baa090b1dacef05ea2ee2ff36598da6e7c

SHA256
ab0aff58cba5cd1979e78a26745012c2063f4c007defd8a182374382bb2e402c

SHA512
0713e99d804578bcc599c56665baaf289793d55d78edb230a1e02cfed7f7dcb33cd827150c7de3ecc5934db5bb8fe096f50ba3a1cd4ea6e2e54322185582fb33

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
7213beb9f53efd77d771c086e70d0f0a

SHA1
0a0fa88b98574d2ef18642b2660557b30af646fd

SHA256
9f4eb2b7d5fd34b29d389190e705d481222b8dce35eda6e5a203cbabb390c5f9

SHA512
594452e6fc2340ecd89a9f9491f952c2ef03cbd7bb4ad73ee22f0b59a185d4550c7d27095b11c8499e4fe8ac4dcc876d28fd39edea58476d5d8a647238121bb1

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
6acc965bc786c233cf5d4193e51d08da

SHA1
e6bc8fce1ef7f860bb42c4c004187e7e39f39f4b

SHA256
760d26a42abf29c2d04087cd7596a358931c5aee7b2cd611182bab5f1bb55404

SHA512
d03daa5bda5160cedf66fc6535e681126741589713103deefbc1be92fd37d69612e462b62c5f479543e4bed9718dd814b0f54d559179e734b67e6678123f207f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2992ca980228e4b9da0dec614497f8c4

SHA1
64061154b2e87fdb535f581b258c09d66683b4e1

SHA256
bef20234c43856e50b99afa6b987e56e33e395fc2ac60de058ba0a83b34973ee

SHA512
b9f8a39d360950b9810986ea10656d4156ef2437fe364ee3708ed9650fcdba36e5bdcfa7306c0097bfa67f4352f26e7f1e15aaff9c02ff80d3c3aa8866763c3b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0193bd4f297ad9273a7059c696925d30

SHA1
f095943feecce509337a7aa011e59d14939bac94

SHA256
b081b4d0f44b2076d427c82e2e591ae5b26acfead78bde9ab75a5d90f1917511

SHA512
c4e681d6147b214614678c88bb2a24613e6c92dec329e56749904b0d273613c879ae607be9baab60d3075418ca35bed2b08981ae4601470719f3b63a2d8d023a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
abbe6310b5401d69aa16dc71e6c925fc

SHA1
e3a4587bd40ce9c62d8513dc6ee5c04a3d03dfe7

SHA256
43769a765dca5aa774a6f862e2c27e60fb47127c456b65ace161f71c17c8e846

SHA512
321834168f36152869e90d05e3dcb23eb1ad6303e0c4aa39b8dae1a01d61d129f833f74a153378cbf3345cf97e1e4235f635f09dda26f609e41acd594451a0ed

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9424d6eaf088a2feaf56061982f69a2f

SHA1
ee1a612bd18e12c4684ad008be9e310a3426ed4b

SHA256
227f2ddfa259d87faa51852129327e953fa9f935a505825df2323f13ba5277fc

SHA512
5ea10b73aa1b5b4a3e0977908661fdb36cfbca4c0f6e1ed785268cf627d16e3677d9421ef552612162492e8b0bbacc1ab0601a0cac4bab40bee07f3bc067d5ab

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6c047751ea5c13a37b9703b63f642917

SHA1
a4f9d233bdb392446f465aac8d2b789571ea5b0c

SHA256
b1a0d2fbdf9ef483e9af9027e80fae636822dacb0723865906f890c9f1b4983e

SHA512
78bfb7eb4e302bce96bce5eb5e01d0b37df45498a4e5238fea228618ba845c4e324878aafd11d71b59ee833c4e4b6de846b4188769865484e6ff7980f0184688

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
157d9348b34b1ece091bfe1d1fdfeec4

SHA1
27605b00dd3c8d494d336b9e36d220a0e5899f25

SHA256
c8e3468150ac987cee2ae0c023cc06926ba3022a89840a56bd25a85b35f95586

SHA512
a5e48df27077e49fe80bfe5340b4b224463e4c39435435a3257bb326941d2faa3ed6cd10f9861fa963e8cbeb57da9b7d37b66a8ce2dc5e2d5ad49fe318e0c953

Download Submit
memory/412-248-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/452-109-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/452-426-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/452-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/452-8-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/452-1-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/992-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/992-52-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/992-58-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/992-632-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1368-263-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1372-640-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1372-267-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1448-38-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1448-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1448-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1448-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1448-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1492-250-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1640-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1780-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2088-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2088-638-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2244-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3036-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3036-635-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3036-83-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3036-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3136-247-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3136-481-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3144-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3144-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3144-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3144-79-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3144-73-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3336-265-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3336-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3744-26-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3744-268-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3744-33-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3744-30-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3980-264-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4164-110-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4164-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4248-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4368-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4368-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4368-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4368-138-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4464-111-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4796-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4812-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4812-641-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download