47896feed19029c167a28fff4a7f625770d64f6313bc6e3f6e4d134625a229c8

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f7de6713398950533f219d17fcdd1e40N.exe
Size

648KB
MD5

f7de6713398950533f219d17fcdd1e40
SHA1

8c9459cd375dd50a3a5b455638a50c03cce902e6
SHA256

47896feed19029c167a28fff4a7f625770d64f6313bc6e3f6e4d134625a229c8
SHA512

c23f0306c18940028b21494972dbe025634ee4c550efd3909b272b8f551ff926d4b435dd0296dd459934fd452ab82d358824a11fc2a83e5bc00069e446a1c02c
SSDEEP

12288:1qz2DWUp7d0NxksRpWE9FRHSfNm1wgbIxnBw7dzE+e3gxZC6LgjigDy5fdv8fWi+:Yz2DW8Cks7WE9F5pwg8zmdqQjC60jiH5

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2888	alg.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
4832	fxssvc.exe
2736	elevation_service.exe
3684	elevation_service.exe
4744	maintenanceservice.exe
2128	msdtc.exe
5080	OSE.EXE
1828	PerceptionSimulationService.exe
3292	perfhost.exe
4504	locator.exe
3632	SensorDataService.exe
3036	snmptrap.exe
3932	spectrum.exe
3852	ssh-agent.exe
1616	TieringEngineService.exe
1604	AgentService.exe
3244	vds.exe
3100	vssvc.exe
2784	wbengine.exe
3772	WmiApSrv.exe
4852	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\23f6c48b6003136b.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\System32\vds.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\locator.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_80203\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	f7de6713398950533f219d17fcdd1e40N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f7de6713398950533f219d17fcdd1e40N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000148ce9d8cfdada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fd816d9cfdada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004972f8dacfdada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f13738d9cfdada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000687c3edacfdada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000158aaedacfdada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4420	DiagnosticsHub.StandardCollector.Service.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
4420	DiagnosticsHub.StandardCollector.Service.exe
4420	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
640	Process not Found
640	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3056	f7de6713398950533f219d17fcdd1e40N.exe
Token: SeAuditPrivilege	4832	fxssvc.exe
Token: SeRestorePrivilege	1616	TieringEngineService.exe
Token: SeManageVolumePrivilege	1616	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1604	AgentService.exe
Token: SeBackupPrivilege	3100	vssvc.exe
Token: SeRestorePrivilege	3100	vssvc.exe
Token: SeAuditPrivilege	3100	vssvc.exe
Token: SeBackupPrivilege	2784	wbengine.exe
Token: SeRestorePrivilege	2784	wbengine.exe
Token: SeSecurityPrivilege	2784	wbengine.exe
Token: 33	4852	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4852	SearchIndexer.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	2888	alg.exe
Token: SeDebugPrivilege	4420	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4852 wrote to memory of 4332	4852	SearchIndexer.exe	116
PID 4852 wrote to memory of 4332	4852	SearchIndexer.exe	116
PID 4852 wrote to memory of 3024	4852	SearchIndexer.exe	117
PID 4852 wrote to memory of 3024	4852	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f7de6713398950533f219d17fcdd1e40N.exe
"C:\Users\Admin\AppData\Local\Temp\f7de6713398950533f219d17fcdd1e40N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2888

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:336

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4832

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3684

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3292

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4504

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3932

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3244

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4852
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4332
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e06762d6a2b46c261785b5e52af7cc08

SHA1
b35aca723af174dd6c332918e75ae3fd3e238a1a

SHA256
1b139c64553503c21fb9bd4ed5a48a34427e1af632b8d2c379b69d1f7f1d9f77

SHA512
07b8d96424e751fca1c589959e99e6087865801b16f3568e5278fb43dc03bbb9a1d040a30ba9a153e346dcc4d87866cfbe2d48cb890bb654831d38dd51e034e6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
9cec489010456df6db7758ce0dcec273

SHA1
1951cd985e6e00b6be604c99b5108c95c2b300b5

SHA256
1c49dbd28615afb2a43dc9b5182eb24dec1d28a9f6b59b443cd2a2ec0b12e695

SHA512
54cca2fa0e156b48c4924690ad42847998153354c636fdb2331fe760ed1b33e9046ac470f7fe7faec30f0a52abe71c3ebbd0cb14145251a98f7bdd808b07f1c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
2c2ec331bf5819f69e4bbd0962c9b39f

SHA1
482861be618b460b5333c1f0670ae3809644a18f

SHA256
c5de9aae2d19de5b35e25c7ceabadf0ab3743cccd3eb050d88318cfb744651e6

SHA512
5fe966e840efe7b6a71abbe5709678452d52eddc89ea5e3aa0d7185c5cf73394a993196d142ffa910dd4f875d3e91751dd77a0aa22b7213c1453395adb0f08ff

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4b014b65bd06e38348100a8063ed8a3e

SHA1
b3ec061a91ac86ec1fcf620d582fefca908edb63

SHA256
a2683bdaba0647e3ceef35739cc918d4f8d189afd103bfbf8f2db4d1cf42f811

SHA512
b79c2efae46062180839f659da4290ea3ae24302c64806e9ee694ec07a3f0a381660e65e5b07373fbfb3a5e6c073cbcbc7e25eab75bf14e6e761d82b45eb054d

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2caabc6c547017490cd9fbf0513cd46d

SHA1
95eee7512382e4c5beffab6e07d9df778d2afa4a

SHA256
5a9b4ed5e64362c908499c7b6a0f1074b4d8097e3c300f4d1cad74c8d53c362c

SHA512
ec474260fdf47a34d195d3ad89c12b999b1e6d061016d91239587b7f311e9720a106df866d5dd65d57087bbf2356f86759d5fdbdfd334311ee8b9c17c514a64d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
947655f21c14f556f872abbdaef33b79

SHA1
a2324ed9a190daafca8dcdddc97321319bebf6cc

SHA256
bc2ddf2b671ced0c6822719059534daaa0b96da001b879df114a5643e4018a19

SHA512
e48ff636c82a25ecfffaf1e7efe63695644816e6daed3389a5f480a038e6319330341de891ec637c7d066f3b52c2bf8bac96cc9de27de1674b6e4dc04c298ed8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
67b27bf21473ba0792286e87432fa4e7

SHA1
577d937ff8d6de10d61a7a02987fbada8f8d59a7

SHA256
d1c4a17a7f56c316c1c6b32888d36b32a4b6b1db282f9fb4d81c634f0d71dea4

SHA512
f3d09c6b16cb067e240b790ce98585e2efeb96bb0e872f717f417321c5110223fa724691d6c15df52b48c1c488e9b6b5d3e17112db6a1b84145ed2add762fdef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a0a7c35067c071ef1f1d890d61ee4f92

SHA1
49b60b96e923d4fee92eb225923749c07d378803

SHA256
6dc46ff7d5569c5085623baa5e39ce41e6b21a7f18c6c058258a6dfdb4c40c47

SHA512
98bf239f0f2b190dd7c83c52a32bbc2af82d642863a98847d4bb579ca44c2e69e49d75ba603a02f07294124203d90d1cc7fe9bedd48c17ced6afc66ecc2e4189

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
b06195ea4b4370e89c531edc688ac33b

SHA1
707b7cf168a403f53edc339da4f75b721d528c1d

SHA256
3cd4c30c0968281594d269c02be55cf3f10e1889895001ac73a5a5943accfccd

SHA512
c9a46592d25f3f390d2281635cf9be5bc287f380f62193e77605cabf2b048cd4e2ab6b302ab08603a99d0320a48a28ad5e3ccfcd71faeccc6311a9d7a4412073

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8c1b6d4ca01984299f9097bbd0e51b3d

SHA1
3e345d82bd671b1958825b202a1d0369d3a23fe7

SHA256
9ad5b7b5c548c0e530003ffbf8dc530a41aa72fc258389c837de5af10bc3d471

SHA512
6594e67b5cd2c1fab75a614bb8e28a05b898e0fdaa699b5c602e94a1aefcc65f98e031ac233ae4f2a0542f0f8f9d9a5747acb26f236a72bd81ee39f7aedf90c8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
06cc7b7d4190577f8ce9730def74cb1c

SHA1
95aef8318cb5b21b50a5207a462047264649c35f

SHA256
9a14ccbb7b275860e8cd504353aae76a1aedfa58e11f2e61322ac2a825d2be70

SHA512
16d39821ddedab49528f16ae446d611f6b08ca5a9fd0c371a588faa614ffb20ac0d6f03586b87935719c9b60b15ddb24b030a41bb83a838bcf0b68fda4a1a9a1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f1e75573e70d63f2ace598ec53a69c76

SHA1
e87e81cd3f1b49f186f2e879b958c434662f1e58

SHA256
a10cb56f8b159294411491f7f021caa70699ff6dc7c8fb6d9d81dc70007f9291

SHA512
acc03499059311f9b3f992e4b4992239ef2bf9e139e8cd1a766ceb68f5482143bc4b62f4390b150f406fb58a7cffb7d304e163f2bac28b589146290ac3b13ae8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bf4338fcc8a656c9015e836b4353a514

SHA1
c087ab46e845e8ab9526930a585082d27f9e5a24

SHA256
b27835477520ae7e26803c5c2fba6a06634e890a109882dbda7ee67ae4ffd2ce

SHA512
04e9853263228bf559472b50d62c21dcb8d902483eef28e091c49468e2d3aec94a64f1709e1372334f00b0f6e29db76d04a50a918adb8b4b40b8496739b69331

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
7dfae8ed576aceade152a5464c18f8d8

SHA1
0e7891ac9fe73cd9f9df1689cc353a8cab864818

SHA256
21291c2782873f84057d77649c9a9aca3fe8e72b05cf5f5a7d0ace3ea09e16c3

SHA512
ce580beec92042343a8b9c5c56c5ad94d241a42cc95dc561230f8498929fda9df7b61875d1ae36614ec62acc04e5bfb20ab4edf2dcf6bc223599bf94a758510d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3a76bffbdde2510f16622a9335acb351

SHA1
98cf8297502e2977f31510aa15992203e4b32b69

SHA256
4b1952fff803706af0c0de8aba95b45087931a48c34217aea296f37952aec6e7

SHA512
37c7862ca9099653596e40a366e49b612871fe376a1d418f08ade86d7fc81f5edb8181ac114b796851543d0fbdf67f337b7105edee525e54ff6cd2b933b73538

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
48adf8c615ebf620269c1661044d7855

SHA1
f80de41e910c535e9178064544c680d1ac63019c

SHA256
3f22a140cc522d8fa67c9b2a67bae556d90aacfef37c29ccb2dec7d98a16e5cd

SHA512
acba8e9b4bc783089d19aeccb50969e19db88dae6bfc8d520c907a30c6563e7acfe25c0be945414763cce796a2e61aef1e74182c0d83542a30e526849764aa75

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
84e39293f4b3c859fa2ab7dcbd860f4c

SHA1
7cd1eff1c8d36b5036dad0d4da0be49facb9a0e8

SHA256
d1984e586dd4f4646b8a3d88371c1fa72379d297372a9647c885fb766b7128e1

SHA512
41649105cdc58baf4f74d8d7eee3e16b32618076e75510adc016ff0e2230f8b5c3a0acd8e2da6f0ad7e8dac8befb3febdddf669549b3faaf21c24c6515bd094b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
9dee28c615a6e417820a907d81617dfa

SHA1
62a911667821cc1084cf1ec68a41dab067fc64b3

SHA256
2a355de4906dc9ca5d4f06430310ff3916391a036a9ccc0a1cb312a77e5ba69f

SHA512
26449735d2957835ac853e8af088f1260ebda8ba91e604231b8184aeec89a0064641cfe32c812bdae6e1e0b0539bf190711ac461495384c18c68a5966fb3ad7c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
6f7aa744173f3646cda6dafbf095d65f

SHA1
b7e3eb4a9b9c28c4c98ef68551d861fecce68fda

SHA256
6fb143de5239ba27e9adc068b31b04dce252ef2d79de3aee563f572ba86d6a48

SHA512
6ffd05d3534f62a733108fed5eafff4ffd26d5e08d7f438561c72a85e5355bf3aba7f17a3933d97a49b94e51cfefa62592df961d9c40b171a5abab8f669b0fdd

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3b9cbc545ed35059bb9d565aae559014

SHA1
55116655fa6026bb83a43c7ee43e5fcb62de73fd

SHA256
d269b209d16f55540e7758b5d553e9852b8178e6b1657ac0eb25adbce6057e2e

SHA512
0d095c0aaa4699a3c295da77f49b0276f4dd02fd3cc44b14cdbe57bf7b9984b885bc435e7ba46840524c5c7c4634344306b25bece10344d49f284b52dd7a78be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1e8324dd6c76ead6e67e65bae6b26bcd

SHA1
3f977be0b941a7f35e39b471257566290e719900

SHA256
3a3601f1602b09d595957728bf85882f7dbd704a4493eacb06d6831529a3cb60

SHA512
b46094f7a615abce9d41e2788be6646ffc0f44783a62ad723e419fe6613fffe7544c433f5177f679a46ee6104ab6f744761f2e36e40a1d37cd81b83fafaede36

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
2b574fc334968ec8034db85930dd7d47

SHA1
f1c3bb6a750124d5415d1f4b2cc3d09093fbd6c9

SHA256
042f6f331b6d177339b14c0d8dfc8c97091a6cc754f3d12360a7f4768d8aee8b

SHA512
d5ff890fef281e8b2f3cf82198929a90932fc2f2a7c8268c4ae7f76b618766259657ffbeb2a42394988f08188855dc33346eed17d4e3ce612d399ed720079f88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fa6874fb7a11325d544eeaf16cbc327c

SHA1
f6697295b3641f77195b5276dd399ff9f823ac30

SHA256
17aabaf9add1c7d2b0ae09ab77d8686388fb3d80a3513a0bdc082c2b9ef74a98

SHA512
1a41c5d060414f2dae9dbec82e9e93cbd594f7bccf0533cfdc389d8de07565a4b71bd3d3f758a57657c93472a697d55e3049b9b090a92eb83e5c98f5daefa61f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
b1286176a47a9d53e1ca43faacdfd446

SHA1
f8c063d39bfd4b4211c4e83a2a12126eec34d28d

SHA256
f5b1dee9f990822fb5619f970db0771a7c6a9993b43612ddcc1754beebd7279d

SHA512
9fb37036bffa65ca277087878439f8fefcce6b148ee3a32577f9d7724e42b61973f0088562524626b0097efcdb0bc45e8437e9f41b9de4de2fcbca4a5bc14588

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
a04d82364490244280122dc2a9f39e42

SHA1
12beec5e1fd8fbf87ab368d7ef03fb14d33cb25b

SHA256
443a12b52d6dce3eedb886ae8952093b81594576b625fe2bce41b85d1e48b9ec

SHA512
e04da2120a388ae655f601531c43c738be3c9141fb700e5d372376c5a4a19251a6771ac608897322a9a80445461ec0c3accbf9723c4dc9a862d21b9be727602b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d035ad7682a21716c511f68659b09866

SHA1
d965490713f870ec05aa0719a01e461729fb29b0

SHA256
d305dd3af929cd3e6b7b358a2c1518fb188b5f910a0ff7290f869713fb229859

SHA512
905a07038dbda4f571ee7b3d2b707d85645344043a234f6a231f7c267dcb7a460aeb55619410918812c9cdfce99f53b14e99f199c8e90d65bf1f84d448b5b71a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
98e57c3325bcda651788491057d5d712

SHA1
87b95620eb65b95e618e928b2660fdebe9ef5289

SHA256
7cabfc81f50c144e2626fafecfc9ddd75d7455d1cedb47e891028a8beb04e59f

SHA512
0a105b3a5d36010cc701c57fcce6f8c42e0416799cacd209f532ecc77cdbb95fa9c7d421cba01ced9bf291a32bfc40df5c3b580dd233382f1fe2f76253646614

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
fb1e25e044fce5e67a81a9ca3adfc8f6

SHA1
9c56404526d3881146d871c61d852c5b1c3ac21b

SHA256
37b10940f8369f4ede336305cf4b79481eb03163fff3481f2e9d6feee2293889

SHA512
6816f79b2e9343ed3500a72519307360621ba27a282e302e26a5e685935440e154ebaca1b7a901b9caeffa83315a712cc281ae81f240a81b226057bd5d4b80d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b634317e001a16c7daa54f78e0ced494

SHA1
5b7e642727fa3e578d4ab5aab27787c980d14bda

SHA256
c4fde75d5a8c194e5b057123c34bef12f3448fb4a5adb5ae997c54f3026f8de4

SHA512
91dc9cbfaa66ee698cf00cba53623241b2ea4d6db685afd2d7186724b029b4929609e7abb2bf5168aff95b99fb87fc017425fc4b6fa7bd6d0c3d2f2ed4d5ca7a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
cbced9768885df4b6361318cc5ebf35b

SHA1
33cceda4ed20cadb2cee4fb9ef451a7d5ed44674

SHA256
8e28a6188053fa0eec224cfbe2950181197288cb5bb40a3fa80b2f03e046b9fb

SHA512
aea94f1c1040e39bb9575fb415ef8c40e7a99f9861a7a9e52b6fbe787a494fec5edb1aa18f03c0a14d84571161ecfb30c5c6eb02d87ecd96160b9446160c9660

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
319687d81b234cddae420eed76b2f656

SHA1
49fe779556213c220972eee5ca7889915019e04c

SHA256
2b6881de99dbf7fad880b7564c7a37969975c353ca615cc9d3338c85dc847b13

SHA512
65c794fbfa66703841c1542a267093bd97ce961f7f7da6e4cbbbe8efd392e0d91bcd0a965c9603472fb8e8062da2ed4472b923477fd50918280eea0baa44d273

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
455246c1303a1302e0ca62fbc5e76278

SHA1
41a40b6825b512452e4ce3150edb2e13c7c3d3e1

SHA256
0a9370f9c2fdc79ed4b6458c05fddaba5d058e6a4126c526e3c3f06f908c621b

SHA512
f047afb188890b3a47648f91d35657f7f7fced956df0e2651ef2432e370c102881b18ba7796b1751477f70e77c0a8c4955be819f049be0824eb56b696fb43b61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
2da821a11d72df5d732d1611a1b2beee

SHA1
528ccab50bc3375fb48aad54c3ce2883f31c3e7e

SHA256
c1226ba7240f483b9e2220ed2b2f8fd0af5031a853581b0a95fc84024c496e84

SHA512
27fb23726e92b85a060004a090760f8a022541ed25ce34fb7a97790f4bbbb41cf7621e266fbc296efb08f538cef5e36ee5c90370b7820b72c95ef1950a0fea7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0c94ecfec7e6b2bb13c925f644e3d9f4

SHA1
ccf84251fd0bebd205e4ccfb46bd31edbb5b27a1

SHA256
ebe5f31a053ddd0e60ee64c7144631e534bdf135fead94c38b89ae886f97def5

SHA512
63baa546b2b23d1ba2943505884f487f15600515eefc663ef4f9fc9902aa76160f21e77e3a862986f6e6443578ae588f2ce11326c73209a3726ca5c3df70ceb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
07ec0f1002826ef00003c9d0df1fd2d8

SHA1
ec2e7c73f327b7b8452484fe6680dc8326dfc677

SHA256
dbec0d36fe2b029181279953967187267ee09c0024b2d838b89031e24392d214

SHA512
308ce12091f6bc5210bc9c46c7478e1e9ca53397b686cfd278a981a1e3f8b9842a0a29f53fc1fea760ff0c9802f9308ebec3bbd169ee861207af6beb8f852956

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d09c59f80821c09484832d9cbb2ae736

SHA1
87d5ec9d96e6c21453c01c729196b14ac55ee830

SHA256
582d957fb98861533d6060c30a3d8f8a50bfb28bb302d25af931e3bfbc11bb5c

SHA512
b345544b97f7e56eac8eeb704ecf7b968f18b0d650470fdf54f3252788ae99237c461e64b823168eb9b354a9c6c6bed73df820ef28a5b63e98958b91ecd1e134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
a19ea4e5bebf95c69362e03434e9453d

SHA1
1b22099b960778a35ae1d8eed9a48d4231db67a4

SHA256
8e4678a86e1bd7e82ea9109cfec3facfad6bfd55f3acfc5d73597dfb868fdff0

SHA512
2972d94ad89c53bfcd0b91e8be25c2f01df0b1c397eccd7ff1b8e12faafee0c2783ec049942d90660da64950c950ab0f4ee69ce1679ebffd634a685238485dc2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
82bbb4e3bb7e625e1449cd52bddd4b91

SHA1
ef4651471a257a6bb3e8ece9705481f7877b30ea

SHA256
abceac368f935157fa491a5155174d59ea42c2fa0f31594b8e55582b233a31d5

SHA512
56fa281bcd5f88ee3115e0f961c07fd3e12e763dd26d5bc433a02c34772e7c8e4a17bbb68d69e8f3a8caeb2991fcd9a0b7d64c33c645294e688cc005616a3def

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
befab425973a0778a8361bf84badaec4

SHA1
7a2f56e8c7d7cd6f870bc861dbc53d914a19558b

SHA256
b5efa5bbfe42c8eb815741fdd11a04b8be8f845f44399e2baa575945554d456f

SHA512
85eb64b3f9a812c56ab4cd8c7d36279ff6f4222e0b900368488af9d3c552f165aa9ad3aaf92a4406ea0e9c8a2a2e55e8f1dda2bc87943740ceba09e78b17cf48

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
beafef730d1f672a4088f21156d07389

SHA1
de6977a3e62521c1b3a9ad72d4aecf5b7f554965

SHA256
67dfe8bca94034ef0a1056a4720c79c8bb81e727f7a180d92c0257116f167af0

SHA512
88217ddcfba4d0a94a6b2f3f0ba1d05e31e97604e5b54fb7166de95675daf8c5616b831434e169baee4ad678d9e3883b28f7a9e1e5981b571cd4d3086c994642

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b1f9bdb4da26b3f5783e8e839fc0919

SHA1
e307bc8cf02990ac22f1efe5d09d80670c76aa37

SHA256
62d5fc030eb7d4ebc07df53ffc0fdfb6c6db23715308dd1d84649da0cf0e38fb

SHA512
fc77055d592fba64da106dd71825f08e978c0d909ca98da2072c28ee44a0c6cc822f0124eec7c01798d1ada3c69e9facf88a92a97e6285f6f80b2519bc9cb432

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
4f973c827c377b9cc50e5d0371e953cf

SHA1
ec793a16d2428cdd75a3b325e0e663e3ea9273b1

SHA256
b62a88c52c215027da2ce67e2ac663cf2714dfa890d6c94d551cadaa1189e0ec

SHA512
eb71d8dce0b769a08d8c894bebde6a48eb67b4af0f5120f2a1b314ccecfbc8adc126abbc292d16abb09918878c3684fba0f58609711ba2feb7830c294f976483

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
26689a707099e5399fb5447fd73b6ee7

SHA1
b43d2ad7c3f4980b6aca38ece6415077aa556e53

SHA256
6048fb4c784a96ce4f0a531868abd33dd6d19b4bfcfe03ed87e86d67cb06e679

SHA512
8aaaeb64c22e8798e73b50acc221c99757c9b2e09d43510f55881f318c51232a175a4a5b37d543d675e19017d1c55de60bb930f4ae689d45a6af581ae7d0d0bf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
341ef124bf420388dc01d7b9e2794c8b

SHA1
d71d017dc6f4949f563608ec22f09aa1f1db5192

SHA256
886daefbb45526e3f833e0216cb4d99a79047514d554548566445f8bfac6f915

SHA512
569c867e2c2ed7d8c26ff98b8e82b5921bfa979c32d87140ad064a3b404c6152e66b9cfcd7d0604ad921464b54d894453c97534015df8a4bf24574275b4698c6

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3affde76525b6feaefd5ee6d84a63f51

SHA1
7536b9853ee8dcecbd869b557e46b53341dde328

SHA256
64d54112b679832eb3a0148821772ce6ff46f4c5305061c5f9751ce034eea3cf

SHA512
144d187ab83d105a8f34733e4ec9ba2c766bba3f31833dc7c489a98ca27af6591a8af57b36ccfa545ce29a2b1fb3341d6fe3a1b0a77df91f530dbc494e8e1425

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
1e24e63abd1eed3b7928964afc54c9d7

SHA1
66c564f6c55d9c0a5f974f9aadefc981c2b042f7

SHA256
2ab232546e268b4c145feaa62e1068091de8e8d4ed917ddd9662ba37cb958167

SHA512
c29cfa1c31e0c88c63c0969d1b8c91ef9c09f07ea9fa28d460787f855900851ae901522fb2f86a5ae22e02ae4b50e987559e71a55edcc5425156d591c1dae476

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
07627df7fa7ea5fc2d288163358325a1

SHA1
07e1d7dbc4f35c058e78ee2e1059564903529fe8

SHA256
e7a8d24b8c764a0474ca2ac9818663d505c19e4ddea857f9d33590f985b945df

SHA512
6c082e4006126a8cf77e666923e1e90b9d0ecda5ab4dd1cb204d785ffee4868dbcbe53e19dde932ef3ffccc644fe5c33481cabdf201398212a63de14fbae348f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c6f1e8e7c021e1d0ed62f0610b4038f3

SHA1
fc9efea3e75c5b7d6de58d2e8489ef60234c82c1

SHA256
cc37b48f22e2e6e08de3d55e41fb9efa4ee12a9641316d7c8aa71c26fb0d30fa

SHA512
e5487954d52f04f1032bf41ca112b493a8d4ad9ffc42a10adb4938a2d2c14b6ab38f589c26a1d197c154b375a5257fa724ba57db8e56b111f638981849233708

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b92f64996c39eae4b10b8084c2ab2a67

SHA1
747339013a6140648e0dd26e70d0b0d370055b43

SHA256
f64cf61ee178fffbb4106b398cb2c1bebc7fcea576cdc17931c3bb83d62ae715

SHA512
cff8521fcdc4423f8ddfde9dafa3d1cc95dd1942a42a4d3a580f31625c7fcd8975f5c39b30643a6459ac7a19c6150690c895128289e5f9bac5c8810c6b8b9f3b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
67c7a26e90926f30d1721c21271e168f

SHA1
ed0f5264068efa86da1d3bbd90a6571810545392

SHA256
921fac287120508b3d62776e7ebf306a5d2e455f47f2c9152f90545cf9834f23

SHA512
270c3e42169ec951ef4ba96ee83ab7eaaa93ee9de77b1c3a4592ee685f3223f1ecd6aed34368414aed67e6daf2f7425a71a7bc29a679abdd6b1e0893ee361151

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e4f742c98d68029afff0e16a1f91f046

SHA1
91fed8eede54f60657dd25d45a95605c5f872fe8

SHA256
dd82fa01b7341ae3f54052dce11519418d3f87fd31b9a15d8a1eece179802492

SHA512
3e254b48d0d141973153ba7d9b71ee8102e37e72cbe580508d50bfabf2896725504ad2310dece62625a5f9c8cc20c8a5d8f06728b95c73241949cc868fb6ec7b

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
f0ee18bf1c7d4dc64245205bcb31166f

SHA1
11b05d071be1ac18d46c09ee9e2e8912ccfb3fee

SHA256
6f52bf8ceaa5f9ab05b0b5edce39507cdc33824657f8f81c89f1e63bce6c5bf4

SHA512
5dce360693bda60e73e4e45509e341c0c3520534957980eb05d5520fb8470b66536df53242abf0ac8b9a12478697ba8cef3ce4c0956a79aac26bb7297fe1b354

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
16f6bbd4e1cebaba713351b64aa18125

SHA1
529760acb4829e28f21f3113b53cbcd781a04360

SHA256
975dfcd33131a9d88f4cd6ea94dd05bbb4f59dc2fb977a17738444a396b07275

SHA512
f23247d68c0f1a91fa8fd3cc92f8e0473c2b7442ec060bde779f059d5f1a98ecdcb197c1a029736ffc58003c1dab11e13e3a5965c7427d13743f5d8fa9a9b288

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b1468c22f01520b57a6b7d6d6c5dd843

SHA1
1fa4bde6818d1e5f974bed554e9c2616f86b0693

SHA256
933f2ea83a89d0423561edeed21f24211cfbff1a1959e777b6192e5e0997e4ab

SHA512
31162dfefed50fedb74cbb42e8e6a5d59feaa333430cb16f2b6fea27a7b5214bb705bfc7768a1305952bf64f7b5a174225ed58dfea43289d36f5c7ddd9b9f855

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5a0a1f7372df3a0e2b17ec97fd1d5ffc

SHA1
feb811b9d733a8222bf8afee682100941a1cbf2a

SHA256
b7754b9981e0438c25bbf57cf51023f42feceb241a9b383ae9bf70b37703fa6b

SHA512
b682c779a689710a843320cd25f2481c9549687571375966660ebad45b0a46a6f99790c46fc530928c26c6b95484bb77433fce6b999d99926cc21bb582a0987b

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
efc8ee930042a158653718ef671c21c8

SHA1
f60a721ac1ee53ca2072bbb913698a1afb73ecb4

SHA256
f423134af6ab129971ad8d7b4a26af28c2d2a1c9128606fff02566fb1f70c4dc

SHA512
fa19b55f1ed520501d0f209a7e0e61571e7cab6bb765e76966cd2f23d1f31d68990fb8da1f0bbecb6ad006244343c5d148d3e6e5274e4668dfad0e253d5eae2a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7a5e170f908b558681849097ac4935fd

SHA1
e31bde102ec24bcb03f70909938f4ad8dae80192

SHA256
1c084b6ae5fca25ae45aaacc0aaa145ea8358a658d9961f9ab5b6eb0be81ef58

SHA512
325d8bc395a3f2753fc88c36e97eeb91fe64422fa7374e0229e30327e51d4e9a7d32bdbb0f892063115a0955d7cbced7ba1dea840e6b68ce676cd54cc5d826b4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
31d63b98d6d92808cc7c80ad7c42e09f

SHA1
1a2d9fb834dcb2fff77d353a2b60b076ec348b91

SHA256
a07392e2d133028236524e3c2e6e1b27e38faf3b1208bc73ff0a14ad523f3634

SHA512
a7ef33e3400f1c6f5c7f59c0041df765d2b6b211d79f5d67d9e3e7a3eedb7677e92d977257ebfd3204b6de334da8338e1ea393a7045f4c688976df8095cb1735

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
e3863f107b52b1db0fe14a1e53716151

SHA1
2bf3c4bcb8228b48876e85b3ad65c6fb7e86b305

SHA256
58927d79bfbc7dde09dec7fea0a588bde7e7484aca05a4de2253e79542596de0

SHA512
b25219744d1fe90d7d3f92c43c0cdbfa0101fcfad2f912590fd5ea07c85af6c41d01bb1d4d5861a6f9c13c9e050b7c75a831c34d31c43804758d3a796d7f216c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
19501b423aaa15d37a12249bf6400e0b

SHA1
9ec61919d8a7cd48a11e0e569eb2263b5098b0f6

SHA256
9f532613f412c858c90b523fa4ba10e70b88337c44c1a4a2afd3052e410f4f8b

SHA512
0e262a60769a75f9656caa60387c4dedb8b305f27544514ad593983861fb72ac066c64e85745990912530f9bbf69a06eb1646bd9299dc1aa0fa26ac13e4fe103

Download Submit
memory/1604-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1604-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1616-192-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1616-615-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1828-120-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1828-229-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2128-102-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2128-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2736-59-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2736-53-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2736-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2736-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2784-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2784-621-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2888-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2888-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2888-22-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2888-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3036-156-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3036-465-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3056-476-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3056-8-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3056-9-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/3056-73-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3056-0-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/3056-475-0x00000000009B0000-0x0000000000A10000-memory.dmp

Filesize
384KB

Download
memory/3100-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3100-619-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3244-616-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3244-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3292-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3292-241-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3632-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3684-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3684-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3684-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3684-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3772-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3772-622-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3852-613-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3852-181-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3932-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3932-567-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4420-34-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4420-28-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4420-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4420-35-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4420-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4504-253-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4504-133-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4744-87-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4744-82-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4744-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4744-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4744-76-0x00000000016C0000-0x0000000001720000-memory.dmp

Filesize
384KB

Download
memory/4832-48-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4832-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4832-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4832-40-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4832-46-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/4852-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4852-623-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5080-115-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5080-217-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download