8e6791002a1cbb9b00235319e71f68ab520185f48d2dc4ec4aa42de00801ff1a

Analysis

max time kernel
117s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c79c08fdcd271e1752204421917319f0N.exe
Size

1.3MB
MD5

c79c08fdcd271e1752204421917319f0
SHA1

4d14e99a1a5cccab6a68fbd0c5bbb3b0b3fefe6d
SHA256

8e6791002a1cbb9b00235319e71f68ab520185f48d2dc4ec4aa42de00801ff1a
SHA512

a9c2bc2cbcc607e5abfe99184035dd77635c5d5e71854ab1583b6846bf2c599d56392d86f0f7aa909f39ea52295446e8d02cd92e49f69f0d6c044fb01a5274b4
SSDEEP

24576:x9Rmlh8t0D+7y8G2G9yL0cMoThTR9PyuLzpQo:x9m+brLC2hTR9quLB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1556	alg.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
2964	fxssvc.exe
4428	elevation_service.exe
1956	elevation_service.exe
1608	maintenanceservice.exe
3580	msdtc.exe
1944	OSE.EXE
3892	PerceptionSimulationService.exe
2036	perfhost.exe
3356	locator.exe
620	SensorDataService.exe
5024	snmptrap.exe
4828	spectrum.exe
1596	ssh-agent.exe
3664	TieringEngineService.exe
2208	AgentService.exe
3156	vds.exe
1676	vssvc.exe
1244	wbengine.exe
2356	WmiApSrv.exe
4400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\System32\vds.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ef4ce78a5325400b.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c79c08fdcd271e1752204421917319f0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F23469F0-29AC-49EF-9260-16E5DB697B1C}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c79c08fdcd271e1752204421917319f0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f33a9236edbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b9424226edbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccbb2b226edbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c4308d256edbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083a637226edbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000014354226edbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083bcb2236edbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
5072	DiagnosticsHub.StandardCollector.Service.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
5072	DiagnosticsHub.StandardCollector.Service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe
4428	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	900	c79c08fdcd271e1752204421917319f0N.exe
Token: SeAuditPrivilege	2964	fxssvc.exe
Token: SeRestorePrivilege	3664	TieringEngineService.exe
Token: SeManageVolumePrivilege	3664	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2208	AgentService.exe
Token: SeBackupPrivilege	1676	vssvc.exe
Token: SeRestorePrivilege	1676	vssvc.exe
Token: SeAuditPrivilege	1676	vssvc.exe
Token: SeBackupPrivilege	1244	wbengine.exe
Token: SeRestorePrivilege	1244	wbengine.exe
Token: SeSecurityPrivilege	1244	wbengine.exe
Token: 33	4400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4400	SearchIndexer.exe
Token: SeDebugPrivilege	5072	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4428	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 3652	4400	SearchIndexer.exe	114
PID 4400 wrote to memory of 3652	4400	SearchIndexer.exe	114
PID 4400 wrote to memory of 2900	4400	SearchIndexer.exe	117
PID 4400 wrote to memory of 2900	4400	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c79c08fdcd271e1752204421917319f0N.exe
"C:\Users\Admin\AppData\Local\Temp\c79c08fdcd271e1752204421917319f0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1556

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4908

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2964

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1608

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3580

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1944

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3892

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2036

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3356

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5024

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4828

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:632

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2208

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1244

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3652
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d9ea33079a3eb9a8f8f7af935fa467a8

SHA1
d7761d84dea24d600f8c611a7e38b76a08266015

SHA256
f18c5834b60b213a13015020f6e4ae35bc01a22c6d36b0e5a4878b7cf1cb57c1

SHA512
f5719e7c3150fa0ac4b1b359b7537633fe858f17544dc3a31aa5526bc8738439e0b09c1f4654e7b4e295faacbd9441e794d7562c0ae00a05f6e5c56dd592935c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
b21646e16571122041b4e33ec7caf3e0

SHA1
60c81a1dc4582e6b6ac44ed7e3d43c78b06b431e

SHA256
cb179bc452c5eb951c450c62822582ed629da521949e69492ed79896dc796333

SHA512
22f0ebd35ad43830ad89d4041d02ec9e41789011f1099d7e65ebe71da6bc8518d1a4ac0f5eba8c4095cf9e64d0942a4efa710a6d30d83f750637daac78764b1c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
0cfd4ab7ca420db0f3048a1d42e34a53

SHA1
0264623bd088980e463d5a46880cbb173d36c411

SHA256
5e9e803fc4c34d84711c274c52a4ca6b8bfdb483c310631482ec127b7f7fb345

SHA512
ddeb9afc5e50f6ae58b029e601fd60af21250172c168a97b660adc704ee0c7ce1155c31a65346c800b1ee15875d62559b04fb2627f6e41314eca4caddcf30890

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
955ad57d1ed83a9e83137770b1c2e3fc

SHA1
ddbfc4168df6ce8f3fdf0f2f0224e6ee9917af2f

SHA256
329f17d3e747191c611a67213b56214ee7d526746d1baa1c804f0c1c120a6193

SHA512
b27b8ec79d4648d6367c65889e1c4707b076cd61346cb4aa7812a7b8c5dbcd422d4c85adcf6149fafe48f87dd3db7feaea1de6e7196305158dcca72bf7b9a0a5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
da0a4b30b276cf145701fe86651f33f3

SHA1
3af21f3eba876ee2ec5e86bd60a51090cd8dc90f

SHA256
a31e489a9e17f29770bdc7c99dd277e77a250c855e819f1a61cef69bd805326a

SHA512
7bb701bfda2ff2615b012d2db8096fae0c1ab6c5efafa5bd32e6178dc876569c3addc32feb94ec54c3bad1247f32af8317efcf1dc3d5a9433db389a3b72cc01b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
d009be6e187f4567987102319565478b

SHA1
101b762a668cfcc6526b7627d6b177d6df23ad3b

SHA256
2e013cf23b2f7df98e89108c5d2dcc6dfcea8d087b15b0ad702152a57e9574bb

SHA512
e706408eecf08630730cefecb882acbfa661116e640617d774ae6d08fb2d93f4ef50593fc0585947cb3b8ac803d378e6883fb74d1cd0282268e334514b22be72

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
e2ceea475a1ec4ac7c92d339b182abbf

SHA1
e712021f1b65075142c05e0e77c0ea81e6e7022b

SHA256
7ed3f46dfcf19a146b8473567ea1b8544a3266827bcc023530d886be406f995e

SHA512
19e79527d163f1bf9bdfd9e3ab9c45139d2d4ad4a268d2a56a08dc17a073f76c45cba9b1f018e5622cd7e44b6bde86c1ea2c270614c5fb2c9ffde2921d5d77f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ad3d50a9c9e6bd1656b69e95746a70e4

SHA1
7c0765a7eddc7831037cf6219a19c8c0e0ecf873

SHA256
f25131f52dd949299cdcd95f6d5b2912ec6d679998d46de840e626e92a7b8f5b

SHA512
bef34ed0a96e38118f1e13d91ce132965233cfa8b555ad8e9dc516a2b3c0bf2632242011a5ea16b3c2ed1acc7a070b23ee12fc48d1ac9651253c882ac401a462

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
613856e7641317e06ae0504d01bcb171

SHA1
9acf7fbffef98da4922086816878e43f0664e294

SHA256
3e6e17e487c8eb8eab6bc306769baf4932004658353a42e9ac642256fff3594c

SHA512
81cd83f5d3b25f368dde120042ccbf87c3f730bc92b42f56b531a8da679786aaa8b619ae434122a1b40de68d6c79f2bed8d69e47ee18a0d804b5d4d3867e37a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3c346363aa0c7abe6961e1c30855529e

SHA1
7a16490bea6eaa45ce0e29fda3da236aa56dc452

SHA256
4b5032f9df90e67637c94d93bd031849e0dfa0ccdb5e1372e9c67777a60132c8

SHA512
86e09fb8fc1e081371239325035ddf78180a32512867cde8825e0af2b7af41ae1d7ad66caabaa27e575c50156eb92a34937f27dc1c8c03d94a845e00eccfe3db

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f4b3554dfdec29bf14d301518e635108

SHA1
ca528f62abb67e1eda425faff07f80fa2a4f98f7

SHA256
38c6f796de369f827f7d3fdf901a14635a8ed919895103dcc0adc2231f667091

SHA512
97addd8aac85ffab9ecd4817976cb55aa0855f40a65ab2fc06abba10f27317d6e5828ef14a9c012c67796fb3af2b53572be739e41468045a15472b1a4094de9c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
658655512d292dfd79994b3a082fcb8a

SHA1
5ede6566e8dc932737a1ad27a65ce8d030b42509

SHA256
a094ad258ec1b50e8d8d86a51e09355afe41cc6ee46b8d87bf52abb8d56235ce

SHA512
88ac8181a9150b6b315d0fad72e59154c942aa0a232eff4b273696102586974d008b0832349a7f3b2175f4333ed602bbfb2981d3861c3e2b8aee97f00746602f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
7b138fdd532ac0b19374bc01c1f5b79f

SHA1
9e9603849f3c22281af77250c2087f7218d08a8f

SHA256
381599c71f0f6769bb6b8229282f9fbd15dffa182b8f597e58644fd19043595d

SHA512
53e737a808b1bed006e1f9310b543ae35440fede5a43e47a8538a0114f18a6ad3c42a4d1790be6969b641514237c366699bcd7d228c15012be54866baf503634

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c8acc6ddcab95ba058c341657c558453

SHA1
59e62908918089fc6374611da6d55a7470f02cf9

SHA256
0addb31300d0033680b1ebd0d01c9e29db3c14ffaab770b310023ceee69d0bc0

SHA512
8094204da48fc3a54beb3627c07bd5b002d4f0c4ce09107700e88bc49cc6acdf4c205810f3e38a95077fa7e81b646b67530568a84a9498962d7184090d88b16a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
227e175693a1af0891db62a85d198199

SHA1
6dab41faa54f2c70473ea1c804c68cc3b9c37f20

SHA256
f43013c5a8991fc8b82a3582fbd0e9c0d7bb2b27fc9c927b19cf88faaedcf1d8

SHA512
6dc4de0fe58813e708a1a2807b681d8c4b54e7126c9e27f03fdecb251a465cd804103c9233e460d3e366aa6785ea44d4c241467a35ace8e8007a8b6442c2d0c6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
9e42edcb45188a15ac2077b68981d4ac

SHA1
07f0e01738c531976382e8592cf305742ea00774

SHA256
0f205ac693758ced68d0337c80c0d42ffe43f241877d03b99111788322928acd

SHA512
21099d6a05ffc46be24fb16f27e08b2fc293fe3e653575d92e0170f425fe4ec55c693eab33aa0c36e930bb8a897ace3d4bda10a0d1c2c94ef12315c42e98aa0b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
fe5a32f3c056abef2f36e4d3fc7b9b21

SHA1
8482b195dd27eb8ca5b6c0703253f6d4edaa7b57

SHA256
2bc62f33a0d0c9a3a57bbc1795a75b066f6821cd2755acce5bfb29455ff3eeff

SHA512
9cafdb45ead8e45fee7ec74d6ef292d05c59c2b172ab5093d1c0f4144f1d240516372c63a80a893e56a76dedc1fb73441d24fdd5cbd8e47eceed7cb894fed1df

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
7b05ba58380957a7af47037994c54df3

SHA1
5c3c4b2edd04cb090bda9abf30247983fbbef8de

SHA256
23721f589c6dbc8fd8e624415f11ec9eab047caf9d61213b3d54062fd1f1679d

SHA512
621b63cf715803f465f63d4a2e68d66b74376afaf4a3ef0160b40be9339348855d2092c0b162f2e30bd1772f192089271175b321c2c3dd23724f8561bf8d574f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e3074acfe79209211090599e16c6fff6

SHA1
282760f67d37a6882bdcc67fc12bd2c5cf073bbc

SHA256
68ae763255a776b5e4cf72a5fe1b5ec2f9b87326eed5ab95ae3d9f4b9477eade

SHA512
f6b97779dec372e80c4219ce083cb734d1615138d7e8996930e3d437a2dad49eaaf9d85eb93d1a26d963b647fdf69a26bb5b756370145ede15dbf6a10f7d8626

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7933d85ba622fdd1a8b37e72ecbac277

SHA1
480b3438c7d4d3b652633d57842d6c2a5c4a34e1

SHA256
96d27ad452f59d6e9e29a5ce96c4799088888467c569f84029ad3f4e73d86d7a

SHA512
67914a16b68536ad8be7ab25a6e1f598bcb84fdf1abc832caa3cd62929da14602bf1b251e4d471394ae5c8a0ac88943523e554afcd7b7a673f0366f2e3b461e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
dfe95a6fee8ae34b44bb035b6ef38eb6

SHA1
aa1ef8a86a2204747595b73ec5205b91622dca36

SHA256
38b8b63631c83289885505c381f2eb7dd88223203d0a0a37db71e58047a21285

SHA512
21a07f2b293ca429f54fb6ce1e55a2e9eeaa56f63a69a466fd77f308f4a831b18397de520333597be0b67e73e9923c6f9723da7e9da6c2c934f3cf44534a6d08

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cb600dbd00b82af7ebbb089a1dbc5a6b

SHA1
47fda7fe936a3765f65a03ef2611d90de3671e5e

SHA256
b871931fb8e131977a6d95d4821134e76fa5b713be2d825c4d4c0375dac89cb1

SHA512
3c83be289e638b33efe8b81ba29cacdce614c6100beae36ff3f65532a60f8a6880c23aa7e56b40adc9bb516c5e58b58e725592261012130338122021f3f73cb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e98858647c6776bf57dc6b3e9535ab02

SHA1
13e5e5db2b3eddebd01647ff74788c66751fb68d

SHA256
373532ea5b271d099882962fb736f9369bae196efd7cc3b5e401b4091d7cadd7

SHA512
c1ae566ffc102ce4ee03bab7945906b48d0eed80624f4d2cb6a316851822302f04097ae53411859a63e29e76dc862c3bc4fb67b44e81aa5b552688f288fc0069

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
247c935972303d3d3558f7ae2d60d4b7

SHA1
63523a0c04c5e4def235c74db8a91e31af44225e

SHA256
ac0978b2947e186cf8ab4e28d3eff3670b3bfb067c21afcf67c8295e36ddcb59

SHA512
a9b962378ee4dca8141c65e4398538430ac92232baedf176427898d09482cc1d878bace0f444dd207564f0bc9f3ae01e6c26251424880e6dce7a407ebdc3f1dc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
f2d2cf49b8dcfdf5de0e88df56ba7714

SHA1
529d8ec4ab1985928a697a2262e0b98c86f52325

SHA256
e36c2317a7746e409d196b65ee43ab769424f66c64161c073640e03ed6f94581

SHA512
2822ece1c06a66aa79b859779aad530d91c689019c53bcb3b2c3c9aca3d6ab554b6a98257c0d40979ae82027c4f7cf3457f7c6c12bd1938496199f5bcb4cf5c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
57b35928f1456d99a2cdfacaffd0bfe8

SHA1
5e42bf70b4e7b60d7d5e9a5587f0a909395ff3da

SHA256
366db4afbfd8fadfd1b2fbd4f3a4a1168b623fa3fd7818df1d6612502419e9d0

SHA512
62caae82e42caf4813999d6e523568642a545ac6c11d3a8e7a3cd9cf9d33861a88d8c2b8b8cd908f59f66794ac5c73d82b3d03193cff73fd5ef7e43b133c3566

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
26d88378fc34737fcb1cbd415317a508

SHA1
dffb8f9019bdd081899b2a63f2fe5bd42dcbfcef

SHA256
a81e9655763180cf5a48cc55912bbe8d91672416d132836d0aabdea6aae149a0

SHA512
d6d6e9866799489d60ddf8b2fa04de6d0a0bad2d85a6f97c7f2125ad4f61fd37b8ecff51f815fa608b7f666b8594d5f11ed0cf3b44cf9c925de21c1e641340e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
ab1b5d3bf92038c315bab079193aea50

SHA1
458b9b8664e8b768c4d0c898c4154726ae0daf74

SHA256
420ffb99304087d492d7c1a1ca4fa7541a43e5dbb8ab892a1848c162b94da7bb

SHA512
e65bbf3687abb6f90eb358a3560b99a53e525be8d653662c07d08828358fd152e135b438e0f7b4854d84bb6e6d3130a93e2b3ec995799319fe1ec6a17abca264

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
435f738daee9660d15a7af59d76a90dc

SHA1
ddbf3d9278606d874e778926ea0bb333c3184d93

SHA256
e8471f0f44077fe83c997747a0e56dc61253d633e2a3263a51a52ff388382b76

SHA512
100a4d53487ef6b4b2cc1952d1abbc847c9c5e04c1d905956d7798c53b6da5133eae2d14ba6f8a4340b0d051e8a1839f72f9462560f444804d479ee591aa37ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
129c56a3c2794b15951ba6bee67eb1e4

SHA1
803ba5706cdaeca36bdfa050b2b16bfdab7a318c

SHA256
8ac97c4fdcb38fda36405970a58f07d27ee23be999d4ac1722d1ed8d90aa7aa3

SHA512
6d8b36fdf07c8cfb7c4d26c6244f284eaefd6830f97acfd70a8457d5e30113236ef8b37fd06e0963ded96ee778263df3877914feffa775bee3d1be109b1fa866

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
e9317adb8998312d98b3de15247ccbc7

SHA1
adc3dacfb90b4ad510852264c5b38013449ed78b

SHA256
a33e77c2b36514b2c8145a0078fa7177b2e1e707d0bbf6844815f3a3820ab130

SHA512
e819ebe9994e2cbf8b0b479c148ed91c1299aed67dfd058a744db3d74852ddf6923e2d931b5f5204a98e35b27ce95e85e19d24bb511b971ddd04419e6e69b9bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
29747a898c7aef04874579ba87fdae6d

SHA1
2ca45364c95dffc114da085113af769f01d7c6bf

SHA256
3ff509583be9dc3ac4ec6f37f82698d4c26d5f372d6fc225716f3f1202a76aa8

SHA512
30ded2dd499c9456832d9eb6e438b71f994e7563035ddf94b7f8ae8a544d5c67e852c4d9cb751fc3762667f6ad0f2d5c0ec0ee9f7431300740ea8f436f7c0542

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
93237337dd78b9dd494af98a9b80715d

SHA1
f2a052f2680f9f3587c277467703b81b5f0b99fd

SHA256
6232f1c186536f9c2230c5a645429c77f610dfb68c6ccbcba5e1c21adcc253c9

SHA512
8df05cad43b410fc9245584d569ae72690759c8d6b4fbc51a2eb816aa20e997fc6f14da15a9d10ccea647c52184f27ac0d4f1f86ea07c15c86292966d55a5d06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
15528ca4aae30075e249113a213c8de3

SHA1
bfdc2c80580b93733401b404e6705ec5ca385b37

SHA256
c8f3c4b32f3a0215374a744583951b97f2e119aec8c550dced4b7fb13e3c3962

SHA512
18332a6e47d6e25fd132f562923cea86d5aae526c1d028bce5559b5e1b20617e43be9711dea21ccc0e5bb41e1db75e78de47570c45f8823e3c57aa8fcc6d583b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
ea4f0c54314f8810ecce8ef69b820d97

SHA1
833ce70ee7384a4ef1e2ddadd6d017a08e686d6b

SHA256
0a049eb73e5e7a7723b6fb570df3ac3202428936a212fc797ac3e074b8e9fc42

SHA512
ee49d6005ea76927d64860185ec057c8ba39680174c32dab44d1495caf3703c31806bfb7677ecc8dc38749b1e6104a14ceac546d08a4e9267d73295f826015bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
0adbb26162772446885b1aeb9d1b8fee

SHA1
1de5d70a8b65454ae93984772db07903307f2403

SHA256
a84369c61796d520c24b3bd1687f2fff4d352429a77ecc40861dcab4e0a1ae99

SHA512
cd3e28a44470712b57243d0f0befe6791138103335a00bd407754a2a632fbf300143e01f04416e25459998c7d342102d63c24dced10a6abbd0ef2029427227b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
4b7d6019f8cebd9fcab53aaec0ded304

SHA1
aeb9b9aeeeac2c029a619fd047ca615adaca16f5

SHA256
9cae0cb2850a21819d723710deec214db9af7c79b0cf7c10099c8532d529c87f

SHA512
ceced051c872be3aa169aecb2219c24f10a55071fbaa95d0d2b68b94915a8181492744820cd2754df785436fc5dbfb0b71f715d9d2c1bcac31ac8342d62e043e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2a6ba9623465c08c9c64f9fc9259ab99

SHA1
5691db849e81c50db8c17a7a4537c528d521ee57

SHA256
3559b462597ba7803a93ad2de5f6d482b65489cfaf13386f0b676e7f757e8eb4

SHA512
d479f15c24cfbe77c5ddb4febad15038878252ff544b908814f61bacc8c7c48bd39b13329cf1f0e8233eb22dc302833f7c9429d3ebc6c2640cc10cb35c4539fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
6e5c83bb49124e0d642d5e2860b4b6e2

SHA1
b900817cc988f2a6c434679672afbc61cf2b6371

SHA256
a8e8f6b0e6033696df64040094db997d5c2661a1323ded695c57ddfc5a16a40c

SHA512
4b40f67d93b761816022e7fae53e4b6cce6c607978b0d8d2c2201c5d74c0316c272d1420be17ae66e072c34bc3e31c9486fe663f52321ab49beb8efad2f196ff

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
44540a94941c7410c40522935b79aa7b

SHA1
9d0ab299dfff6619fd1eeca0e97f59220ec5e401

SHA256
ce7ca0129d1937cabe8f7f9dbb830878683d0637da78b186151bb23b25a0b690

SHA512
db32d4b170bf9e983b53d04945e592e961e1decb7980296bfbb101b2e3cd0c78b48d05518935fa80b867cee315957f29ebbeec3b2566d9c86b6a49f760885889

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ebb3dea766c7f007461873086bbdbb7d

SHA1
49ad4343d8fe8feb0fc5d6e62420dcfaf21757e1

SHA256
1368b1d0a68f2a4d83018f254c49624dcfdaf55515201ab42149639a094dce35

SHA512
01ce6e5b58c310d0bf58361dad7e7874f3cf24ca09f068e0822e7bf36aa21d5723c95ab44c5a534fc84a8a236023cd56059d0fc9d2ba54aa6820ced14dbe38e2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
7b24e7e987d177329670a24306ef4bcf

SHA1
b4a177cc4da6fa61d6abb9c5261ee90cabc63b29

SHA256
23e3b3923634b556a9019036918e314a0e45b502fd99c175812d0e7f23114133

SHA512
74092e4f0b7648f837b5c2425222a7f2d4862d2f7347d5bcded1a07c801502a64a511be420999add37461ab4d7ae48a6eee97c546711a1cbc0e3382ade2290d0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1efade745be68d6db930956192af2bdf

SHA1
d4421abd442058e23a32fa290e05b358ef3d7fb2

SHA256
221980a8156eeb89382a350b48dabf9ea33e588fba985cb5e7fbbdf1281a001e

SHA512
6ff65343c8534719eeffe6bb13880a1ea8028b04d8b506cd1cdb7b4840e9682c3b009756cc50e29ac21587df7c74b1bb00102e4e346ce7d91de7f5b9660f5571

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
382657eaa58965526efe3f7282d6e933

SHA1
c1bd90672f2a470a7e856a2c95f5fa98ff5c0f0e

SHA256
ec1f24cc4f59230489b8dbe7b43f35b43ad6bc1a7431c46afd75eea3a758e4f0

SHA512
e8187c1ba340cbd93f4b2d16bf17f46f88efc642f924fae9a8f1281a57af0a81e8567f2e75ba08d896acb2f56fe84ef35f37fe63cd219f9510b1136edcd7ec21

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
9456ffa84233d2b7b3b4c657f2cad191

SHA1
5dff291907ada34e8c83c6101beae54f421d11d9

SHA256
4f9aeca60bdc1e885d9c8e6f93425c830f6cc044d61b23d554601e4f079a04bf

SHA512
64bf06ba8ed93d3a417c553d9c1bb76858404ca88207657fbd49afef8de9f30c5807361824b6aaa016196df573345fdff76360da77a0e60f355fc7a1c45f7fb4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
135c9554f03422df7f06a21d939f361b

SHA1
84016ef420ff6583598b9aea28032ced3affb92a

SHA256
1b6287c539677d6c993e5c861024a011fecfc6cd30c129c3cb963a71b8811303

SHA512
6aacc610ed44b64b4c00baf8298665147ce90765c9522611138d4e9c1a593a12672416ad63e188de672d8edfb7f382a28f597362b989babdf61ff02ca4b3862e

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
27a0f69912337c92a7cfaf29e1535d3d

SHA1
e760e2226d096bdf3d131f5e487bccb64c512e34

SHA256
b3fc4948a80fe50ed1c658a7ce2ace6e7a426b1c5a5ae851789f085129864996

SHA512
072bb3817cc89f100354eade71974519d9bd0993eddb62bc102b586e91097e5d6f5587907f32de08cac9fb5420f4b5dcd05a3dc96107075eaa6aee1af5c0fa16

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3ace2ca33d159ce7b19bc4a453334e51

SHA1
e20d79fb9bb33c9dde9d1124cfcf75dd1fd7a760

SHA256
210f5e3bd2d0de50daa889379152a4632d56d683d79bf21f4dc0f8a2b1215323

SHA512
a5134c2d1ea8ef398fb81519f4bec4f6ef9fcc435dc122116cb62de14f3538c461f4e3e22e894078b99fd6f672b31257d9c7a556d7b8ec2e24d7a0d35a2422cf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
22d8fef9be922c767135dfb33fd3f681

SHA1
dacdfb0e46358a7e96871a702da8d1da040b1243

SHA256
2b8f3296348b985b33f98e60816a9d2ed66f4fa1adc7c4d41b70fd28caf46166

SHA512
8f4aa733a7429390242ae27f23810097912c11f4bf7e83115778b85eaef27128acc97f4ae7656a66e837a0ce2f005491249fcf82cd4f39019f7d59a3522e7640

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2055037884fcef3a9b1dbda03f706200

SHA1
e04ce085df92ab26729282f99347d2a6197e8460

SHA256
2e068b87dd4d7867cb77a8d05c0e01623aea2a3c8ffa9a8b12453fb300cd0b9c

SHA512
9812f3683a80f179adbe615f74a6da87f8f9ff3fde152ab7737ef74315d7846a6565bc78dc73eb1974b3c454be872e864cfb1d04c7616f3c7bda0d760f30a7e1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ebfd1fc0e01f28367d51f1b7f17ed682

SHA1
f4c610eefa0673bece92422cae89ce82eaec70fe

SHA256
61dd7f0a0127989eae03ce9e80e31013a3916726ae11fb2ebdf9fb4212c52fb7

SHA512
e0cf1967f902eaa5ee83635b2996df01bfc2764c84655884b3ab533e57840db18e4fc90802ccbe4022b152fb230674ff7b104ccbfe15e727472f40f98aea31d5

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
68023c7ac8fd8821d8afe5e0fc51df8a

SHA1
866e8bdd0d5db4830aec5146bc80e5ff104269e1

SHA256
911ef6ad51bd4bd2cf98c23ff2bf84d26d4baac92c7513ef8c23fbba0a89b912

SHA512
ef6d1c0e3d58cec38b59670cc8c3cb2f64cc51e6d26a4d4f4bb23f61f5366afc080ce49cb67558fa28a12de73271f8ff8a9a347402714c3c2a9567cc756beb47

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
dd8591e41a7476900649346605caf614

SHA1
5a943694b157e3b5a5207a5fd3ee5e0ba1fe40eb

SHA256
ed31a853e6bf3f33e128c0b68617039423e844755d2e58e066c9169e1cff9dde

SHA512
612f54283c2862b127dedf46963ea202f03522152814ae7c58b29eba4e70e06cb4daece92fd6de39c3c9efa6b96b46ba2ba7fa5d669e4d5f4eab53e5c6a352eb

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
759f564eb19a0decf32a6555b0c6e17c

SHA1
5e932619f291559d6a556de2f67e29e714d25843

SHA256
370668895e6aed737f4130b7b8685d2cac4d2ad310d83f20c01f9eb53971339a

SHA512
0af33343d83fff3b2b39ceac8bf01884429679c873e04e51a0f6b52ca34e3841aec373d9c6d0bfa34f5471fe01ac6c0a67637a617ff962aea1264d038ad0b013

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
12fcc7b510535210f8e0deaf8ec524a8

SHA1
673492e574dc9413379eddf521f681e9dfaa187b

SHA256
94d0996b280cd30cff6e3de3219e9bc0ba143d1ab52817adc60882a3b9edfe29

SHA512
2ca9dde661bfaf3f7700565db459a3740ab787b21869c1a9b7153756d6557e43b216ed708ff8d7d6301126f8bbcdbf62a23a24931da90c856d724d60507a6e05

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2def2fa05eb53e6d6182503868d828d6

SHA1
ddf737f32e8db779cdabf84476a3e4bae6235d4a

SHA256
4914cf111ce5e3f836575225817c1747999bef20477782ac7478e8dfbeaea642

SHA512
48f7f0c0205973d0e015f55daf7a1586a9f186729631b4c4588edc1d67ec95b90b413409ab5e67ba877e2e53fe32ae932dea6b025148462db15e303dc88a33bf

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f67b7df15f3efeb173c09d818df73ae9

SHA1
6077f0a05431fb6328da600d09189104a69910e8

SHA256
f8a73fa28713458a16cdd555dbe2a0652bb7e9e486d3acbc772a8a74e679e3ab

SHA512
b764b367776f9f8226ef6920b3a9390ca067a4b9f3257e47e4fb475fe2ddfbe744835ace06a8f9434f8e0791cd131475758fafa9095c29ab3628c8487867463e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
eb0b01b9377fc4bdaa2f796bd67416fd

SHA1
7c7a661640c894b514f953bf5e9ad73d0488b921

SHA256
b4a8d853ce0a64b7929364b9b997796fe81d146d62d873f75319f002ac7c1e40

SHA512
973f78a0a90203b98ead4d3d79caebe800939f335dcef80eb1e5f9e1177b89c01acc89a466d764925e5a33b5ff91d498f7a3b6137396412def226bafc50092a1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
30deb53ce6ef97da742af699e76ebccd

SHA1
d6bb79627aef8baf8c3939c9aa4e6c435b7f3043

SHA256
7abae41f0f4b2be8905ae18e320c2287ae312f2469e35c83fcbb3396ae50ae1c

SHA512
a0d49808030a33bf9de24d012d23916be861a737693b52750dda1cf590a9f38f2bede50f3036181aeb00ca7ca8f48b27bf2a98532335627144a8c6f14eb02120

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
c97cd19cbae9a1a6f3b62c279fb470c9

SHA1
6dec5e7570971bdf1ec045cf800a240b7b4f306a

SHA256
f21cbcff1e05e0e170e65987771c31af17840606a05925f1165fad7070ea716d

SHA512
f393b854ca40b7725355a3ccabe87dd78ca7dee0c540de374a5aaaaf1358680a34c45c26e1ebd99e1e1ab409cfbf9686bbcf79843fa0f6b92b25edc395c8281f

Download Submit
memory/620-513-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/620-171-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/620-116-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/900-82-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/900-7-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/900-0-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/900-6-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/900-1-0x0000000002350000-0x00000000023B7000-memory.dmp

Filesize
412KB

Download
memory/900-284-0x0000000010000000-0x00000000101FA000-memory.dmp

Filesize
2.0MB

Download
memory/1244-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1244-582-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1556-13-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1556-108-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1596-574-0x0000000140000000-0x000000014025D000-memory.dmp

Filesize
2.4MB

Download
memory/1596-143-0x0000000140000000-0x000000014025D000-memory.dmp

Filesize
2.4MB

Download
memory/1608-63-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/1608-61-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1608-66-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1608-67-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/1608-55-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/1676-580-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1676-160-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1944-74-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1944-80-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1944-155-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/1944-83-0x0000000140000000-0x000000014022A000-memory.dmp

Filesize
2.2MB

Download
memory/1956-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1956-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1956-50-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2036-100-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/2036-105-0x00000000008E0000-0x0000000000947000-memory.dmp

Filesize
412KB

Download
memory/2036-110-0x0000000000400000-0x00000000005F2000-memory.dmp

Filesize
1.9MB

Download
memory/2208-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2208-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2356-583-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2356-167-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/2964-41-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2964-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3156-577-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3156-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3356-166-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/3356-112-0x0000000140000000-0x00000001401F0000-memory.dmp

Filesize
1.9MB

Download
memory/3580-70-0x0000000140000000-0x0000000140214000-memory.dmp

Filesize
2.1MB

Download
memory/3580-150-0x0000000140000000-0x0000000140214000-memory.dmp

Filesize
2.1MB

Download
memory/3664-147-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3664-576-0x0000000140000000-0x000000014023D000-memory.dmp

Filesize
2.2MB

Download
memory/3892-89-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3892-95-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/3892-97-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/3892-159-0x0000000140000000-0x0000000140206000-memory.dmp

Filesize
2.0MB

Download
memory/4400-175-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4400-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4428-128-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4428-32-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4428-39-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4428-33-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4828-508-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-131-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5024-457-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/5024-119-0x0000000140000000-0x00000001401F1000-memory.dmp

Filesize
1.9MB

Download
memory/5072-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5072-24-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download
memory/5072-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/5072-109-0x0000000140000000-0x0000000140204000-memory.dmp

Filesize
2.0MB

Download