ec4570b28ee1ebd3aa04b72a09658fcbb9e32a448ef121012012e46b961844d6

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 08:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

823af361a90f60bd5ae3b6a1256ad2d0N.exe
Size

677KB
MD5

823af361a90f60bd5ae3b6a1256ad2d0
SHA1

074747f1328c0f64f7df02fbb38b6a1b493127f8
SHA256

ec4570b28ee1ebd3aa04b72a09658fcbb9e32a448ef121012012e46b961844d6
SHA512

e72511e0ebbe1748c8394a46c87e6b1047d2167ed99af5b038dc06267cfa09a95e59df257f08b1839cce0dedccc5d6dae2b801857cabbca051d428cae74d2fb5
SSDEEP

12288:9vXk1WJNTpWSgN/wwRN0UL0G/TVOo3HC75nSE33b9YvFH:9k1adCN/j2GLl3iFSE33b9

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1632	alg.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
32	elevation_service.exe
1604	fxssvc.exe
3752	elevation_service.exe
1696	maintenanceservice.exe
2008	OSE.EXE
2996	msdtc.exe
4860	PerceptionSimulationService.exe
5044	perfhost.exe
3420	locator.exe
4644	SensorDataService.exe
532	snmptrap.exe
4976	spectrum.exe
1384	ssh-agent.exe
3312	TieringEngineService.exe
2980	AgentService.exe
3880	vds.exe
4656	vssvc.exe
2968	wbengine.exe
4044	WmiApSrv.exe
4164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	823af361a90f60bd5ae3b6a1256ad2d0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	823af361a90f60bd5ae3b6a1256ad2d0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	823af361a90f60bd5ae3b6a1256ad2d0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fd967f0720dbab7.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	823af361a90f60bd5ae3b6a1256ad2d0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	823af361a90f60bd5ae3b6a1256ad2d0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CEF7DB4F-2246-44A3-A17E-9C5870D211DB}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84812\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d93697870edcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070dcf9860edcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000888686870edcda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009dee0c870edcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9c624870edcda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
4304	DiagnosticsHub.StandardCollector.Service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe
32	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4184	823af361a90f60bd5ae3b6a1256ad2d0N.exe
Token: SeAuditPrivilege	1604	fxssvc.exe
Token: SeDebugPrivilege	4304	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	32	elevation_service.exe
Token: SeRestorePrivilege	3312	TieringEngineService.exe
Token: SeManageVolumePrivilege	3312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2980	AgentService.exe
Token: SeBackupPrivilege	4656	vssvc.exe
Token: SeRestorePrivilege	4656	vssvc.exe
Token: SeAuditPrivilege	4656	vssvc.exe
Token: SeBackupPrivilege	2968	wbengine.exe
Token: SeRestorePrivilege	2968	wbengine.exe
Token: SeSecurityPrivilege	2968	wbengine.exe
Token: 33	4164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4164	SearchIndexer.exe
Token: SeDebugPrivilege	32	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 3352	4164	SearchIndexer.exe	125
PID 4164 wrote to memory of 3352	4164	SearchIndexer.exe	125
PID 4164 wrote to memory of 3392	4164	SearchIndexer.exe	126
PID 4164 wrote to memory of 3392	4164	SearchIndexer.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\823af361a90f60bd5ae3b6a1256ad2d0N.exe
"C:\Users\Admin\AppData\Local\Temp\823af361a90f60bd5ae3b6a1256ad2d0N.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1632

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4500

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:32

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3752

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2008

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2996

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3420

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4644

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4976

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1996

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2980

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4044

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3352
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
93eb0f8736086182eccd3c62e83e5c26

SHA1
a1e78ab244f4a0507e62cbd02258682ceb02f773

SHA256
e8f55d07cb55b4d22d24e47ead880c1bcf97d73a62e808e50cbee0373ed46ce5

SHA512
a76bf6dfd01591cbf80960a51ceb5478f69df1217cf2a219c5d790eb8343f54fc44bc9170b99adb445417494050c9cebe653fb19f367fb76b0e723f88a894876

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
9ad782c51ba51f56ac7de7c95160305a

SHA1
7d3ae4c444369e89d3b0a92d1ebf1afc7a6717b7

SHA256
ef461fa4da69f7fa36db91d0f0bc5353a3427b3d1e3eaf593b7fc7113cd6634a

SHA512
291242c6200957d5162b33600ca1c4b0a59a3977e5dda000a1bcc1f74794272bfe9e48921f16cada6edf5556f1acb67aac4e02b58a07344fc93784bd1695844e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b8d64c2d8bbb92fa609cab3ee8f93021

SHA1
dda9ee7e586cfcc96f2cfc8b5e2bb7e6a1e35483

SHA256
cbffab5b2410a39234fbbc6272d4d2c67ae78a5ec01cfd3ee4b5ec57c224a84d

SHA512
67e44b74ce03f58bf9e8208f22d18f1dd3b3b0d5af0a2401dee9816f446d7b324a663b2fa141b9a9912f99d78912f0ae9a87867a230feda695997e0936ccf414

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d381f316c4b0a37bfdd9abc5ad07ed14

SHA1
3034ff303d261ec5db70d2d7febfd3c0bbc064df

SHA256
59d9f0d424cee02d774720902a54c8fed1345d6180a9eb4cbfe84a36ba33debc

SHA512
e13d8025fc538cbc9cae0ff33e2b5db6a5c1dbcfc831e23bfb1ecfcc09d6f302b4b3b6415a5da9db97458b7376caaa436d8cffdc1570ae278b78020348116fe2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
48c51205df8964e8d1e3f61cde4f7715

SHA1
7a360a681db9d5513e39d9d6d5309f178fcecc85

SHA256
4a096ec33c92103915c03782be8caf1753fd430763f552d54e2f96c06866d7fd

SHA512
a60fa451dd7a9fe9d9fc063197a37aae89c1fffc1f3fff9be7bf20db125fc28e725ae5d414697a6499b35bedfcc34b17a9829fbe313154e0e84710d3713862bd

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
82d0453707c73d1b58fafdd0aab12f18

SHA1
9b10719e09f11be85eacc86c32f4f7b1ee47d0c2

SHA256
90edc1e2052f50b67dafa40ac9d5894e29d3d4c6b43d8480959ee05b83eea9da

SHA512
d421d1e76cd2b947ca7e30cb79e36f6ce8eab87eea5e34dccedfc43d52dea6b466dba4d29144ce5f576f12798bd737b2ab4be860831cc2f96743f5a3c32c8f93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
296a9024d237ea6c04a3cff6406ae508

SHA1
b8fe2e9f5a1ddbd69f2b92f2ceabdb6088ea15c8

SHA256
34b09285cbe531590a5b7666629faeeaba595fa7e4f6a01898a0387cb76c8d6e

SHA512
2ab82fa16609120572a8c56510ec498dfb34f20c5041ffc4e00ef907fa320f5f12e63c9cdea47362a6c2254fe51a989a50ef7552116fb3cb5b90929aafcb44aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
18b649b41324a64ed78015d69f00d576

SHA1
bb2b17ae262d81db76b517cb31aeab0cbb13f19a

SHA256
3d2b8278a4f42f64b5c7e6c64746eb68d606797cde52448b4f19092a9f5ba643

SHA512
dbd2d147de540b160e983b4463900556520e8c07c28e4eff41c312ba52ca43c407a63d6d0558a9300f1269dc307ebf5ac2038ff23f324b10c0837bf25ccb689e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
73fcd1157a9452930df90229da7d82fc

SHA1
18039447348047583f7afa4c65e0f184bb71f80d

SHA256
18485716d45ada124f6be4e96952802aeaf24cc89ee44dce4fdb0f871553a82e

SHA512
3f665d9fc72af207856d130d03259dc3cc77e54b2d7d2c71d16600c4dfe3e4bc52a93d1ebbf9b6af7c0367c72019ae3a9874e2fea9c893aa3bcbd64fb00f222f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
68f2d8bfdfe03d858112102c3c382969

SHA1
d6d2a8c32e4a4b5ed1ae0df4be39455e5d780b0c

SHA256
d2c935668be2d6bc9611ce66fe722df45a2c47aad708dc842f83425349999eaf

SHA512
2ea2ef0f7c784ee98cf789f7a88c75419b13389c230f5ca1f82f51678ebbd4e29873e9cc8ca2a8e4a93d32c8f2d252150e6ecc4ced069cf8ae7ca598e832b7b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f429330f5dbe4c087a1b5de73e1ded4e

SHA1
0fd041731c67dc2b435812c5668045962269d5e9

SHA256
8e6d1db40aa24c5c5745f6900953b4720f42ff8437fcca435ef19208ea7202f6

SHA512
89f62624585b3e0e0b6904bfbec0072041d77419f0803c32b723b1172ee9095ff83c1fe37a72e08c92e04dc8c4397730f6beef4828a6f6086cb3ad3100c6bdae

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e9d8e260488d2c6f8785eb880e81349a

SHA1
569b61d134b00a25b91272b91bb1243cccdebbda

SHA256
602bbd7dfbc56c14a912b83ee6ef71984d141f343d7cd86ad164b035d0768720

SHA512
4585274f7a016a3083ec871d88fa36a57c1bb3a17fa31cbd18d58feed37d71deb7e60b4a057854e70c3be5421b6dd04a198c2239371e94284f13920c07b3a2ac

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
cb3117beb65ec9f1851767806ad4e867

SHA1
6cd9a26a0091d4ae24808fc03e6116420937510b

SHA256
90a2d77873947702d5e973e3f4963a7ee1279c3eb8a59a24a7740877e8e31f16

SHA512
b0efcd8c83287f57d8c56cd350ff0daf3fd6cd0fd08e8cb77c13dd19d8d0b54cf04d3d14976226080456ab3d7350d22f911a700ef8ed83db725a65b89a0bf497

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
f010fdd9408b05ef079ee5ddd9ceea57

SHA1
2856e3256b7e9991052c8edd0c5970050ce7c7c6

SHA256
f9d3ecdb5cc82c18a5d77e3484f41a3c3d4f749418e532aabafb251ff75b84c5

SHA512
a5eb6a9ccbae450845ce2a299e73725c74493d6ab1240f09bcf1d30896907ac2dfa246c2ed44119236476fa1f16fd125eb337f5f7079ad1d240b177d16828277

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
62623f0dabab52d09b47dc3c633df4af

SHA1
a124cbd606e3ab5b23fed12e3e18f6f04062db3b

SHA256
2a20255433135d9a1dc9e9e01658f792494bd9f417f88600e7e0a655afcb84d6

SHA512
79dd933c1666a693b2da2d1f0e072ada15a888f39ba60b0a99fd803e219ef0960d69f167c7b4a28e72ee5e07fcf609f7f66700c65b2040d3174cd04979bc9a82

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
8fe4d19bf56fbd397786dbbd315b67e3

SHA1
d0e51ca3a39cb9ff8e71c1c99f37624342217a8a

SHA256
880e1fcdc57aba396bce9d70893ad5624acce0e027da68461ec657eafacc959d

SHA512
21503dd36d4aa73e44a07fc95c8b469ed97424f557b493cd2157f98dc53eb7f59eeca634104f57aba48b6ad68a5450b01a7571b297c19e4ba04c572514bcc554

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
953b8e79063614932515498798396c8b

SHA1
d2d08462fd624cdf500eaa669c840312ee96d84b

SHA256
c7b523ac168c70adf950ac0078b12b2fa92ca41df8c1eec796c884f1778a28df

SHA512
c070ffeb0779085d49be813d00a4d1a9f2867e31c9ce5bb6c1371ffc55240bb394742d1115183b68906228106ee69b18434e17984a68e46a18f0c5947d77c2cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
63d3320fb2a4767af20450e892c5f1d1

SHA1
0de67d83912eb7dcf0e5148dc0db3914735b3034

SHA256
ccd620d49d6ca80632ce92d32f3ca139836d2ccf79b74820c827b86c2a3d0b15

SHA512
72f9ecb2c29d2fefaea3ad9eb93574cb7ce2e548fc891170560a1f195be62ea5675c7ea59c964dd65f0adc845a04b82adc3867a73acfdaf6c5bf389a7eacc059

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
b6062214c6d00d386e221d923c92fd6c

SHA1
b19d81384df9bbd84aa81f6e58071f6a0fca6691

SHA256
74441dc0a5bb155f2cd48cf36a298df722697cbddfdedb2e8275bdab7d8ccf2f

SHA512
bf2acdd490219133944d470989db6a1169a642095c7556b186c86a8182bf27ac775a5ed91fde479ffc2963db6a417fead60841f89c63ff37328052d5b5a5222b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
1c1db4dc1065f773fcc5890121543665

SHA1
a7d1fa46f5fb8de29961b9faa7b7ed761f40fe85

SHA256
46f2a95b9248d27fca71499d5e8b607697dc4a1eb5eb50fc8d3e0e9efa83ef4c

SHA512
64ec973b8544d7553050e176c6749e88c7a835aac04fdeebf47454935a28127995585deda8b503b0d3b3840ecb28949660326ffe7f6088eb69a1619f973535c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
36b42d6c9d2a769f02358efc3694357b

SHA1
32faa5bb72d9dd71011df4a1e1b6cdbe897fe54a

SHA256
2c8182946e88c61233ebff31b571497757b00d338cf0197b849c227ec9e68c67

SHA512
02cb2f6714ae23089c14ac7d7e99bb2f3c6edaab2c509fc74daf02c609a702685a759146ba447fd7845101d4a3fe3c8aabc31c8fb155949878fd4d382f0d81fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
003dc564a287250f06fbbe3f6b0750ec

SHA1
95748153680cc199f072d2cc006c63ce18dacd15

SHA256
b95184a799a181f65ad3b42229440f06fe06e45287a5aaf654bbbe37c8485b70

SHA512
9a2828b3b97fbd22169f0e3ad8129944199696fe58b46404c6bf63aca3d499e5de5ccbf4d78ce22464c41de68e218da3a2109e962600819dd6f4c3fa07c1dccb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2bb2fdbeafdbcfb51c0c2a4c57e11852

SHA1
d28ba2a7697f64ac7f975317b01a56c208bcb13b

SHA256
d109b689124129d9ecbe01cea514600b76d1002f7a4e0cebc1e7379579db3315

SHA512
932c68ececdde3c277fc9dc6343c0489c66c47b33c3afa34cbbd411e25f4948c2d98133a27da423463498dcd2eacd418c1743604d23d9b2644d50f36e51d135a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6c451fd52c2343586210e895b08f4bad

SHA1
1ef9da5cd9723d38cae8c81e7fed29e714e5cb2d

SHA256
9c6c5ae620358317b5f6702c0f9feb336a3db2881c0c46623967be812a96d42b

SHA512
59fce355b50a27bc5945bac77846e0e60be357aabe645485f3a79aa20f0810c28eb579f7a5f797a3cbb652e988c623b527b6cb2b98071282b118f75adbc86fd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4c66f70f37703cc71b4485bb6a60face

SHA1
fd62ab6777ce652f3fc0c33ba42302f0280bd180

SHA256
37ce008eea2d4cd603ec5aa9ee90e32881691c985e7de504a6457924efa24514

SHA512
1e26e95de8fe44de7118c05b6b8426c4f14d8c2e58aaefbad6eaa2667c65649a9af0165d9803ba6cf23fa43cc64ce6dd6f8cfccf4c978cff0e3f33bc99afe672

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e19d9277d3b38cc0cf17eff6c4840f8b

SHA1
4bfcb24ea9f03b191228f69b6ec19005884b3a80

SHA256
9c7b4ac2f5019084eded47fe4a21e517d6a6e96469d1846d2802925487b23ec1

SHA512
ac2748e63caf0a6e640d660b864c62bd8393560f1b1947517c8e235cdc90011479a7a439a10d833a52de52c0037fc55541e14e23c4edba5835a8d35592d78b39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
c747449321e7428fbb6268a720087aa5

SHA1
2f56d36b369f6d751579534aca64829d038703fe

SHA256
0ac7f5de6d62865ad23a22c740dc923a8890057660f73935b5da307f9cb36c5f

SHA512
0a03584308715e302e034d2e97092f48b22023a47b7b8cc04be3cf243708ba013dc01acde07e69d7ef70d0fc9647c59c957b2894dffe981a735e9d32bd027462

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2dc07b73ea5ca83475c81be9f89f5afe

SHA1
a6d9b71e840af66f587ae63dae3803129373374b

SHA256
cc7e791ac08041b60457d3c9a927293464e51d3bf771aaa41bd52e3ec9b9f3ee

SHA512
381e7879e3c992cceac003c4d172b1278dda087310610e0985d731b490e1b452b97ba7c55bf57ac11a0b12f3359ecf3130ce4fed1028f78bbafba0917e2611ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
d80676b79eae0aa75f112c4012ef8482

SHA1
00e7a7a2e36d746d51760021b8a1f738a97204e9

SHA256
85d5afb7d5ad392261d9c7fda3d24e5e240c6e03e67fdcc51e8ff9825867ab80

SHA512
8d5f9d38ce76f78b215e22304da4f59c1138b0906e7200954853fc28c1d4ccbcb002d2e1eb71582c7dc7d70f20866235c134d424a8284349b11416421d969c84

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
693a1f48de2af6c3d581c526a108f961

SHA1
e013b54e27559bc23e7b08eb53f422165f75c50b

SHA256
8c84d64d65246e29e53cdf6d0d84f006fba194019da39cfb4ffa8062ad51e446

SHA512
1ad33abc115137f78acfdbb20601f82cf40b849c49ff106d751ff36853c41b1759d2a4ecb6b2cb90f14a93059cfee874f1b669f6b7e70e5509310973feb64d2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
41c7c1e2c86c39a57f785772c100bc3a

SHA1
faff69e68b4147cbec101493135062018c6d0b35

SHA256
f13ea11444aea5c4d80681fa25caf0ea22e38618f32b25b535c7ecfc97042afc

SHA512
b90955c22e4185db15da4e641fe6a5a04b0386d0b515f967fc1c6908deedf271490d31ec730ae32c93aa5014daaf1ea02c8c719c294bed61d70e3cfb30732c7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fc7875c0b60eb9b98e7c0aca928213cc

SHA1
e3640bdebb9c832b62722e5b1e9d04ec7e6324a3

SHA256
c0589978f8dfe16c532c5324822af7cafee813b7bcf2de265d03c344eec61c02

SHA512
f8832842d867a3b1b6cfd670ca6482d49c135839055f7fee5a41a52d8aeadafa9e22aee3e9df0440bd2847ea76f979bbf7c96cc2e67e5699dd3a22af9263014d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
90be3ac9f1cc03c50540ed083a88a149

SHA1
792601577e0cf56b14c33f45ec05b259b9ebd4ef

SHA256
b93d30bc48bf84ef3e6f3b94b4bee56f5cf34b22fea8dfd7f569772f59ddbd7d

SHA512
284dfd511a8211f284ecbee6da17a06d1c4ce43fc5c8a9607a968aec54c0562273188c9e871601e47d3b2eb8f1102c64035e494cb061590448a907a35008c97e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
907e9cf9cf112d255558f6004cb932f0

SHA1
f4f8d4c1d3dbdfa27bce51c449fbf0aac7f1b62a

SHA256
f2868da70ec38722e9bb48a0c58f2bb95491cc2afc3ac45f7406bf6da18c6461

SHA512
5780f377fd882c4e3ad99c9a3bf7883813283650b1ced5b5a6d30f6eac28ef27ba3efda75bb9ca3d2adaf5ea9ad9c7e37255203b806de3bb0a62139602dac9bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
0b5b1a8ad78780169a75ecc6a777bb15

SHA1
10f3e11baa02e37c371f4d68fc484839a2a39bfa

SHA256
20318a7c0dbbb3f46a386edba51724ff45f221d5444591af5ac4ca1e43aa3aaf

SHA512
e00373fc6932d1d87058d201e5505fbae9fb81d2c618e4e50f5c83c56cb508911f1bc5e3fab1b026933aa109237a44ad57a437430a4a23dd0baa29d4aff96194

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f9b3b49c4ea9cd992f29e1354941632d

SHA1
a4e930f11e5e593313a331a0ba860b379b127619

SHA256
a2730de46fc493234b11d167c789b6cf1fe9681e0946d201c0a1c04e75217bd7

SHA512
c3cb16112cf6b3ca2350d9ff546f8bedfc938dacedcb9b1cc94ec5a95cbac924da17afd620341ad5d18a2726a80ae29311c1044fb801a726c38c1c147618d65e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
647a9dfd97fb2973e95e2ae9058d189e

SHA1
f8e7508bf5042de638e205b2768c01a5e7377ad0

SHA256
ac371773b5c909f29ea9b7ddab9219ed96c84f31cd853d91d8ac08a83dbb17dd

SHA512
1942c49f7e333541263355b9bcc1f4b6b9ff853e4ba44c4531ccba61f64ef0048b5e0a59701b964750b811fae3f4956c810c3b2776ba76469625637e947e60b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
581KB

MD5
8970e4367d6dfdb227ba41eb7de9a4e1

SHA1
4dc77f8292434859f49bb2ef9df5759475c4fa10

SHA256
ff7d66d8009bbc9e75dbcd330aeca35dba1c060a37d127f1e79d4217c738ae7c

SHA512
569e599ddd2f029887b0d2f6dc55adf98dfb0c24a75f41cdd79d035201ac0113c433b21ade955995d9e6ffe18dc96567a238a0e600c8748ed4dfdd6c74490f1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
581KB

MD5
3462bf82d9a0ce9f6e1e6749b02caf3a

SHA1
c84afa7494cec973a4c9a7df246449c09b5e92be

SHA256
4044585a868cfe3f69954c4ba5830bd047d5df0e525c9f64a0c19660be5d7c38

SHA512
5dde80ad49f0af9596bd93ff521d236bb7a8c4e8b8b41d6e012088faf344293695356b50fbd6c9da083fd8285ed27c927c4f8e28a9fb0900ef095360d6ab8ce0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
581KB

MD5
d35de5ea59b0d11df3e365b3df45caf2

SHA1
b802f078ea5064d9997607a0754a5d3c7cd85d18

SHA256
269f9758233b2a803dde60e1e51692014f0e0bf99e9b312336fc808bd7aab940

SHA512
b6786f53c9095de175b0403d727c6b9fe86220c4b193e45a0e03bdb3143e1e818fc4b31c6b601428d5d003736706acb674687118acd6f4c2e9214ae2c46cbbd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
581KB

MD5
f6699945473647939a2d1f336af36b19

SHA1
821b9963ac8ab0db8814bca2e5b7ef31535f6297

SHA256
f7dd53ed4b3151ad020018ebea1bbe655195e7c4f68f8a6f6d9b735750c949a3

SHA512
bbc655dcfc51c975c8efe984d1d9a04851ac0ce1f21e27c20f64ad1e2d443c1c430d14865e58f317114e9c3a3c4fc86078e45f58c9293d88a7f8c1c9101fc0f2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
92a7f26d2218825610102a2e57ad7916

SHA1
6f06e9b79bc31a4822e717361db48dca12f6753c

SHA256
84cf3c605b81ab9f481dbff0905571ffa782c7bd1859a63975c2862188b49078

SHA512
c27b3adb7eb5785f82f1cc6881acc55bd02a6e523db62ea767413cce073078b0a0071be45d096e56ec4c61f2b785d73c07c15dd1a83cbc571eac9a43fe0e1e7a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b1e305b24257006867d267045d633458

SHA1
492a2fb2f6ab9fc90ff458b27eb7b1719f14fafb

SHA256
809870a58aa5cf35afb9b608f7a7810f1369e25ad54c0337db34b7e1f12a14db

SHA512
4885882576efa3dd51906ad04cc7313c3b8bfb21a60094b0d21f20f5853725118537b15496b8ecb6df450fa430ffd49ed937a479a20dd2014639ff3832ecdc8a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
27b1610a7d04cd08b7497f81c4021dda

SHA1
f854eeef1c497ef1095815d1bfddef390afd133f

SHA256
8acc5d1998facb4307561b38d9fb11bf7eee1cb0baeae2fef26f51417d632570

SHA512
24ac1f9d6d72895cb0c302883887025b68a9d704959e91c56e79766ec23e34e622b15d750c1d917b17942034e09469a57cd8ee67741860afc5c42969d9f05fbd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2cc42e1d8d6da1f6ddc5b0dcde94aa03

SHA1
1173714ef835ee1df71108849ae9f202ab09ae78

SHA256
943cc504a00b5a301a47ac2dc52f730f6bdfe91446edf11187149fc819d93cde

SHA512
7432b0ed81e54dcb5181741b01c179e7514e3d8058fa9415cffabba633fffeb7eb1847bb4bdf7586b9e06363fc8259b1c87d6d7b0237f42e97eac8e94560dfab

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
222230411e96fa5bf9435f2cb1d49129

SHA1
1d7958d1c8eb8b6d996b1e82535e58c3a5ef4634

SHA256
101535a4a8bd4648ce3bf06f49073823097fa6d3674006c8f90224f8fd0af39f

SHA512
69b652c8dc811a59782485f12bf4413a95b1a78f36d27ddbf46f52b520ada0b556f9f339c57a2dfe65b4aa37898d508e66045378930e37b6340f500212f0ae47

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3875bdab377cc20cfe4b10fd252ee65c

SHA1
ab1b6e7b6c0d7a0441963b4e27d5f347b1a0cd04

SHA256
33acd2fa8234c9088f1d6f2b999a5504fc5bef9aef1da9c6a1e557fd59d5865f

SHA512
e4cb470334849d783d2be2a76cb9f9d2cd48e37771e23108dd3502955a092491403c8016720b397fa6110125f19fc4e5ecd2481206cf9f323724d7a68fff7ef2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
68a24f3970b794a105a5a8a18e6a807f

SHA1
96cabc5268078b8f6f5b2d7817266a049ae6fc75

SHA256
581a3b98b8bec40d5e119c121533f59c2657dde9386bc4722e604f2e50ba73b9

SHA512
b0b3158c74440ebcb875d7495912838c540ae4f317b8f70d8455bf7ace2b06f1337c60de2947130148d3635549e04a4964095b839d5949322c8bf3c726e4fcdc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cbdc7d4dfb75a7213c3727428a448677

SHA1
3b42c385bb82f8273c811fc7aac6c50fb4d8d056

SHA256
c89f33aa51666d7839f2597bb7ff1eaec2390ab131ecb99eefc74159ff22eecf

SHA512
466961a6f4d2352a5d02293fbfb13cb33c453bb4363faae6f24eee0dd8bddf2fc0b4858a7beb36fec82ab9ee74563230d6364f68c3cf1dc937be84bcdf51e72c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9934d498cf8a6d1a0a02935510bf9a9f

SHA1
35930509ec21733ca914052a1f2aa4ae400eef3e

SHA256
bebe90941fcd2a83546f5df612ebda37ed69e683b98ba3195ed85f08b5e4a364

SHA512
fad7cf847f5fb1536ac5d6f59f24eafaa07f609b3966842f38ae4df95f043c6f1d6305ba1aa1883d35bcdb0209d047adabd9e91e81a0072cb511453752510804

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
62e7a73c8e637d639c5710478bd73222

SHA1
08d14d101e222911a54ea686c1f743e48bb7e50c

SHA256
f1e105c6b20acaf196d3833d43c741b1f1b4ea8e7e4f217a6f6bf60be754ae47

SHA512
6eb1d2783b84956cf5f19ed6fe8a6d57cfce32a7921c6cebf53bfce855378a8c75d824bbbda52bb356a5220c24731780cc5fb582dbdcbfbe30d504dfabccd7a6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
004aa5d033fbcbd806c94ab0780e0a82

SHA1
fff8eff74d6bfc6c68b2eafe589026f153aea937

SHA256
4dfb988a4dde210abe5e770dbeb64f76068ce998cadb390e71006aa15b444849

SHA512
cb6a90ea35ebd51da9ffcd625f5b74b4e438e8b969dd49b9de8729f319b9014f49a9bad8538f871e033a10ea28b9799f020c38fe3cd9f31c541a59285e3d2e48

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6e66df9db4cd0e8331bd591a94032bf1

SHA1
4ee581e919b6ab4b0d9ab2ee8454321eaa5dca84

SHA256
41345f582e05a9820763fd1a34e4c957f61513106ef38a071c06136488039ee2

SHA512
df6993387cef2b087831f059ff3920e367c8ad23b2c58e6a36d90272c95ae2322f6622126445a38df687cdb5e95a6c4c8f8a273f0f63e933a649d40ab2f8f15d

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6671c9e1c116386e379d64c24c8d0878

SHA1
2c34ec9033a3abe16f66a9c7e0dee39710c8b4d0

SHA256
6e902d5059f5a48b1dc74e6c1d82a1dd23dfbb9cbf3c68f9b5327e220f7a4d3d

SHA512
c3873575d08ec64de5c414184cac50675300e4f77148f235ff4b08a2763fff963e3daa3be193e95072cdc886cc10c711ef7d25e684af3c74728d1d026adbb828

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
76386b6e08416844eb21941eafcc5816

SHA1
8e06261ed7acfd59703e8d0f2fe3d518f087493f

SHA256
faa1a2f2bdd6a05b488986633039d1161b087bb099a3ae7efe338125aff9db38

SHA512
87536db7cec066741b53c9db4380c37c5aee920e85ff8ad48c5683d4f45c7f44c17a200a8cbeaa9bad4f0eb0f4d3a47668780965d4dd7ea1ec2590e6c164c5cd

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1beaa5b776c45293e817c88293ae283a

SHA1
f98898103fa0e76270b9003c2341a329eb304a62

SHA256
a72e4b4672b85d440c28a08ee8b54084d5f9452c173c5d83b6285ae96dd1eb70

SHA512
1a6699bc3f8ff3820761eaf70d122969a436cef28eb6303de4293c0f7ccac6d7caf933df313060c3ffab8ddee3288312b5f05ee3cac7d87176b98f36842c51a7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f2bdefd546bee566f81f2092e8676cb3

SHA1
9c686ac94e1e47254d4ee6681e81ef8376fb3ea7

SHA256
8c288351c1c9a5f4ae01fdd6aa3664f4bef05be95da850c97cce8c3e1a6d8b68

SHA512
f313ad556b09689921f11e87789bad5c98c39e02c55750c542aa51a8b1267843c5ed2e4df42b1fe160fda3b824ace69edca7a5c5a8bb2eafd33454ba24c76234

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
31c927cd2e2e0bf2d8ecedf6c860de2b

SHA1
4397086d611f0c23423bb450c788100e5956d135

SHA256
0d12c9b123469d7915aecf5aa41cabcdd8474cd3024c57c013d01eb973083637

SHA512
318ffec49be888491ac8bd85b6453388b63b546f3c1e6253662c9a8174585ef027f016266a9d7753fd06182ca3c073f56b06b732218a4c9fb6fdf4a4871d64de

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
38c60c86a9a499d9100fc1aa9c9cf033

SHA1
ffad5925478a1814ee9050b5175043cd7404f3a8

SHA256
0dcfa608abd33f08bd61b559eb5018b543976dfba47c0f879a6973d88e33dd54

SHA512
82afc92cf0b75be142a78748510c97d3a87cd2ca6eb5fc3d1e8ba9e591507b560d0bbfd16414e4a88b653ab5265a3a7af3c339321b3ca2bc87ff68e1b04f2cde

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d10a2cd800034a56d4ac34c1b1c8df2e

SHA1
edb416955e1adf5bb00742a122903536b58c636b

SHA256
424a614ce1ff98cfa5b184a4625e7882318a9216e32d1be2d11dc443ea2a14db

SHA512
796b03e668b5a52f23fa33b431cbad9fe5758bccd0bf91333da0c2560a982753426d0b3361087a07254bf41ec0c740044667abb1d3fa1a295319be9f79e533ae

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
55497828d28c92d212d2be992200c5c7

SHA1
c49148eb1d656856a6378d9a05104233eda469b6

SHA256
db99a6165066ace74ec878f80e492f0530834020d8ff1991404aa7a948519d3b

SHA512
56c968ff59c339d042442836085715440a54a92eb15586309d4f60581f2aa1073f7e9a1a6178a4fedcc5ffca7076d9bab21f93beb06ad7de7182ee3390542014

Download Submit
memory/32-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/32-33-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/32-42-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/32-240-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/532-284-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1384-305-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1384-542-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1604-147-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1604-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1632-238-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1632-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1696-58-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1696-70-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1696-68-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/1696-64-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/2008-142-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2008-78-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2008-72-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/2968-548-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2968-326-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2980-315-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2980-313-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2996-317-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2996-249-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3312-310-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3312-543-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3420-277-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3420-329-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3752-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3752-243-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3752-54-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3752-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3880-318-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3880-546-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4044-330-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4044-549-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4164-335-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4164-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4184-1-0x0000000002260000-0x00000000022C7000-memory.dmp

Filesize
412KB

Download
memory/4184-7-0x0000000002260000-0x00000000022C7000-memory.dmp

Filesize
412KB

Download
memory/4184-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4184-30-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download
memory/4304-16-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4304-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4304-239-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4304-22-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4644-541-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-334-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4644-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4656-547-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4656-322-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4860-260-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4860-254-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4860-321-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4860-253-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4976-540-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4976-295-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5044-267-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5044-268-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/5044-325-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download