95a6cf632b2a875eb38f7233bca559143c3f06216e459c059251a7b62b8b7fa0

Analysis

max time kernel
117s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 08:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acd7d069120120fcbc09aef8d0369100N.exe
Size

648KB
MD5

acd7d069120120fcbc09aef8d0369100
SHA1

05786ab1c635d7a27a9ec78e1e968cd87d2bb382
SHA256

95a6cf632b2a875eb38f7233bca559143c3f06216e459c059251a7b62b8b7fa0
SHA512

ead07f6dbfcf2c904640c9d2f2caadb35663ac848c6bba14b3c8c389626e9bceeee5abf642e99b016a9d4d12a5d92ec558f17d1c9a624ec2c853a6ecf6b55241
SSDEEP

12288:Vqz2DWUEUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8c:4z2DWHatr0zAiX90z/F0jsFB3SQk/

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2012	alg.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
3016	fxssvc.exe
3540	elevation_service.exe
4528	elevation_service.exe
1576	maintenanceservice.exe
1596	msdtc.exe
2180	OSE.EXE
3460	PerceptionSimulationService.exe
2428	perfhost.exe
3400	locator.exe
4692	SensorDataService.exe
1840	snmptrap.exe
4396	spectrum.exe
3888	ssh-agent.exe
4620	TieringEngineService.exe
2884	AgentService.exe
2636	vds.exe
348	vssvc.exe
2196	wbengine.exe
2164	WmiApSrv.exe
3928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\53de699c6c5b9070.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\System32\vds.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86687\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86687\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	acd7d069120120fcbc09aef8d0369100N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	acd7d069120120fcbc09aef8d0369100N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043d2d2b870deda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059d756b870deda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b0eafb870deda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083aacbb870deda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008a8f72b970deda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e8967b870deda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe
2272	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3232	acd7d069120120fcbc09aef8d0369100N.exe
Token: SeAuditPrivilege	3016	fxssvc.exe
Token: SeRestorePrivilege	4620	TieringEngineService.exe
Token: SeManageVolumePrivilege	4620	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2884	AgentService.exe
Token: SeBackupPrivilege	348	vssvc.exe
Token: SeRestorePrivilege	348	vssvc.exe
Token: SeAuditPrivilege	348	vssvc.exe
Token: SeBackupPrivilege	2196	wbengine.exe
Token: SeRestorePrivilege	2196	wbengine.exe
Token: SeSecurityPrivilege	2196	wbengine.exe
Token: 33	3928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3928	SearchIndexer.exe
Token: SeDebugPrivilege	2012	alg.exe
Token: SeDebugPrivilege	2012	alg.exe
Token: SeDebugPrivilege	2012	alg.exe
Token: SeDebugPrivilege	2272	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3928 wrote to memory of 5084	3928	SearchIndexer.exe	111
PID 3928 wrote to memory of 5084	3928	SearchIndexer.exe	111
PID 3928 wrote to memory of 3392	3928	SearchIndexer.exe	112
PID 3928 wrote to memory of 3392	3928	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\acd7d069120120fcbc09aef8d0369100N.exe
"C:\Users\Admin\AppData\Local\Temp\acd7d069120120fcbc09aef8d0369100N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3232

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4688

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3540

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4528

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1576

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1596

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2180

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3460

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2428

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4692

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4396

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3888

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4620

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:348

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
06da44210d41b73cc245b752b11401d6

SHA1
ea9b995202ca0e194addd230ff238b3438f6a5c8

SHA256
b27c40e2dd62a816b44f46a4f331aa9df829ece8765747e3873f7c11c0a2d31e

SHA512
1278b39a38d4803f1b98b9797b4718256b27478bd6fa2d443f43abfa5f8812b07995e8517bdc6a0aa824b1ebfb82a58dbea5ff6856236438b039674c1a483ae4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
18bf2f0c9d740aad4141c7fbc8c35b4c

SHA1
a7a666ef8b094005f6d5b5767a2dde298927031b

SHA256
0e4a45df9a63d9f2a4da532b6790258eadaa2b6c2d2614b6b0cadca2c6154b57

SHA512
3ee17b0b66f9c3cadc4b6cab1c2a127ed43c44cda3e78d14e473c7fcf2f5116cf1e9071c1291b93216888425203173d87b2ea5980a21a8d2f14c2a941673b7c2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1e71af270751a5f7eae9fc31a9941739

SHA1
28239ce6fde7924656bf3632d8122a5d256a3968

SHA256
be4c886c8d32e4468a8bc54aa9be7133e328ccd1c1bc98a02a7c267b826ffca3

SHA512
a9a9192df531de019612189f72d0612d4a69626243e54f3c083746b58c1aafeaba762cfa065dee0f1a17dd9ad7d39695cf1c9be7e97a426228863568666afddf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
73a4c04538ab48141f000f2b9707b6ed

SHA1
63fce4782411a02fc07845538eafbfef80cb9151

SHA256
5be45a3bda7b0549c65dc26c70d0adee058c96f1bed7343ad178537d96254828

SHA512
1e32206c936af5618d6e21834d8e69e99248abd0b03eb06f45b7524b2bbd15c3d22adb9dbca9ba6015bb9b57e8742c788a576d0da68221a8244358c1967b56e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
75c9b9fcea63eb859bd1c79a89a63cd3

SHA1
68bd6f94c98277fd32337827c8c1d85323c6caa8

SHA256
ff78fe65d52ecc5487a9c433eb914edaa393dbe3881015af0ae47524608e2c9d

SHA512
abac28016482707b2411559944e8acddacc3a0d57f1106714e40041732493d17435eca8451e525f7db4adc012211a71c2619491da249451c73d6d1b705212cce

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
abd642dcfcf1625d8f4297db5ecea7e5

SHA1
ce0881d688868e18cc6fd0b9e60f20dcce9bd60a

SHA256
701640c1150908f0e5325eafac920068764dede5caf2c6e4bc9d25113a72fb82

SHA512
b24433e0e812d57600985ffa5ab6278edc291409dc9e5b60a725a1a781d0d64077309a15b40a24a5420ef101c03f3e8ef49a177cd9f3778d1bafbbbde52b31ba

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
c87ee07b8738a780c4d8c4e722e76fe8

SHA1
b480bbfdd2fb8b2af44b56c32436e2cfb8ed5ba8

SHA256
8331a121bf2273bd132a801759570f957ee82dfd1248cc82b2b63d0b6e48f01e

SHA512
b39985ee5e81024d30cc2858e7f340d847001815cc6ab5c5a157f2e046558e17a1861a5c995cc806965769296c1c875ad3de4da26bb36c97795c3247a86ad4da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6f2e3a04169938e8029da81963ab8ae9

SHA1
18def4b09d070d4dd44303b47dfee923c7aa443e

SHA256
d4e6a5dd782590346527083cc82e3b0f11e7037baab57243bbe60e9c664bbe76

SHA512
5b39dc9872b15db6c85f0b63ff6a467c2e5d0b79c71a51d12723feb7839631c5de4528f5753959249a301efa5aaae900ed92694465846e30bd3769d7a7e9a99b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
18f1d3d0006dabb69495cc5e988085b0

SHA1
fc44ef0467062eedc77822e52217f918245b5fee

SHA256
2ee30a11c73e810e13c7d53a0e42458cce1a8d26ddd12441adb1aab3399ec531

SHA512
8d47e3f24b383729458576ae5890b547f0b64baae06a75fbd7ffd330560dd90cec211846b37538069e3c7cfdb54d6f9fab17eab4b1e2488fd683a5ce4288e019

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
206b2a40592ef0bc8f4d2195ee06feb0

SHA1
6ce2142157dc70f6ab685fe22b6f1e8d01e8d512

SHA256
12c2d12af807df64d26f13b1928b4da5fd8aa297efdfbb5577524a5d437412f7

SHA512
e45dcb5042bb6986203ee9979306e05c5b1ab21ae442e1e061c005b9f755924ffab35f6a57f8baa2b7d76f190a11819a6d177b9d3072937d251f8992b3954eef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a6c866b5e5eb1ea50ef0951f88907638

SHA1
e42e78543ae3abe8ec034e7989df98815a8fb974

SHA256
bcfca27f910562cce5e371edd5c93c947c6682f764c28eae1e4338de8dd52998

SHA512
244a6a76cdf84dde9f84c1e015f84b48f77603183564054263a54f896ff4688f7b645cf199e177dc4e6e889456c9acb7f23d5fe6a9b070a0a39b12bb1012d4df

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c76a62a19400fae3e905daaea56e8ce9

SHA1
90f70fd74bd99862ff544da1242bf6524c63a452

SHA256
919b342bc6e9a9013c7406f2234df373d554b8bf161e79fb3d1ce6420b698f35

SHA512
3f60274547fa72e5c07e9794b84dfbd4b85f05d21de61fed653d6aecfbdf7e4b0ec547e157da8eba30e1881343c48ad7c443eb7bf6fd8281eefcf524f521aafa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6866a039562b67396ef40a35e64250f9

SHA1
bd2341a68580d7acaf5cbd7d808e83b76c4cea2f

SHA256
281a7bed1f55347b211063d16fc157e04c86e879bb56a5c421006107bc4e1979

SHA512
ce827dd622d21d8e30f4c92ef296a93ceca89ea5885003f00cb78f0b0bfb119dcecc869ec16acf1fe8c2dd40c653eb85ba42e3918f61602d2277568a6c3452ac

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e3fea1b507b76eb2c8d468fbfd84e4b7

SHA1
d8d3e21c2deddcc3d33998aa0c0ccb2e16f8d870

SHA256
d0ce8725158e0952d54ea552b953a2f565a18276161243f9b186879ea7bbed2a

SHA512
19234bda67f63b91278ecc9643074aa5e45fb2db9b6be424d26bc26819a7846d2e18836cf940411b981096667e11ccb5ac0637162f7bd6bb3424ab52d7eb7758

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
60c0d4d75d420236309d4db2142c61e2

SHA1
6bf524c3a5f0fd1c192aa70468d146a2f2e33f14

SHA256
4c1f989045bc40af67453199e9b9fcf0b12db78154e4b2915be96d900c013dfb

SHA512
a9b505236bf9ef27d04d8b7c69575737987b354ce61ff1a3fa177c714397798ca08c85ddeb303fb815a341047df7576c6a34dc301f82b19ccf4ec2a1062fec22

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
ac41f7e1bed30991ec42df9cdc7c9f17

SHA1
1e3a9efc5eafaa41b0628f159900bf818b046789

SHA256
5b996180aed635387edb0321c414332e11f2cc83b2057d440879cf9e2fc7844a

SHA512
e45cae54a308433657bb6084a6e89be266d3be9549cae7600fff989efee03b3ac53d5f3d3b83762ba1b99df44a4ff7bf4bf6ea3430b8b291e0b1a2c40bf7f0db

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a43109efe28587e898422aeae5ac7508

SHA1
79a0d41f9b3b4fd91dba267e4bdb974616470980

SHA256
3a2f7c134fd15c9d8fc2211422fd9e3640b249c886c117e40de897dba4002821

SHA512
06106a5b74e15a28eebdffcfe4861129ea544dd79263c62a9cbf21b3d2d7d86a459e124ee2b8083b3f5b3d12a7195706352f7f7aed12b04c56686ba2759a1dde

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
9df0a65565a14cde255b78f23cf70c4c

SHA1
dceb48e82e463a5f8b5ff337766bb48830307e66

SHA256
7b118276c4dc5ffb52854abdb3fce52f69d3d1a076126acd09abcd8148f87ac6

SHA512
9023109fcbe4bcb9abd21b3cc1354e1366bb053791013db15049fb87df917c693cd7068fd4a3ab6e84ad970a70a4af6c1c8af7a3ba0575526297122f8a408438

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e3ecd4fbe3e8c6763ac1738a5a07aaea

SHA1
24457297941cdeb5442262e43f5e99fbaf88abff

SHA256
51c25515ebf95b34302bd8dc9bd0e1c131fd126c13c544d7efcc4cbba1c13f65

SHA512
eb17167257c843ac544d5e54ee2691862a380b80ab307f5c95b2fe90bff684adf2b922e8a55a2dbef51389f8b3bfac7a99488871fe737c0a27c53a1495ef09d3

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
70c5a3f707afcc9e8b035f1880129cfd

SHA1
25f6dbbc36bfde3567023ca781327c5a93bdc2c8

SHA256
ca11d4f9ebba1ae25c89668125467c7b94f41438fc085884e12f387f921f3c22

SHA512
7fb3b86da4dfcb372558d2072eb5506c8eb786d04860c1e4cf89273f476179dbf0d79cd77517bddb29d5283b6918e38e576e6f9c2d9f3c837b74c50b960b76d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
46034a46cb489adadb10e39c68617070

SHA1
e2f932859617a7c69d2d6a62bd293ed3b22a91bc

SHA256
f6ea14061dd79cb3c0331eae34a68a566fe2233ae5ddfdb49951215639811177

SHA512
4202aac97b282cc9840fa61ee9e6acc28ab79455841d88c867dfafaa1812956ee36001abb06c69c2f438c666fb30f0d70b3d156de45484fa0fb56690d00c732e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
72db7cda2b7393856937194996c5e94d

SHA1
468efb97322eecf59bdc15a3fcd10c8fd98814e7

SHA256
2fc6f22b87b7fdd2f0b6271a378c1711e96ae42c1d735f1382a5d607e63ab2ee

SHA512
760e48cd81d9b135c43f7ee89c006d7e0c251a8e8daf946295515be6f04edee60d4c0982278b934612940cfe7c4dc2c653c81faa184e8be15ce3d9e0253ac580

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fe992790169914eb28cc3de137a6665a

SHA1
e401412bb381c5deaa02640ee2d2315aca767e85

SHA256
e4307d2de45c40f4679dbdcd88c1682a7b343522446804d193607fa413549ebe

SHA512
be24bc79856fb31d6a1fd5a1cafd4b2267da53a525787503d1c48bd0855cd352d866b79534fb9330166d6406445c87ec066e1f29c70811283285744f08e84c25

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c367e80f698e6b71ddd89f60b4cdce26

SHA1
fda38c8f99d3d2b1a1971d54eb3b89d5c919c551

SHA256
ea47454c150920aa85ee00ba18cf82743e6a5aff5be134a180b90142a97e04aa

SHA512
813505a34cd27b6b1d5affcabd84141d1667becd0c6fd1155ea905df430fb18abae001b6f497485f7d785fa6ef03724539f0b0bb40b4f36aaea47a05a338d358

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
b6dc32a18cc4e65fd7fa985e24444c7a

SHA1
ab52823d88f8afc8796e211e2e632a0da5b55d2b

SHA256
bbec8553a6494aaada550ed0e5737a7fa3e5ee4f3a2f56f980b62572eefe2380

SHA512
e1197299c65d35b4f6bda0d6ad14175829e2f4e7274e7a3aad08f84d54e66302f814fad8840122f7fbd1f0a5b15ed8dda444d71e5ed4cd3eaa5c6006b1d83c43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
94ae40e927739080de1458224b30e145

SHA1
a76fb017b7cd560eba5aeae66d6500f455dbec82

SHA256
226a26f6e9f1a2ec26f23194e907351b173938e5668956e37eed72fc4af7a40b

SHA512
341a3de7a61b1901b0c72549c3053544dce55f0800269b1433b2bd387b5b4c0d3208bc096e1b454722df5589a69f1e14443a4b468219deeb7e02a1535897cccf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
ca2415f32075a3f7b221bc27d6cb667f

SHA1
086f72330957377d15076bf6038a6758a47b7e37

SHA256
55dfd473487b31b6f024352fc4303a3beec97e6046aac414109f83b92a4ed44c

SHA512
ca5fc53c1e9c238587c797a2fe631a943e7066769606c04915a6d471d154c71eb9184a035f78b417c0f6e1acfb56e008b9bfb0db3cf20bad6b2a6f8bd71c18da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5571493e0fb314f7ef794f91c513e9d6

SHA1
45f625d61ecb621491e787d487b002a0e6ea5d4f

SHA256
ab74bd778a7905c33c60892ffc8df7c57f4333413815413c675c04f96df93d29

SHA512
9decc16ab4dfe1e20ed9e0b5ccb8762c963b32cb30ab27f11e84a20988d2463b7d994d019da69e7665345afa2b640cab9ced60d498b959573e0d4564013efe59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ac8a1784a531e9cc0254d9455dcbb6af

SHA1
2f36437acc548a9411b7d8834fb394d909d382f0

SHA256
3ead5d30809edad6c3e6ba53b8c8edec11077d5d6844fc4e516a6af00b1bf5b8

SHA512
fddd4a87225e51dc728d4598d8ce03227d266e76d95a9dd5b518ed45fdd3c0a5c274a6739dfb3756d2160d5956c0f55621f68565b92adbbedd63cfd88990bea4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ba0a5b1f88c5a2d2ac5b505dcb5c17cc

SHA1
1bb61554887ce515a81532e740973db1ee52c98e

SHA256
1778697ad5ced968ba0e11b65e2ae360cfc93eb2b4741b5fb57caaf87fb4df83

SHA512
da4f9440a14d27b354d0ee3bf2915918d4671c71633c92e43a5ae9f19282ce05c7e9247556b0ed155e2ec3224d1e60d9e1548a4c1981faa5551c739a0777912c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
63c7f98462c940e3cf3a626090350745

SHA1
60ecfb34ce4d5f1456b5cabdf41dad40ea111ae7

SHA256
d4ff39dae9b8d10cde09c749e14c1d3f66bc92485d76ffdf1df57a1feb856dae

SHA512
e4e886579b4ab7e73797aacbd87f183ac441769674084a37ced67538521382e3f1d68826ac7b924bb32ac4d20677dd86004c728a120a7bd77baad4e46fafee99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f6d715fffbe82ab461e9372d48a8d6c6

SHA1
1c2cb2a22011e6001cbb78e8553aebaca04cb03a

SHA256
9d888684a892d2b59ce2afe26c81e5602b87f9c3f5001d4e39857e1cfb490de9

SHA512
5125e42086cfb63225b7dbcd6f20dba4988f715f419ee80efe506d52be673283e9c54edbda406cbd4420cb7f63958150fd1e5f6114f9d7b609020f2901d371d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
36ee5a8d5a8ac8e430fec7707ca3f446

SHA1
e08cc40bb4459697e2b5fc0053f3ebe121fac0e5

SHA256
6c89f91ef9c928d2d37c6bb0c6d8f1a1479c793012ccbd61acdc0e237df8416d

SHA512
609896eeb7f9046c1768c32bfef642707e6be017211cabdde931bd75b1f938191ff611194cbe59400d596413f109dacf50e658073014836008a406eabe05aadc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b3749c6e0035ce74ebbeede9271be0bd

SHA1
f7ee82a89d5e51c6b3b7aa35891ad79910b3c6a7

SHA256
824fd8ec712d4e94bd60e38012bb96df64f7af8cbeb58c56f53ef3f52fdb7b49

SHA512
d6ed683bd964fc9a514cf41e0b6fa6be1e38e79d434c639940c916ac0e112634e81a2e8fae7d4f4f44ddb94222e2784f5e789afff690da05f8658168500c3db7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c78dc35f82cb98502932e2a58e7a7314

SHA1
f1a51ab8d06f6478e423a5e392d99e10bd543c48

SHA256
c63264102898bba9b7ec126ee2551f8be085f3ee555cdb8ecac0800ac4eacdcd

SHA512
f0f46de757b6d38c0cd1135e6cd0f315dc0451437576908890e3410bfcfcad4c1266a45e49e4ed955170fccb254b3c27d386c2e0868c068185201d62ec04709d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
4994d2d82047a93bd2325062d1763f4c

SHA1
3a82e123af105c6f2ccd2a3f589e4904338fd302

SHA256
4186b1a3619f5b093f9e178280a4099adb74ea9ce6f081b656089f954b8917e4

SHA512
d9edd631672dfabc800dbf324514565a85832d0a7de93ac66e530d79748b034377e8a6945ca549c41c820baf416321dd473e1c6b0d1a443f5e24c8802c549d6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
86794b1daac50fcadb96c1e82f8f5d03

SHA1
12a1a00167a9abec74eda0d308cdde44e39a9217

SHA256
513d1a226277e1b44fcfb6dd111c1d9adc70bbd82ade1f17d63227badaf275bc

SHA512
9e2c6c3e5a424725864941f3b02b09c06fe6eefbc1a78b54d1e732f55e795a45495e8359fadecd1c937f44ef843e3b322936b5843d3e3330e16aeb699d82ac60

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e5cfe6e4389e98e6e2ddce0195976250

SHA1
970b455fe4ce58365eadca688720b764ec0bf36e

SHA256
41f8bf768a6833bbb4d6b146fc820e65627788020d16fd65d9b594335e411ee8

SHA512
67b5bd7d1dd9c04af8a727d0199b04f458bd6e725d87e31ac712e9580d0a7582bcd92d6e5f6240dbde3c3270f6fabcef7af2d9422c88ca537fa81b5fa1b013a7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
2bb7ec75a7ed3665b0248c3404c85ccc

SHA1
4c5ef19ae9968892cd37b998373a618cc7f35a40

SHA256
122f8726d54f20c7b9ea270ae98fc7939f4d6b3c3c3443768059af2db302cbac

SHA512
a8e2fe3676fb03438ce98f35296d8381f44e369864238ca62b4332769b0492bbb72fde7edf01d7aa746ccf6e084fab93aedf411560ecffddc684bfc0e8c9b5b1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ae95215b83a0fbee14125f98d25d62c1

SHA1
163c7fdffb497c59cc1833b52727d2e0e5aea2d8

SHA256
468f4907219d775d18698107ea6d2f4230c0d1ce7ecb8fc88475a8f3ccbe2fe7

SHA512
ef46cd9c16b26c7be90cb3867c82c407d524603db704cd3c3169962f75200de7b564193fe0cdbdd973c0c7c5295a5c3859bb1fd35d4a086bdce4b1ba2347639d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
df07898093d0a86f29c557d3cc0328c3

SHA1
dd5a8e6f38924a59aa822edb782b1eb0706ef1fb

SHA256
92c0def8c74f9129211fa4f1476380b9de33e431adf46a0d866ec49edebd5ee6

SHA512
276b024e83c099f06424c09f4c50f0088d5ea0475756b5133829e58442b39b1507c390894b0e34e92d4b2632de5952a864a22091be518c882066faee49170e66

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
96a36ad52c1642b4f488d3af1f6e572e

SHA1
e07eabe884bb31578cf5362650664014c1f8c556

SHA256
71e194cdc8084c1f59fe99dd957703bacc860f1d59a13e9df6fc1810c1e57ac9

SHA512
ed40d3a53989541df240b14651f9af3a68bb1338504a0f4394c84c1e0d1836fbbbf4ffd0d76aa6c755efcbbaa51cc0685aa2738f891146c3f1f9a9c8e95dcf82

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77731fe96e0fe6f1806416012260fbdf

SHA1
bfa7e3916cf248a9b91c9921756f7b8182bb1ebd

SHA256
dcaca3628408cb99303d4e6882ac1bceae864794533f15f63c62e0cc17fb8e17

SHA512
8159c56217572bc0baa4195d9ade8125aa09185abdf4cddf10ab54dd56c1c822a07933703721ce3e390c00be4107270116ec83effd689b366e6ab2fce2e83cf6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f9ca920417a3acb6af46579c797cf7ba

SHA1
9591c274915d3e0301ad72330e70cb7de4c203e4

SHA256
2869e2f61cd5bcb76f6e5f8df66cec7d9c85c40b1c547ae84d42b3f821e392ec

SHA512
5c292152e53996391e72558b3bcf0ab9a5bfe99183e9d55f361d5ee4f61225ac73a560fe2de4f82245ae13ba0f51987fd1a785eda23300ebf504d4780ac9493e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c3039477680cf69eb54a7d7f20d4b5df

SHA1
9ace0ea752ddee5f71f2fc6e93ddde4c75d0042d

SHA256
8614168ec94e1026ace334d88a6361affd96f978db1f82a3bba6d8351a50c948

SHA512
058aae859747ba8fc433d13f29235b0b7f78e7824fe1e87cc2c1bec03ed8f1d75eaa1505d680de42100c47b6f4caafa212c0823e04217f6357f0e536c08b9c18

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
9f7772a16dbfb34662fa17569b657e36

SHA1
e84e3990a3c8ba5b93ebb4e511dae802a0ebd737

SHA256
f4e0f5672f3730dad35440fe54179a9c2286b10791ca0e567f4c1d4bae48ecbe

SHA512
54c54dd576913e0ca4b7c8ac8c278d0f295bc92d54900d0ae4d238814c343115f6bf97f8bf651fac5a86a9f224725c79a67e35867f12f4cb4b318399309e6446

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
c26ef7bce437e48b884e4f34758b56f3

SHA1
9bad8ca88db1a90add36c20dccf07253ab845824

SHA256
2d3223ae9945021da58fce8067f177d2878d123de59a22d6097ef7f1c0a245e6

SHA512
4d5f3641f6b715142d2194e92a886d0ef52f70f8419c4701c7037fa910e1b1488603f5114b96ec1c16e4e457976226ea151eaefc0585e9aba877e9d3cfd4baa0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
72446a8bb88ffc92c62f25c6da60c865

SHA1
e37de3ec8b0a54a22fdc5a0bac379ddb210bfdef

SHA256
b881d9b4a7b1208b7739a13144d52e935736b75916dc8dee26b0bef13a6acff9

SHA512
14a7265dd227e39fb3c3cbd62bba4ed0ce0675aba2ea683f9bd73753b8ff6bac56c01189d5f1c3ed138e1c8e0bf8cada01d2c95762ad4a7fc1bd6fc49385e195

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
904e57c3ad60a6c8528034d99442fc7e

SHA1
1d21769997bf3bbe79b8f04c8d7f019ec98a3da2

SHA256
20c3a24acb38662248c396113f8399e91dbcca587c1658bc35ae37850505048f

SHA512
3a2279fef783808cd9734aab61d0123156034c02c91bb8e80815fbf98c4eb0dae2e8961b95d1a4d1c50225be5f3cc561db2f1f501a197ae4039bb1399c0d3adb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5ac0058c1e431c4fbb1c3f8c8f4672ce

SHA1
439c9611598c5935ccdd0f7aeb1138b18319d625

SHA256
e7a2875e2d0612c3b51f14ec59ae2d7e3b690fc973e7acb50048bb7104fb5a49

SHA512
75c3f7b6ed675cb406bb604a2eab39e64c21aadc41b0c691cbbbb1fce953af064973a46d2928253d518a8fa14bbe7fcf68737c0658c3356271f58c86ac5e1c4b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3d7370cdaae76e36c27372362028cfab

SHA1
8a2ebdb754b9fb05d0e0fead6cd8a38db8393ead

SHA256
4a16dca11be9aaa45a18d0cc588211da7160963a0925d58bb6f4c9916694a20c

SHA512
7832721316568f5bf9997216994e76a1f0e105ce6252a1c73c705dc0b452cbd881b4e8146594803be2690aca25ff3559ef8c57d222fc5538cfd3f7bf51ca2b27

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
98821ac5d16b9bcdde557c8d5d2d22bc

SHA1
402899df1ac58296da53b2c362c31e2e2b1c053d

SHA256
9481e8ff60627b0602529f31e313b134753bbf5f8fca38eb9f594595783e6e99

SHA512
aaeffcb181cb38d1141ffb8bad6ac3f1d671068a72ea58882e7aa1c7341dc7928ab88b06713f95b466a03c232cf763b4267cdbec91407f868e5f5c655cddfb1c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9c69677830b48bc249a902e7265f7fdd

SHA1
e9febf4b4c24cffd4df756b524f798d5e7b43156

SHA256
5ae24909584a066b16b9f1d3602092ea8e67576061dc7456b702a6418d465f40

SHA512
63699fb0d953e4247dba0a3e1df8dfcb29d82c04adf990d8711fb1e52d7492ce6051fb93bb3cf5261adac06f50f119729821a5d578cf67fe26d1f212cb0e05f9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
fb113d75cad7d12553fdceb6a6bd507f

SHA1
4959c4e760a5d474d009ca8d74d1d25b41effe64

SHA256
de9d2eabf6aefd80e86cb360303e2ad9f2f1e8179eaa39824a537cbb7e74f466

SHA512
4a95f0320453b70b802b2277c07a38fab0a0b6fcf739f01b66f93f7c4bd08b8ea8c18c54690bb24d34b1954cc22d2e42871655cc8e8f84de07e35bc19d81b5b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5507afb6fcbcd35a49f147fed9ea8652

SHA1
7eb62337fdd38194e9cb85916ad85489503897c2

SHA256
eea01f1dfa2dbd16df5e3581cbc44dc8ee804aed26eb6539eecaa6a1be20a0ec

SHA512
edaedaa501ace0e83399deff0c18a9d71d5cbbea2a1e503c8abf82201704344aa2434df56175c8280c2048fd9ddfebb0fea632c99658a53149ce2c9a2fb3042f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
b5ab18f99939f4c5b9842ce66eff0873

SHA1
1ed6465d742ac6c9043b49eb037529ba544ee6a0

SHA256
7fb25738103e80f11c156ef51b06da7eae34bf2d7ae3cd65aa5257e7920dd357

SHA512
facd03e2e0e88eebc8c1b7c699275900f1629e4dbe77e5bf3fec90582fde7ba89beef674ed6b7820f7e690b69fe207a97f7f28f69640f6bcc381d02da039fde0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3ce0e5ca772f80ff3d3b5ec51db73116

SHA1
726f4073a9db3834abcb3710110eefeddd8efe0f

SHA256
012fb3389af5190817eb353c6cf3522a31575d8ad75724be6414ebc2f6c4ce63

SHA512
d587a7e585674ca5e5dac674641f3bbf31a4c93933d9e104ab4ba4eac21263f274bf649c3938c17ff3d9eb97c85b60e8d2619c94c20effd0eebe677f956de773

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
517cc46298ed7331bd96d7293c8044dd

SHA1
68b4ef1af1ea98a9ffb9fe4f2ba0db8f7a4ec367

SHA256
2eea93a0a58b5429573c9ba2226518ef9c91fadbbf96db161c4eb10ae6e28a1d

SHA512
4b5ecc4d9f792cc1d2ac4e3cd88ff98617b093a2b58234efd83643d3f387766850a8b34ff30a884cd66a0ce53fa8080f2f33d89dbf6514873305ac600754ae45

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
2a9d98f6f7e2c9e9fdc4aa6aa980c177

SHA1
d76a9c6757e5f20bf611b1ed16b85b15d4e6226f

SHA256
58a525b393508af87bfae0c967d9d1f2182942f87e6e3ff56146d6f470b2e01e

SHA512
01bf4f58d2e76ba76066ed2ad50c11d76e093a4b52caf3e3fbaf1f5b3c7f6523811784a197aea84070a9e946eb301daefbb655027ff40bb21ba70782f53f60d3

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ee6584e712441edda56abff213398936

SHA1
b08a5f4f2572de3dcdfa0076cdb8355737145756

SHA256
24ce84586a14c850e88078ca4d2adadded9b3d32bde9d89f3d520d32d5519edb

SHA512
9e1265aa47b42e71e71bf169be52594a89a50444f14419b76c54f560020f2c558082a40d72c8852c8a78a925d5d16a855f4a6db260afdfd057c1e0adbb84ef5e

Download Submit
memory/348-267-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/348-607-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1576-75-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1576-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1576-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1576-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1576-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1596-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1596-89-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1840-225-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2012-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2012-14-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2012-20-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/2012-212-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2164-268-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2164-608-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2180-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2180-605-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2196-271-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2272-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2272-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2272-270-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2272-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2428-214-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2636-606-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2636-264-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2884-200-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3016-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3016-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3016-44-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3016-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3016-56-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/3232-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3232-9-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3232-1-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3232-73-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3232-558-0x0000000000AB0000-0x0000000000B10000-memory.dmp

Filesize
384KB

Download
memory/3232-556-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/3400-215-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3460-213-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3540-54-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3540-48-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3540-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3540-601-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3888-227-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3928-609-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3928-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4396-226-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4528-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4528-602-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4528-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4620-228-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4692-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4692-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download