a871ea4efcdf300317cf46d06e9cf797ab0ee5232954024af7cccb7b3ace4862

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 16:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3cf2e6978ff432d577ca8447436790N.exe
Size

786KB
MD5

7f3cf2e6978ff432d577ca8447436790
SHA1

a3ac2217c72db4fafa3ae5a893a819b1d38f3a29
SHA256

a871ea4efcdf300317cf46d06e9cf797ab0ee5232954024af7cccb7b3ace4862
SHA512

14e9046efb794e0527f04f4ab0355eafd255ef845db80005b5f3d6be9e80a1cacc4bacbb75ee9f462c458ba3beb7756dc7f53ca7e8ab3554743427184d4b21b8
SSDEEP

12288:RvWxHwOJ6z4Tfx9QfRJlARaGdf1IrOrNhyRfLz707YH7lk9wl225CnPkKb5rdRYd:RvyHwOhTJ9svoKFLgYHJWwl24C15rDY

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4688	alg.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
1752	fxssvc.exe
4452	elevation_service.exe
3532	elevation_service.exe
1700	maintenanceservice.exe
4836	msdtc.exe
1660	OSE.EXE
2124	PerceptionSimulationService.exe
2432	perfhost.exe
1324	locator.exe
2628	SensorDataService.exe
4516	snmptrap.exe
3364	spectrum.exe
1084	ssh-agent.exe
912	TieringEngineService.exe
3436	AgentService.exe
5048	vds.exe
4256	vssvc.exe
2504	wbengine.exe
4460	WmiApSrv.exe
2324	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\System32\vds.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\77136a48a29f13f8.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7f3cf2e6978ff432d577ca8447436790N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f597670c0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc642471c0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008bcdaa70c0f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007b4c8d71c0f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e8f59270c0f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
3216	DiagnosticsHub.StandardCollector.Service.exe
4452	elevation_service.exe
4452	elevation_service.exe
4452	elevation_service.exe
4452	elevation_service.exe
4452	elevation_service.exe
4452	elevation_service.exe
4452	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	368	7f3cf2e6978ff432d577ca8447436790N.exe
Token: SeAuditPrivilege	1752	fxssvc.exe
Token: SeRestorePrivilege	912	TieringEngineService.exe
Token: SeManageVolumePrivilege	912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3436	AgentService.exe
Token: SeBackupPrivilege	4256	vssvc.exe
Token: SeRestorePrivilege	4256	vssvc.exe
Token: SeAuditPrivilege	4256	vssvc.exe
Token: SeBackupPrivilege	2504	wbengine.exe
Token: SeRestorePrivilege	2504	wbengine.exe
Token: SeSecurityPrivilege	2504	wbengine.exe
Token: 33	2324	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2324	SearchIndexer.exe
Token: SeDebugPrivilege	3216	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4452	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 4912	2324	SearchIndexer.exe	113
PID 2324 wrote to memory of 4912	2324	SearchIndexer.exe	113
PID 2324 wrote to memory of 4644	2324	SearchIndexer.exe	114
PID 2324 wrote to memory of 4644	2324	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7f3cf2e6978ff432d577ca8447436790N.exe
"C:\Users\Admin\AppData\Local\Temp\7f3cf2e6978ff432d577ca8447436790N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:924

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1700

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4836

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2124

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1324

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2628

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:668

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4256

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4460

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4912
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ea9f3d37c788d11016b44fe582b89ec1

SHA1
3db9ee6edf790e85d93b441af71ffa51efc36dfa

SHA256
5c78ec16974b19f56591ab0bd6d3ff668b4d026b0f11e89360de11a97fa0fa49

SHA512
e0295bd3f9fe8e902e98e7c9a3f996cb0d341e5ab328fdcb3e70c655232a2f348cf9c93116ccb04287759760210f600b40923b26b16a1bfa2960663ef7bb3b37

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
cfcac8db473dc7857f5d7385fb20e53c

SHA1
9663e799ddfec17c0c27b452939611be870de474

SHA256
cea40af971ab62d3ccd853d1fb24d2cefd752f01f748cbe38e357bee550de7a5

SHA512
32377af62050a5940b525260dc9733fde51ba8bba6de0d9240135c70a34fbd9262d6fc22c05e84d58feca0297cf86975281184ed761a37c89772ab70b666bfaf

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4fb84724ffff7e6369b189dd75385a97

SHA1
4c8e662afafacb41fe629adeba0fe9cf7e77f022

SHA256
397093a3631c91b979a674c95f3110d8c0797656840f5321b5fdf21b75f153d9

SHA512
171fda11141feab37c0c7b426f99796d980999476c5481ebfa302a0831dc164c259fe67a99bcc5c414396520bfa5b0acc46ee8e3f333a146fe646d0d14d71737

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
62cd5160012b3ea81d0535603164b26c

SHA1
fb09e1adfb749ffb90258f2eb99709e80313f3a7

SHA256
7470b28deaefff56e51aabf95eae05c442b6291319efbe3e878fee57464343ab

SHA512
c2e3de41f9aabf505ed37dfb8532db68d20e0bf7b51072e7ccab20c587a544d2ac852f44ff3ba140bd6197525bc7624820ce2532b8d8b577ab572e14a44cfe1c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d7985c5b58afc8bad66ddc838a275faf

SHA1
a9225473484bca738b3d1759756e01cedd26ab1f

SHA256
17e1d9295388d491ab5a2915a41ca4d696010488d34c2941c6dbcaa5b214b88e

SHA512
e24eba1e1d3c10274b77714c65edbd3e904338839df97668014c28fc85e3a9fe0cde631fb3b70e71184c918ddddf9370a8e2f8f673f160e460b81d309f599018

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
bef6acb9541cc1742af50b5a7ecede77

SHA1
5fba71b157c6ded042b2a1f35aed8bf1b9c2f003

SHA256
62d5b78d6e8951a579450767bb8c4b6747ade5ea245d7ec8f7240aad02f1af6d

SHA512
f055eb50a811423020fd484542875dc8507eb7d92a0532a199887a047d4541690585ecb77b0101d46a5117ffd308d69b6bb7466ec1cf7bcd141ad8a0c01bc8ae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ed4c7bbc246df8ae8a29da34393fdc70

SHA1
ca0435dc38e6df4435d96823690c0adeecd1abef

SHA256
60778fcf565d7eb523dd2cc8cc8515f3f6bd292b2e3f3df8783d049d3f8fbeb3

SHA512
9c3140bd4ac158ce30128c069a80abe30942b3ecbfb7fb3ea7290c3549512bddfd3265bd85fc751947f73a63d2306f4b76c8a4ee27289b7fb449b830c9bce619

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5b145e6a7019c02d3ca183336d69bc7c

SHA1
e74d1c5e8616d21e9e414e51221d84c829909af2

SHA256
d3056058d4a5e60dc4dd4ef3a0b2e651536c0b9e597297605e34ce9acca24342

SHA512
538e5f2e55ae6ef85ea7399e6a6e9f254862b31e5bd4a08d6ad8acf6abd2435f25075025ce9796bbef1b03756fab65b55073eeb5292e4563b13fd4d19610e651

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ba8075484365647f3493f7664a992fec

SHA1
7f35c6c5b49909d87577ed26661deb4b8f16417e

SHA256
beceaa2fc55e43f065e5f2e705d1a38dc6380fd3153680d7aa4575141a41c643

SHA512
b180d0b41a6a7d2c3e5a92c4c9fdf1b981320d30956c329a7ec3bc5c032f97679b9e8821c466ea833daadb88959ef34cf13127fce819c20f5627e4165b3b1485

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5e6b8af1fef5b7f2fcfb4325113ee6a3

SHA1
66292bf7d6ed7305e0103d344cec4cff231465f2

SHA256
d227e8fd8c4621913b9df90c551d292fca2264d4f6831d68eace3bf377aecc43

SHA512
048b0704480f2ace11904209bb799861a8012a538fa675e434a717a662039f6cc31abf1701ac0de819d9e7b8f810cd1ba69de92d2c8533b249823a4ecc2fa294

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
29680b10b365b03a6a46290ecea4b5d5

SHA1
6cd6d7a3a91ab15fbd9d054fb5ec2ba46b4d4a8a

SHA256
a0587780468c5fddfde4cd7274c8d36b2008a0a857a2366aef76f88ac0e5b816

SHA512
aa0387158881b5b326185cb344a18be4015d427c990993457bc39ae37718cefcf8ba2f1a689f6965b4bfb0e2c00eb4d45a1d2c4f390f658085fc16c17787bd10

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f33aa855e0e463122a7f09f9a9aedebc

SHA1
44b178d482de509a8d1981206ba4ac42f1dc1ba7

SHA256
8389efc30473bc33e210fbd2b48707c265331c6256ea73142b2f2e9154fbf5ee

SHA512
37a20dd2c86b16dac1633da96a5ea2ffd6c4c09a1ffcf07def6dc6e835c5740b2c1ad0468da85330743a7cb48179fc3c45effe3056d0f7613c29e0cdc3f19f7c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
761210dcf924a2769c892c4f2d6a7b1e

SHA1
37860fe75f85ff65f8de7bbb800dde747d7ec070

SHA256
ea14071f05c9ccfa9566f74aeefcde0ce7c7129c0ef531f8a813d94f259e7b9e

SHA512
30c431e7bc1b5f03abbb977788557fb570e324e4e8c4308d628960c7d4e8e2232bc11f1093acd040c39aada8edf44d4b34a5e9101ce9e39e167b6c1b2c8b1a3a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
2bb142bbac810bd94c8dc4367a417906

SHA1
e88dd1b6397738cf9ebd79bb62d8d2fa0081e2ea

SHA256
f9f17d846da8b5a84639142dd234a180b4ede27d3a809a12eec6e378c6bf3ba5

SHA512
1cb13389c359864844966a7caeb23c0ace7d2233184d00bf459ab5a7d33a6bfb2c0d049d2c572b325b37f49e958a9bad27613da99fd5271ec1c532427502bf34

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
083db8e15575450a7d88b3c3bd5e0812

SHA1
eaab59c527c8be404d489c98c1fd89e5b92a5307

SHA256
b4393cf27d7b253f298a83959db02d4b176ead4191e2e38ada3d917142e0d002

SHA512
9a80d2655918f078215ba068efd7abc759861df961ede25c8d418df2830b4aecab272214318813b79f130ed324840a4d14171f2517bd138cb9197db1789aac04

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
85501755d6654eca5c4e3f36ffac16c5

SHA1
57c7c2165f916a0c3271bcd5b3811e4e451864be

SHA256
5bc53ae84e7c07a60edc866a9591294fddf3978fd993bc6c66a5edbda3c15a5c

SHA512
7ae18dbebd10b4b45a1c8e9ee48f6ee972c6353ac024713a8d5625424cde20bf6336431e9be88aea46dd2da1d129e7dce3cd41484e031a9b9d006abecc31ea5e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
a2f7891ab48f8eb0dbc8f1ef8593578c

SHA1
0273f12a74f1347d6dc16b395e29dcb6a379cb17

SHA256
a709c6b7c0ac18e93058af02ccdd9cdd9bef778b4a24d4f0ec514e4c20163a61

SHA512
7d9179c6d76730d918739a4f6683caa9acb35a2752d5269de7275f3544148e9d5715dff8b1de7ff046a94aee1c0dba1cf74c0fc7f8935f4b9993936287c42854

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
66a800065f231dda0c8e494a230ed336

SHA1
7dd9727c8b11a926e4db9eeeb9c6c2d7714acfa6

SHA256
57aa65347fea5b6a510231c3c2dd2dd16b6385d741869da9d39a76df5e5690c1

SHA512
468dc978522b8c44f8b2a782445b5572d0b9939bc9793c8131123385d227d9eb41784783c608703092743d368c066739f1bee414d5d48dee09ee35d902956f54

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
575c45ae34dd73120ad6aadca7f85b9b

SHA1
3441699807eaea1500fba7474d9101eb1e95a253

SHA256
889ecb2039c927500d74ae3a778b7ccb120010977c3b0d5d25d50f630b5fc64b

SHA512
d54e372fdd97019784693f59fa1f821571dfd5d53aa8d61d8aedfb8d11e9f985cf1e79702d8e3fcd7cb1c689413f23e8b50bcbc0c922676f3fdf0b95c61056d5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4d8c37ba6cf4b6472e17dcb4ad640327

SHA1
29b08a1c590f1afa3755f1480eece499e6fbe112

SHA256
814830abb70fd8068c2dc51bca2b8f5e548c0951151d3137e80d71d54973e24a

SHA512
2553acadec37dce16f7ff3c4dfc431968f560e28243480ced8ae1febb2a5e173478064274c2f40d69ffa8b08d7e8684a19a7d941eadc46c82e940402161e2510

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ed1a767204bece2dd20f12287771f2c0

SHA1
2630d7f38782fc2834e10be0301b03d11bc89939

SHA256
309adbef51fe9225a407be2ece3a1b08198de5927a1219b662b79b5c1d750806

SHA512
e169efe5a9dab2fb3ae1a887b31b964964774e575ddb3df776758ceea3c5a44231a0e2a6fb3d1bca64da93ea06739dde81d7e89453cdb1eb6ce5c5e56a0c1207

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6c9bb130a121ac8a785e18600720dd0f

SHA1
4ed542645767936a771f226406f9761ea117d391

SHA256
82164e708952d886ca699e9f2eef69ead1402885a65d8b54d4047471df3fe4af

SHA512
0de3941ffe64cada9d8bb13ce9fcd015aa0a9a9e46cc9e14e53545efccbe6ce537144897045f0f38fa4192bb84535012607f83af34b24129c40ca8a95c1a08aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
5dc1f425b59f0f4f19e4238456017e45

SHA1
198a018f998528728c3f8cb78d5a3ba98abfac47

SHA256
b1ad1ae644206cc06a82c19dc5483e9a82d286b90e946a52540721c51901073b

SHA512
a804e8ffe6d29f5e09e0e9bf89d651b394334f5e0255547a84b14fed4029aebe6bf3956ea1b747792b773faabdfdd5ef5e8dc140d7e999559f1f13d6d3221585

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
cc621f01ed258602b7734d6c3573ada3

SHA1
a297ccafaddf60f80769871cb1ae4c09bcf151be

SHA256
da0bb83a8ec7c701054c44ce8ff673e1a9661aca06f92d1e7015a407bd74152a

SHA512
ff4d16fb9f89ad8967a3070b320f137543e52bc08c39083d0e386f6ac711fc4a7aa9f7de71ab4e029a0f9d893f33ebe5569b7fc934703b988301f7211fea2d1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
abea163ec636bcb0fef39b8101ebd48e

SHA1
9835a1291c718280ed3a870c7ede700db2078b5c

SHA256
02cb6d5518ea9c33a282d6d3acabca5957548854013914ee05d03b5b637fc1c2

SHA512
30f2be02bd8bb8302b5c3a1704cb0728e485cae617ae22407eac73d80baa7a46b3e4ba5709bd20d90ef7f1a7742df0be4f44509c56959714f4bc8535d8002078

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
cf754f8165bc4dad669d348101836ea2

SHA1
c8e57384c4d2b954ef38c2b14329ed996cb67433

SHA256
99d2925d116089d80f908804f86a469d53f2452ac0555c48017ea3e64f441601

SHA512
8f926bd52fa3a25773f8fd5ac5e4aeb9c5be166caa7da06d3e3d3d8da772942f508bb2e547ad50ef7a3de3158d26beea83c78e65d09ab295a7bd0b7c6b5a2b2d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
bbdc848fa7ad5ef8b9d68a7e2c04f3d5

SHA1
8c12d8c11ecb4acd654f3a5a9b31caebd4497653

SHA256
c76553ada9cb71da64f87c278e5c317807bcbbed32cffa44f472457a1d04b897

SHA512
7ffb1288cb32145ba12b04660223fb2fdcd37f674e8f601da47076da4f1ca21412e5b02fb43737701bf2e59c9907f62b17a8cccf19a220c0ba64ab51de617b44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
e979f17b2b4684a5752ce11949705d21

SHA1
e4dd15c8560ab413d77b63534cdc8b406ac9515c

SHA256
6c85c45978971088b65d37ecdb4b3fe9a1fc3edc651ec9e7e6bc892115b1abfc

SHA512
dc8c9667f795d06c582963d65e05b73e7d5ff725755e7520fccf7d6e115c042c8ba38901140388e8f4694e36646027314e6ef86fba17e563f26f27a891e35991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
12d0687d812609bfcde792d3c74c928e

SHA1
4976833ddcb91974201af0f1c12383d16708bb78

SHA256
504f55724fec74e0af6c92f172fdc04cbac74944f16b7614383836b752f5e55f

SHA512
eebb4736115d25183d57edb88de3c8856f864f0530b967bd40fe81888a22f1f851ed2d86ba77f8fdcc40e1662ce425248262ebcc5e433d8cd7e540cfe8a84be5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f70d4b6a453ada4aef366225abbaa4b9

SHA1
c91ef50498af5b3b0d17b35cb490f47ab2af2fa9

SHA256
87d59e5e91c325a7398f6812eedb14c171cb624334c98a793121eddfd5486d36

SHA512
201432dfdac5d3cefe81e5fea8aa18ddba84c4efcd5b41a78e4ec5d36f9d8518fb98b54576ed2705e6322d5e245b269d053d9b30c459dc196583881f48540163

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
b3fec392399a7524d8453ba8038cb8d8

SHA1
3a9db3044fab5cc0d248e32bcc84455f682c8bb0

SHA256
2146d5592c867335e76adad1bbd4c41e0062bc93b2f4414873f1cccbd1e70714

SHA512
5be88265e18d1dbf78ee782b35ee058519c37309bace13b77d7dbda8b24c7b0a648d77fe5b210a05bdd01499699cd8e17226b49ad5c9e1bb5d689df98c6f6b17

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
da7840cc53f2824be6aeeb194cd67967

SHA1
08277b961f19427b581ce7ec4a61bf604f5f32d7

SHA256
8f77be942586457b0a9bb1dc70ab5ff95c9581854e1147801afeb926834d3321

SHA512
5749da7a999ea4ea182e98efa30a2a7bdb6d7f20d53bfc3642b22af0810b36fb1b1502726e7a0c1843f66437cf139627b0d2b6c357c11fc51c87e3e85672293a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
8d13cccad94479490307ccbea5816533

SHA1
91a30f4200c950da8a04e91427dd07e1d731a631

SHA256
4ad7942e20dfa70796b12fc00eba0682503130c9d342cc708eddc0e052d05544

SHA512
b29fc0e949605d3329f463cedfc97e1b9d17fa93a23a6ae8ea23b76af67f155f87c2f7794b65782e62387bdc888a773b110a3ae82e13690941c75da1c0ade978

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
d0b6e7ed9bd20ee5097fc301db3f3c55

SHA1
8858587fc9d168e646ea8829a8e28e82fb368e4a

SHA256
0b543a79edd70cbbd35d75f919f9fe2784d2a446c534a32aa7ddbe97a1385dff

SHA512
d8e1f4aba77088340028a1e922a2912bf21012186542108c06cd6e61cad078136b1b98437860f4d32316f913a4ab160a2c19fd19db33452356b8003440091010

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2f618f2cf8842c612f4acd837f8999b3

SHA1
6c503d24afa51f602906f0ec3de09f6e1d97c295

SHA256
57d6fd9a8b57462ebcf0a95fa17f96e7a79444453e09a6556c57c5aa6d0fb618

SHA512
a1c855a74acdca07d864f5686e4f2f0e19e4c4fbd76c09b4266415a3e725fef1ccb61425c3e26f3a5cdb9190ec1f3db1f86bc61bfcd5f11dd267e235085028b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
011d177692bdf98de13d66db3e95f837

SHA1
53c10a09548950f5ca9b142012bddee7337f3061

SHA256
149f70196a2b6d699b51f088b6076e3b41bf58b816f96c1d6b89237fccf04f8d

SHA512
6807d0b0137df47194e7b5ba24d1e159398659c6ecf4b9a466081e13b93436d1502bb1e5247b2dc5dc20e77a20c96ec28f8cfcf20baf53dcf71291e2063dd177

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
92ad32eb7767007ec72c857f4375ed7b

SHA1
a0a611797ab1b5b570c34841251138349994b867

SHA256
cd2414fd39e7547a2d7d45ea1301da7ad4e7016dd9ac8212ddfd6a56575c06c2

SHA512
3f44532ca498645ee705385aed29e004e6e772fdc794a9e810c86e1357cec09f225c1dcf97ad40dcc4e1fa0d0947994ebfde0781905c3e35f6fd8bed77b0284f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9336f8175abc99fdeac09a59e07a3ff6

SHA1
e0d995f7d9ab90185ad2be7ee1fa5dcac005212a

SHA256
9189c059c1280ed6dcad556a48e3e91c8cfd28514b430d9889232e4b42a0ed9c

SHA512
5bd10f0aae178837c1662bc3be3fc4032143a17064e710ea2af461184eb2d25e9af964e0dbfdce473053b41df31045e91160a001269e13e9aab2f0d4d7608655

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
1bba82ecf07fea79e992ad71228adc05

SHA1
02a6998d234dacbe0eea2f3a1349a08c3af32d45

SHA256
47a31192aa7a8b61e954a1624280089d62273e0347c726dcfc7b6ffe16f22355

SHA512
9575303329d0eeef2beddf851fdc196f0c04c78815289a246889c9ea7150ed818b8c87f950447acc802b5918f5435ae021950d593f0a5fc5761cbb828d78cb95

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9695cf70f2a9d2e5b99eacf638431380

SHA1
2050984ad27fdb1c289e6713515caf033a2d5032

SHA256
de00741a731c0c93dc529b614d172c8ba965aaa098a815b889deee7f1eb09fb1

SHA512
15f10a6604be03d4db70dbd6e6a8597dd6d6f987541b5773d40c8371d77cf3b8f43bdfd1676e5389d38835b8a35b76fe002da3ed724c5df23a77a584a20da87d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1656412e795e13a1d8c5a491a8ca77a5

SHA1
65462ab8a9f4963dfdf1503b9218fe62eab05fc1

SHA256
8ef6ff16922e5c598a1083be62a92e1a1fd5f7350a1004df635a83eb8c05d6fa

SHA512
fb212fae3bd54b898bbe4ea1f070c3b9c6b9391e8e3534a6c0600f74b4f7f3543753a286ee31bfa48434ca7bb4b6697799dc69a8db69f4d582718ca4c44e3673

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
2899c2c71cc6cb811f8f6b30fe9767bc

SHA1
dba32e79824e48d5b4318d7fde1c90c2ee9558f3

SHA256
561d5e9c5936a8047c743ff3012555b700867b749b98f318a9a4f33a4c629d67

SHA512
5e21fd9afce3f92666ea9d7da2a070f8ef6e7e207778214941a97f3e3afc420c7aa7c0907a9197c0a0fecbf4242159c056249593b7493e1ba3cc76861c1ebc98

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
95583aa0212925cbb0f9d13601a43b46

SHA1
f1e33650ea3dcc2e9e9469e3943271e0b57c5a18

SHA256
2e4cc478f31d7e152e90838fb6a978305f3e20808ef1b5b10d1e20e8a2650a8e

SHA512
ad70480945bf02ca10487e7850f33fc54e0060dc07dbe5ed3509b7e8c7b5974f460f0e4b0f5c29161723cf685facc972b8ad7a994b3cfdbb77b54b498677653e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
27cb2a0ad10d15ded36a571a49594775

SHA1
ba30ba148e200b6ac93aaf24eedc565955adbb6f

SHA256
94470814539dd236b52c8246dc65e95cc273230720f748ef95b6bcdfe2a5e56c

SHA512
f625dd4d6a6644f8e0545a3b6f93344584b61da18022326b316a08cbf6d1d749df1879ae4ff58b0f8f6bc26c9323988348bab90a694d2623456cadc482714b19

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
cfe5f691e1af7eb6e2c70806ad66db6e

SHA1
926a14de3821e1cef6f7be70a437b10fa4c8e67e

SHA256
21227dd4ec76739c85f9dbb7ed5f6b7d690aac69327b151d4a99abe0fd3586e4

SHA512
b5177137199bd0ddb4dddd2de237e558baef1675188afd2938d32f0da979c4238ce16ca8e8ee7fc4354cf4e9fab828dfbb9be4a3afa339feb98e8282a1ead364

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0bf32a5c5d0140251deaef355e80328d

SHA1
15ab11474d978d2925affe7d949b96cd7d0d3207

SHA256
68aa1fcc7786569788716eaf669ae1008a8c49e690f95aef8b191371a58fa89c

SHA512
7240913deacb2dc04e6244f833eab79ab0a4e2bb274a2e212693a1d48e76596a440e46afa0ab2542ca8ec5898a3af907030ac323fb74be100c64593ccd9e85b1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b37eb91ad3a437c7e5d4060faeafa55c

SHA1
54b27582f5f26e1a1825a5da262adabc491e95c8

SHA256
1ae8e1137b324942d388c09d968365a05a42c77b741a39c41b0d9d5d3a7f173d

SHA512
2bfe4a4f2e17e208e89ed326567734fac9de2762e2f63c8a22a5235b31445cef288142ae9ef7cd5f6995dbf6b91b1e5023f4f7e0d9948268988439305736ca7c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3ada80430e3ce2069fcd4751b85c399

SHA1
d7ab0f1f8d30d5261f6f829ae687d968ef9247b6

SHA256
a2605c36127fec816299c4d0aa94cd4bc12adbaa82e5d62aecd9f1327222d12f

SHA512
677259a50850f005d29027aabf3962cb967906221d19dd90f30fdf73ec27467f9f748180e0d9315de4d9cd5ec043a2c7edbc7b15b7bd80ff27dc3d35bf769829

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
535235fcf815b49b9931a863dbe2093d

SHA1
4c0c356e58473419bd9c7ca6e942a8f1abeff5d4

SHA256
7c2a65b920dfa205b6da6d25d6ad1a6b7248121ea8ce5d587f2c967d9ce4a5aa

SHA512
0b65b6e127769d6eec4d42f9754c8bb72c5f9de9726727102e38a0ab43ad056f85b07b59e65362e6ab0484ce181db82dbdcfd1232656a126adbea2ebe5d10aec

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
62d348e059f3fba407c022997c10cca9

SHA1
7f8681208ef15ad6358cbe65513f1289e3d84ce0

SHA256
3107d5b03ab316273926597ab3cf9587275d22e78f457038619f57041bb0c432

SHA512
5883fc270a2764ccfa34d88a3897b83d0af46c9dc85f4fb4ef0d28ca5ac436301e6ff0a514867d4ac16d72a3bd1e52fadf56996cca57308058fbaeced3627ba8

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d437b00a43229b5e8284080574892d1b

SHA1
7ca203d58290122ba09882d4be311e560fa1dc4f

SHA256
17a1a6071e8ad0498f5f61e94123b386f8731d499fa93e48aa28a370467dbe9f

SHA512
6c1f40a1cc186011e4efd6cb88c4938c47f517e5da4db5905383c2b414167b7fa2007c8e9577f937627ea14be08b32e41e76434f2d593dcb620da5bd64dcf5c2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
aacbb6fb23019d9701f60409c213b468

SHA1
ddd9e46593ee8f08adc31ea06da956d96cc2203c

SHA256
b61683738f857370dd4690ca84fe52390d40e48231a519611d3be4f403732be2

SHA512
0790691c675ae6d8d88b7fe449769719fa91e6c7898b63e834fd12c78933d4c7312ab535747481a61a14674a5996d42a7a725206c4253e9630f4baca43962bcc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c71ad9d862270084a3f69473c42711df

SHA1
4677587ae5b77542fee935c775e6fe799b6a8c15

SHA256
b1f295afa76e68ed4422ba78570903ad1b326f99712e2680808d6149f2bde3a4

SHA512
14cf3015c1ecc7314c8e2846bf1222969dbf831ccd973b6367f26dfa2eb0eae61859881a43abdc1b816dc8df1337f88c33864a1ee2b4c1d419f36af922046aae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
33eb8fd330de36b95976a02e523f2440

SHA1
5f59539d78a2818a07c501b695048037e7bdd03f

SHA256
54e83e7e09abd15248a0b6796ddacd8f0227cfef359e9801691263409121f0b4

SHA512
b6be33c19a7b39b59bc1c0812dc302e2744b88260677e1c0e6eed3d88c692cb85425acf64dba92ffbe5c50ab8fd4cef1f78a434c4cfb0b7355f22253780119c9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3b04461aa3c510fb8b67d80b0060fa5b

SHA1
9a461dd65c965a6977d3920505e731b9a01d439b

SHA256
dde01fbc2343faed7c0981afbd2987f977b52aba431aaf2a1b70a263220fac8e

SHA512
8bd827f4fcd41fe51d24b96a417371657ef5c25bec69d2b0a889dfc89ae2af7ed16eb9e7dbf9a90d6419380f58b1a1031f1684a3c39e8f866e7bc4a21704c7c3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
af9213be2b033910aa5264ea4ea96e61

SHA1
9a1e2ed65d04e1662b7ffc0c7d5ff244ec3667e0

SHA256
0f9a1880797904d04df12299632191c66b66756f167818e01f3ded9102c9fe16

SHA512
6bb3a479f668fbbb96a74f4b66fb857e0bfdf91f1ec75c1e697acd9afed4217330b0af347fa47ff2d5e8c6d14fc3eae9754c63dd6b1787bbf4fc2498ae2f8966

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
eb8ada4bcced9a439a95e694d8b17d41

SHA1
139bf929a49530e29b8135a799230f01945020ea

SHA256
c50672313114dab2630f09b831c90da0c3ce39d2d72190ba65f79fb5f886443d

SHA512
4311e8894e46ad199738eea2baffba25173d9ea6bf4a71fb8781d942278f995a5ad614290641abad1ad81011d11c4c54b057517f2b3cfa2389f42d60340a9a25

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
283ca6e9dd6873678d3f189e5bff59eb

SHA1
352e3452f79913d99cbd2996fb41333a22d5864c

SHA256
222a3124b0f5c120daf97d2dd8d8c5e55954c98fe96a09c4ef8b6de2055228f9

SHA512
27f9aa97d694f7994f89e7f9330b0f9c01d26d60cceca2dbc294e7dfdfaf7170486d0df83f8cd62433ad5fbccf660bf9febc10ce31ba0930339ba8a0140fb64e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b218cbb702575e70c5fb8940ef46cfa4

SHA1
97ca7ea4d034266be5978956e3f9b88bdad36a51

SHA256
a046c34b78cce88c6b39bc81e79152a2ed46cab5e4b7f57194e4f7d00e4e3a35

SHA512
26511b2644621acc286ac793a6f590a884d9f77ce4da2a95c3967b2b12596a8370a250527ab216825f616ecdc952654cfd68b6f4e720266d7a7c2ce339004c76

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
a59962d7cfcf501feeb25b24873348b5

SHA1
b66eb29f115fe4fd1848d991932a773cfd0c9e77

SHA256
21b3f0fdb613e17125bfb3e06652da0c4fb55845ec4df3c3394803b3ab483196

SHA512
afcd394ecfe2ff08cac2bf61c8e795989089c434948d4c289ebe4eb5efe6785193ac2265453188144b0d6fbfa789da4c632134b70c9d3b8bec658a3a62262f27

Download Submit
memory/368-75-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/368-421-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/368-422-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/368-9-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/368-0-0x0000000140000000-0x00000001400CC000-memory.dmp

Filesize
816KB

Download
memory/368-1-0x0000000000430000-0x0000000000490000-memory.dmp

Filesize
384KB

Download
memory/912-154-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/912-407-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1084-137-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1084-406-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1324-113-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1324-315-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1660-79-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1660-83-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1660-76-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/1660-158-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1700-64-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1700-67-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1700-69-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1700-62-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1700-56-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/1752-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1752-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2124-90-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2124-97-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2124-91-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2124-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2324-177-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2324-519-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2432-102-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2432-108-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2432-210-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2432-103-0x0000000000770000-0x00000000007D7000-memory.dmp

Filesize
412KB

Download
memory/2504-173-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2504-517-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2628-118-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2628-518-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2628-360-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3216-26-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3216-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3216-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3216-112-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3364-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3364-382-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3436-151-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3532-136-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3532-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3532-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3532-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4256-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4256-516-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4452-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4452-41-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4452-123-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4452-39-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4460-520-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4460-211-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4516-120-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4516-365-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4688-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4688-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4836-155-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4836-71-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5048-515-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5048-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download