76082ff45cc7055692bd65c79ebe843ad9a150b0366cb03b4011356bba0ffd9e

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Size

2.7MB
MD5

f5b81b9d05f904aafc1bdcc9e07dbfe6
SHA1

24bfff51d3cee692c93c3042ed1113a60aff57ca
SHA256

5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f
SHA512

916b57875f07d3d38790e98a8e2756696a06cf02424240985fbb4e195cdf1d7d07f8c96601d011264075a7ae8ca52b2da56dda5e18dfafcfa8c066d443b7b8f8
SSDEEP

49152:QyFO6qPehNmKFmWhDcQi3RJbvJwT34RpAtHGIQkFzNjteyUHBdH3F2LNiXicJFFS:1OXntLEGIzNte9Bp127wRGpj3

Score

7^/10

discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2108	alg.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
1852	fxssvc.exe
2388	elevation_service.exe
3452	elevation_service.exe
4908	maintenanceservice.exe
2332	msdtc.exe
184	OSE.EXE
3948	PerceptionSimulationService.exe
5108	perfhost.exe
4564	locator.exe
4092	SensorDataService.exe
3496	snmptrap.exe
448	spectrum.exe
2480	ssh-agent.exe
860	TieringEngineService.exe
2096	AgentService.exe
2372	vds.exe
3932	vssvc.exe
4856	wbengine.exe
2164	WmiApSrv.exe
4484	SearchIndexer.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\locator.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\System32\vds.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\81a726603e6c0d63.bin	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87843\javaws.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000871262a36055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000000937fa26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000605884a26055db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d0d766a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef46f8a36055db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009db7c4a26055db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,1"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe,0"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinRAR.exe\" \"%1\""	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1136	DiagnosticsHub.StandardCollector.Service.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
1136	DiagnosticsHub.StandardCollector.Service.exe
2388	elevation_service.exe
2388	elevation_service.exe
2388	elevation_service.exe
2388	elevation_service.exe
2388	elevation_service.exe
2388	elevation_service.exe
2388	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1256	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
Token: SeAuditPrivilege	1852	fxssvc.exe
Token: SeRestorePrivilege	860	TieringEngineService.exe
Token: SeManageVolumePrivilege	860	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2096	AgentService.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeBackupPrivilege	4856	wbengine.exe
Token: SeRestorePrivilege	4856	wbengine.exe
Token: SeSecurityPrivilege	4856	wbengine.exe
Token: 33	4484	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4484	SearchIndexer.exe
Token: SeDebugPrivilege	1136	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2388	elevation_service.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1256	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
1256	5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3580	4484	SearchIndexer.exe	108
PID 4484 wrote to memory of 3580	4484	SearchIndexer.exe	108
PID 4484 wrote to memory of 4824	4484	SearchIndexer.exe	109
PID 4484 wrote to memory of 4824	4484	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe
"C:\Users\Admin\AppData\Local\Temp\5a0214e85d7d0c2f2fbfc204c90099e3b553de62e8b994a65b158dd22a12ef0f.exe"
1⤵
- Modifies system executable filetype association
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4388

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1852

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3452

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4908

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2332

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:184

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4092

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:448

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ca8822a2b805727115910a21f80b4e91

SHA1
10049be03fd71673d31f9a1146900b574a8f1974

SHA256
a16b0be85c11d0f424303e955e2fd80f73f312253e02219c0d82e8021b8cd8cb

SHA512
8fcd64d500e72276c04fa0cb776281974d2abe08addc5666e86c54834587a8a9df1740e7c99febbd5d1918572245186e77899e8095d72a2a83b1bdf85caddd6c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
11329b621d7c89b5cb0dfd666df13f97

SHA1
4b7e9deaf70d1ae46e447d012ecad7c15b56d7e8

SHA256
b57f6c67d650caba00792309aa0505632f49a0c415d8b21f6a87d15a1252d777

SHA512
01508549905addef0e2e093eb2341e6162f3214fa4af0f1bdc415d5220a2e6ebcf31994cfdaa4c3af11ce89e530e8cee530c550a8c953b222cd6966ae13f9146

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
44b1525e88f16310189303f811650b50

SHA1
dcc9e523df17b7d0a1a5e7abbd1a1de0e7de2b1b

SHA256
537b2627d3022172aa3595d4d337996efa57e22e8607f4a235c45d164e3cfea7

SHA512
8c77cc29adb4b50f3575c1354c89da85201f9cdcfb8e5cb9d8b3add5abd64b1b9177a2198e34b2fae4a85ce709fd1cca4d3eef976b8f08f2b3c16c5f9d06fa3b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
43dbba6a05b1951ab83fdc864dd350c6

SHA1
81240a64969f8a9d2036cf9379a79874574d92b6

SHA256
ad93c475742233749c3717f368f7a926138a4daf7eff5d80be08a036b9a1cc64

SHA512
fb148192255e370f455540f0af2551f8e4eb598364503ea1ed56acbdd4c3131bc396c652d34623381ad3ca1747244f9c905b80b8a8085f49a12d099570610bc5

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
537c2b59322c396175ef79bae8feddce

SHA1
9ea2080f390573f1b68c31ed4160929478fbb20d

SHA256
be2f738152c9f6670634d903580206bc763cfa80647659d759c55bfc5ef92276

SHA512
74333ae488bf892824df8cabb11e8e6949a2abdfdb81475ff15728dafcafa1f6331eaf21a40791e0b97f67f97ea0fdf904f9e9715e124d685aba05993a8f1a45

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
413c90abc35e75ed24a72c8bed32b35f

SHA1
196516c8ba4b6b3613b8e870d9c84f40899495db

SHA256
bbb15657552907be48783ad94c834791776224da13e60e6ae5aff6a294257315

SHA512
75ae599596e7595b2caaf2b0aeedd29b56b469276abfd5d1738d578119ae11c0cae3061916ebc640fd917664936cac0df75ce8e8d789433a13ba3d496b0c191d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
5f2289d8403e20ac9200ff1c22b83d93

SHA1
3d5fdd939c4e9e4dc9cfd0a3f793d5a9689f9220

SHA256
5d3f185e8924a75c5ba6a9f16f596bfb2bad0946f4d5ec028d85d27fb6acd732

SHA512
1011aa44a577bead3eb11e4e0b015ec1ba22045dc6814b1331e546aad6d233176810f919e0fd33b5437efd1ff865ab6ff872f3a6105acae3a9ecbf2b2d725b81

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bead72c36505f98f16130e11ba0c28cb

SHA1
c4185e09062aa3fc2544cc3af73ab8e1bac83c0c

SHA256
a04b3390d2ccb31d5c0daae15717aa02eadd0fcbc42ee9ed366e74dd84e00a4e

SHA512
4c66a5aaf67e2844b724b49f72d60ec2a68ed6969ba2b260508530980defde2b26d4a5dfe3fd4e36c5cf65390ff0522585d69c2d6eff2ac98474b7e6be827c75

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
a173f3fe405ed9311b5be11f7a192558

SHA1
2681a91aefb145ac9431910a068889f5b272f31f

SHA256
a430473adccaebfd1c190a70a1d6587dad502a001d8d3cef005080c9dac24e07

SHA512
4417ccf9aa743e7307ccce5150928d43301591350f5c05cd296746df3d06b289d08f80afb7a74220a93d2432334713bd7491eb0831a8686af0a950b123b8ccfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1108311333bad13db6eda3bd51d5ddd5

SHA1
ee88cb15cab70b2ed5cedeb3d21060f5997fb822

SHA256
5a18e1a4c18d9502baf847beffcf7c693dafdce07116950ea94d3675351861d9

SHA512
ea9c0b2d578c95ff98fdde390ae26b93fe07faffabb717109591718feef4fec6f4f5e1c2491bb76817ae2ba483ef0d8ce9f0541a04c3728904ae85ec06de1600

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
52efe3bf0941ce1944c23c810b31a575

SHA1
7e184614fbc6877d428ada1fc862ea6fb7968030

SHA256
3435c3e685ef8a072d7583b070e7b8021b8a8655db4c1ba61c3367b2a4191c3d

SHA512
4dc4d0d41285cc16be61dd95caf19aaadee39dcb06caaab257247f04599e76799ebe4f0a1c326e69a6b89457ca75509bedd3abbd831f92188c0a14161c9cafc3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
dd3f26225bf480380572597595104b3d

SHA1
b7f2e6c68744b413b46409022b1c342501b56348

SHA256
3e3c8bf6c87117e2682a0fc4c3ec18ccc274eb322b58e1aa1d4570123f7dc81e

SHA512
8f2ef83dddfc97bd0db75fd8f0d06e65ae465514fc85576c07fd84e2f49540b1b0f0389ef873b55c1faf5c5ed4f2a05d148b697988ddb51d5c1afbaafd5f53f1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
b9bb023a53f8ddf8b424593a895eb1df

SHA1
66e27a07a498e9d5d504edb150d0cbd300a594c8

SHA256
95bf06eea1831723d3a05ba6386f4c932ba088d9f19b2e7d9469aac41b211bb0

SHA512
0e9ad3a4e6db3cac01b7028be57003edecfe6c055141df8680058f209f19cc55a32170ac1f41637f32731252c2739a75c58f256a49078fa4ad726d804bf35ed2

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
62031f990a3ea579d2bf1d451e7038f8

SHA1
22aa934dbc40afc6359560e34cc76241bbcdc5f6

SHA256
e6d1ab471ced993f4bda0ea6d6df0d0b03c45a7b699e9e0b33710bfbad35b14f

SHA512
6ddbb1bc7eaa6546161bf694f93c68f72ea0b706cdef22914e292d3a9477481c454b127b592efb5e5c291ce3628f0ea1973c9e71e63479575709f4aa20c54ecd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
69f99b33340b4cf954cbb746a975ed16

SHA1
7ed7d12fc0b685046d64d496d644349c7f9ae189

SHA256
7fe586a6ed34956ddbb55805a4a2df18c0a913ceedaeca943336eb56f3dc1548

SHA512
2615220053772461ead713a7486dc8b09f99b31a604c51559c1fc4941b5b917f269193a5be8bcd14e5f994d17ba3698823d7520752381d6914d8ea569f14ef46

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d80288228d733d931098ed309c5af444

SHA1
fc7abcd064e923aea0781f1bad9f7a582f030f6b

SHA256
bd00858cf22b7ab7b6e959e989580061c52adb24ce77794c822a07d8f1a8e0b7

SHA512
be3304b2f3d6c0b35eb946ab57cc0c219998871a2936ac53a7ba53a11295f1b509df8aa5bf355da30e9ba461c2ab7174c165076e24e2e5fdd73823b1e9a1dcd9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4d4bcf0bb80b825da07c9372cb24f982

SHA1
2326389ffdd0c49058fe5292ba2d58139e4e9862

SHA256
cd3c9231f84d5089a15dd064130b69bb1c4a7f3a3a36228803b1ffa106d7c43b

SHA512
3a8c2e94978b98b4c06035a54856880b025099ae64e6ac9770ad52001f6bcf6528d758a4682ae3fb00970e92708f9c8778a8c73f15e80c1dcecc11a9d9318a88

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
f6c9a69b0228bc1b65756249955ff9bd

SHA1
e29259f3843876f93b36f06a0e9b257ff88f2f32

SHA256
d74faaf96799b5516e4dabc9a46866c7765d5b62a853d99b24a32aa13d6c353f

SHA512
dfe8c27f33f50b860f0024c4111f8fcf4dcf384267fbf6b1fd6b9ec39a3b9a442795b85ef6e0151f4df4ac711e2ced272b57717cef7bbe9165a631676886f24f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1542447ea768a8f7ff57c367aabd7672

SHA1
0caebf61545cf0979cc00fb23f09e81d30ad2833

SHA256
fa5b6f43987409b42533a943b853b6f3deabaefe8d9058bb7d218f3299f1b0bc

SHA512
ccf70082c776dc060c250d48ad5ce19bb2303bb4fcde392505f5bb06ed4ba52d1e1521f64cf947ea9480098100be9a6ab461d922620c02b416a514f1ab242171

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
d0739e50b135977c8887d04bcaf6bb7a

SHA1
7071f0d9363df216256cae771bc88cfef6dd3976

SHA256
405a6b236a4b0316b294334e9fca92c5048fa8049fb56c90af788380162997db

SHA512
964b929c5e05f5f6b69fdc3945f944d768d25bce78b4781d46dee7d8917b25a42a7e56de29387a360c6343c1853106cce63b1cc4f95f7b0d165ce4c6888747bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
30c7ce30204e39c0917f9ad09710fd36

SHA1
0ebfbf94ab7b31eda8b81764b228a0be267c7839

SHA256
c13c682d91144c4dbdd7e19d669360b6590ac82b5642a8c1f36530acc39e7688

SHA512
f6db17e605b60f0c5f04cf842ac248a291084029b8434ce1fd2ea1968113fd546cedba3ca7fe618d0810df844ba1a0df2f0e134aeb231bf0409139fcc488c29d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
876d35a37dba8408b291e5dd1a3d606b

SHA1
0ccbc8d240e98bbfe07cbe06c3d4af250348c198

SHA256
e21108330cad6cf0d755298f770ced4f47fed30c2c63ef8b013af523c4d3462e

SHA512
e445b262cd7b8931f8d21606f02541250bf4936f57b4e1a6d0d5de33b02fb2a9d5b947dd754f86dc74a6ef93bae4bfb0c3d1647ad9ab6c8baf682f6823da3f9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
bddbdd5c921379fa74bb40bf5a42d010

SHA1
34c60cc5486c546ebce688ec89a5ab1be5c44201

SHA256
866a0caf0ebe29b1941905e8f10611d6083966d89b092d52e3422928d07efe1b

SHA512
efd6b91221af026650cdcdac42acfcf37f2c1bacde4f1c02ece505ee31d3726fc7f22f423d1d47572e14b685250d43469897a9d56eac8b36b5607069b5fd95fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
d54bfd2de891371f873bb5774c3695dc

SHA1
a95bb4e775608f55ea001623656bcf1eca9c552b

SHA256
4f467203fc4a27f8fc0fc8e706cfe5d8bcd4e30f6ac6255e51773174dd38af4c

SHA512
999b8423756e07dc5bd935fd04098fa6490a6a0f752bc65817a048fb5e0a309fac96cf13b21d67983ad0932d1147ac42b17d5df5ebb66f8411e981b935ceec3f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
0e5bad10520982fdca3b6e8730acfabf

SHA1
9d2276e0719e592744d625baec0b6f36b1e16a5c

SHA256
4fea2fb28f05ae03f0f6c430f37e04e807a76a92df4f6562f048b7d110b24683

SHA512
2ef029e5ea165a9f28f34a37ad9880db2762283e65f4ce8d3f82e3b7ba191b8e15297dc74d8f94f578b31545cb4111154fac797d085a3981335a244e7425a1f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
988870df0988b586a68251202029a455

SHA1
2967026be7ef8a3c2eb7ac02347997d3f3c28b21

SHA256
c97103aab6cb31e2f5b507508dc31f35a9cb2ab87e75bfbd312768ebb763cfc3

SHA512
b0ecfb81d80f958a206af55e6a59c9915e2a2e4e13249fb0d31a6e703f61503db335763ef7a2a77e1a11109bd7f61416bbb2c08eb15976a0cf3536050014883c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
e2071606a47bef54d83ec65a1ebd15ce

SHA1
f43da1bc5309e930efe4b64f097c886b3035519c

SHA256
9e2b25fbc54a47521099e020d74f6a864051da2227adc918558e8207503d58b0

SHA512
c55087d226898c357a489fdabf5edb7dc6ca7f9b8ae3846ce4bcd0b999c5b7b5ad78d311ed74718aa6317e424954e694cdd61d079148158230dde34c46efaf53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
3b29c58160ad81b1e7e0f271189c3d23

SHA1
871852d2b20ca1f63f229885cdd3a34c9ee39a8e

SHA256
52b3e874d87a11dd7fff5193e9db55a5a0a49e1fb7ddfb98a45c884af11c5fc3

SHA512
3fef945f527f978fe3c076c9b229e74db6d4a0b0a59c703e101fa561ab71d00a11840558e2894224ed311bc5e05c1fe34073180ce9c4fcb148d3e8f9598a20f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
5529dca93ae7587eb8303e1d2eef66b7

SHA1
b083afd6722e39f52d1217d31fd3ec8ee99b0487

SHA256
f91aa2de5f7f2a31aa2ce1812e3d545bfe9a4e03962740447a8553f323c75a4b

SHA512
e5acab4722c5cf659355c69ebb68126edcb0fcedbdb4aa51ce49f7768ba60d19f26727df93ddbe64647d50eef2a1438573ac07eecf44cddd6887560b4cff5876

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8ae642a8292cf859725855132217df61

SHA1
bb3d8d354e65ed67803feb8c8d4f5500b00587ae

SHA256
668f797c2c3762150d1277526307226ef9984b7bc11060dc3244137bad05a07b

SHA512
97a2495ce2df22959c5486df42203b5c1ce8d49efb3628401774fc92a92abbc91e7f17c121c184aa124581366d9948e5f7efd1354970fabf981ebb60930e9cd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
f568136cd2ed5200de6fedfd314ef46e

SHA1
be8a6c0adce2001a3601aa0d594d6340cc50b354

SHA256
b30a515429ac5cc8e5046acecb13594d5e90e709f879ec805b0feabd11793b53

SHA512
152e002decb458f649015410121bab3d349a8429b2cc0bde008bfc3bba4fed00cee0a1f4428cdfa0bba896046a3cf0d399ad054738e849e25a5ec523818fe7d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
32f0d4d619130ee98f0878092f184310

SHA1
3f4788b36ec76aaaba274101cec9524f82d403bc

SHA256
13b20c605892fe92a03abfca7885f3b34f872066d8b946923a09ea69a248b62c

SHA512
ebedba63a18092bbd95019fcf0afbef33be9a3de8425689f286ad64ebf27ef6dd8bd278d9136a309c40ee7aba566b3e12cc65b89efe2647434017028bfcc902c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
5b51662fe77ce72ad75ad5ec4520d768

SHA1
8e50d614348734fc9ce1cedb06a3957685f64593

SHA256
6eb84fb98fa6fe58598572a853c3585e6e841fdff620ddacfcdfe5fa8bbf73b6

SHA512
f984bdb7415febdd34a348b4db1210311f8b2a17bb95625c1aa562851297b33f89fd544c1911f8b148f2132bddebef0161782a3bec52cf52dcf90ab9e0bae2ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
d6b90b9eeb79f2a5dde88831a2ba8d71

SHA1
516a96e5b733ed2523f45911a48e208cca04a630

SHA256
1b144086e8e1ddb9fea02dbc58461e14c3bd5e003f912ea51b0f6f969fb5b39b

SHA512
d292506ba08051679f55e884406f2e2319ee0232056a2b24e2607a44c470a8e6ddd51be006b68da9a9f8dbe74814a7b667c8f0eb0e410351c605163585bb254d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
d302e257edcec28996db505b20a2a454

SHA1
05d32f502d45fa4ee85d7712161dc1adb6afc853

SHA256
e6abe34f0a395f114e863c02a85eb9eee4318f9810b28711fa14a0cc0dfa2995

SHA512
a323ef1ebd35a2b7ef6ca7ad8ed7d7568cef8aae9279b29d9fcf303ceda9b8241c14e155c9f5129944764a722eae9c73160931596f0abdb2f205c2c60d279a6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
fbe01ddc28df2b1a46e6a4b378551104

SHA1
447affcfc98ad60358f32a2e00b79159d061fd76

SHA256
f4d96ceead7b7d90076a4f8604a0ed7fae1d99477c3183491b2e67010c385593

SHA512
79587d3d3c876005ace44c06dc2f99937195fb420a6e4e45bb86b35028f5de0397f35b77aa1572be85354b1a68d2a138abb854b1a40a9a218ddf9a698a5d4a60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
c13f7ef7335100c7ea7c83d01fbdb7fb

SHA1
5e9887b8d4af7d7a4c799627da58e93c52f61114

SHA256
4143165f890afc0d3575ca8d9611ef323700f288acc3b010ea72c394c039f7f5

SHA512
afe66a16ce5741e8976e51794f68d3063d57f3df0f298ae33f0f94241f8470eb7bb5dfa95f4c63478b751e2ae88edfe38f6079ad78700d99448d3200a0f6a64c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
088dea4e3280edc554763a09f398b69e

SHA1
f0c88773a9d7aa3c1e679eacd21ecbb8e1df5e2d

SHA256
28a06d2b3d2797e73499870c2a6f9e7b8db24f4f394d0d82122b42abba447797

SHA512
aa6c354ec05a97019c4d56e96c3efc3f81c9dcdd37915e1288308efa4d260932a9063b63d40950aaef65f64a701aa5e1155787235f5ddfb42c0cbbeaece7f869

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
29921c2582caabbf37c08cdadb5e4c88

SHA1
bdbae0d40a5c2a3c036d22ca2f5e154bee491adf

SHA256
695360170112537b0fb3fcff719fe99b13deaf7901951cee7c41931b518d5bc7

SHA512
ef3ce7c122dd9fd678affcaae1d7f067ca321c4efebfc9b37ccecd3cf891ffce59b69c72da3b0dc56598d2d5cd8bf18dfd3afd4c908a3362c3d63e77e737bfd2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
1db1592102e0102314b71d43f777819f

SHA1
b67efaa16d6eb9174a04e598895ee660cd269040

SHA256
2b13a7e97557658e3d6e58526bc8fb2ae0c12d70975aa14c4ca37533448bf865

SHA512
b6e06315ce382f7c92c39dcde7e5df8160c675e45b73ef7b9ac57ca462c10c8fc33c71da95a4d0c6993c76fa4168aa9cfde8860f260d66768202133d67f6cba6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ad429c81c45e5bc5fadf24c58a02d582

SHA1
e2c25d5ce4da32c40db183a51ef0a025da56b35f

SHA256
40f5046c1813d20b275475b913295c3ff14afb6525dea4db092316cd5b86ff85

SHA512
5a193d76f13f35c72d5d48e8a28b6a1de54339c86eb517dbd9573119d0052412fa6285c025c26fc02a0cf65d444306806d44cb5d88c65d185ed23bb18db48bf9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
4eddd044e92813e5ee56e4b542ed490d

SHA1
8bb7da7c8f983f638e1850bb8716cbf3daa3ec7e

SHA256
bd32e5abab03f2a315d72020d0def909b354e1f72b21b514c16c78a857059f3e

SHA512
1cbb611eb7d8852ad17605c4d488d188c6b860b91e41dbed927de7ece5ea380f4207a09800c4fc23d8c99c6182d1fd16aa78036ff250c1a2e362c0292aeea6fc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
73d906f18de4890233ae37386e91abf1

SHA1
c5dfabc3b9fa58a77407a747afddb46cea35da68

SHA256
64a456291a66b1187c95181611235979733f6e57b73e8a8fe21467d36312575d

SHA512
84692e3d15043a8f33b1ef90fbae306a2523d5a2fe50769be8c15083ecd5d1272c072a6e77a8a9617e3bc62ac29e477214747164b5fe70dcb7c181947d4cba6c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
94fc2de40c17d835dc4cf9a27c5c5e83

SHA1
cea47c6509d6e2299f5272ad1ce83e5e900d9514

SHA256
c96d520b6cc0b5227467d266c4b21983c1c1b6d0a97a299f92a3613f8c1771d7

SHA512
37e91d9565d33915ad16f440d7445cdff00665e54cbb50c64e9f256d0db9ed360547a52e8ddaffb539cd28cdd83cc59ddc320e63c62fb461f3c675254bcfda04

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
daea5436c29c40b054d5faafb98a242f

SHA1
f51e42fd77ec698221a03e6bd955eb8107066594

SHA256
90d4f20549d2a1d35d323369d42a8ebaa37bdfb777076195b7f5bf6b0d42cbd7

SHA512
ad00f9e2108090d1ea2db54ce11c4f972e91e64c7def145f9449a14b36ba29881799a19627d71e68655b2c893cadbed482c9f8ab5b43456172e1ccb80f3d613a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3588a94e52c425519c2fef2cefecf857

SHA1
85e8b8ecc458231213e4a90746a2fe7e6b6a73ce

SHA256
1b6873a8f9b1272a4aa57f5b154f609fb11cea1ea76fb59daca8254f04af5290

SHA512
a58b7c83dd36ab326c9f59b109723dff4f428681a6c198b5b24d3e4c491f9b04e394e0d4abfc814ac2a7169188da99bbb1c6ef024e6155a1924ae3a80d6f2ca0

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
ec73981e2bcf0f6b4eb5d5620e1a71d3

SHA1
288c9d1fedbd7dff5904da75b48bf86f1a5f2dce

SHA256
759acfd17374faf2eec248d7a7f5902d8ff603d01f3f0046bfc714457f75d9f4

SHA512
53fe84641d56b6ab91eae10b54181699b6f5d01ab936707dd1ae8d440732bf01650476135d93fbf8872591d5f76a958611a78ff9a99c944a73317f45500a10bf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2b56e1b2ab62788db03c8523f4ddd9d2

SHA1
b1fe6a5f886d9524e7f02ff24bfb85631823cd1f

SHA256
b9b4fa2843f4dc12b266a49e7d214fd7244be6db251197c418fb4ef3848c3bd2

SHA512
8e3402ea17e05e6346990cd1ea7775a5d3447a0fd312e8d4dd6d9dfdd7ad71884f12c24eafa6ac129ceca2c5d994f2966a1f58d36b83d0ed4ab3c0d191642bdc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e2322d03079fc25b54ce2dcd4492d964

SHA1
a26fa1e97d0130f939c760d192aeedea074e1d58

SHA256
f70468f902292f4ad59ab96791f1d2da060b9aeb3f8cc58e6cfdbf2172db728c

SHA512
74ad6acc58d2500f31c2a4a4269e70a2c2f422b96c52f275fcaf0c461a9ef332a3078d667d217db77979540bd7c5ebad2a7f72aeee6a7e5b7d51c599e7c88417

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
049019815f73da934d998321db3140b5

SHA1
6aa4117413ec5c0eaa4e230910c03ca564b92ead

SHA256
4a5e6432ab29a2114c2811ca8e2564f60f57f1b3bf812b121837adcd75a5b16a

SHA512
8878090a391c4448d45692de0d12638327fb6c7130d976a5712282cb7985c3cafddd3efd92f3d92a4ef1f4e7acab76d48c8b7383efa8a107aa7252437bd7137b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fefd2ce6897f2e5cce6a945f5c3d18e9

SHA1
758455687b3eaf63d63c72f99e33e4429f4632c0

SHA256
c0bbbaf2e52c184440efe8e1d9a4084baa9aab197ed40c370e779a37d274e826

SHA512
882e83fe55a877d4754340b7fed60af311883bbad64e1d961921482b4ecc2ad9f8451ed101347242d9706678ac78ba09d3701f30870c8e9ec1ad2354f6872e62

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
6b2fcfcd5324635ceebfa1d2c6255214

SHA1
171fe9edf04947f42c0808e88f86f4efc7a9cf97

SHA256
e5583b94f856fe0955f188b99a5dcb53dbf2a75d7014a813fa7e651acf82a102

SHA512
bc854ec7d17db0ea00a09d74f82fcf93f4f0fbd847eae1c134ad6bcb1b821a596cb531472076e5ec3e254161d013fc3b724f2d1e3b0dfba59d55252197dc72b7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
4be4cf111d6031496fa7f813304b75ed

SHA1
f762b255b1bc99094b5cc39f04f37e5291d8dd51

SHA256
8ef5ed2fab196b38577d2c9fef1f6cdd85273a6d1544c38b02769730f070f957

SHA512
a21296746feffb95911633c26ded7306174b06838837aa33f5c6dc63e8eb12068ed8ecbce06199565210d7d8a4ceafe58e92f5fb6fdc7e78a2169f001fc35a1e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
df211efafb771646962694188736c8f2

SHA1
774a9631eb5101917655f08039dc0a47e5a07551

SHA256
9535b370ed633bc307e17038c234014f23d0041931a93f1d93d922ed84e98392

SHA512
b36e8f1cf15351520e77fe1b5ae2f6950a124f698df5e6a84d4c2e5b306e76c1151b73b2eff9ac01e0470c648525f53b03e4af19ada49fa845b85d75b39e1194

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
490e61637d38e5ba8ad3c0acce6deec2

SHA1
28b308d99bc4259879d1011e48e551b3d95d5074

SHA256
56feae4866ccd73156ae074e39cb3d4dbf6ead43e111eb2b21e83abd26d00126

SHA512
6492723be21eea8948ca65791075221e80ef919a06041de6a71e16652b38018dd4e26ac24151b9eda508b44587a449c28b03ef58000d224eab7ec34abd28b6af

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
8e67ce952d2aa34248216921bf9f588a

SHA1
acab3bdbd7f73655c4cc70c2b60c208d2d795bba

SHA256
1a9d0056b95006c235bcc369912d86870817c84de4233ac82fc85c272f2a66fb

SHA512
a41a769c288598a72a5ef6118c68443dad18c4b2b2fb357542959284c239ebd39858ab8e75490b267983a2b782ffd08f801750ebac02d5feb0076b418eb88150

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a02d8f4772779380d95ca79169a9e066

SHA1
9d244bf0f5016dfefb90bcc8893fed321ad68364

SHA256
2e7e0997b8f1acc6aae901efb75e65ab5739d8ba71afb74eb65b9a767ad84c50

SHA512
bebf130fe25ec48d5e90758bf906394e115dad2d80a3a89eecf2e1eeb6d4e2c2b86da5fd3e8e248c54b1777e5b14f7d91ba25e651e4b8801edcb06b93fe01e54

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
1757755816f57bc5ce1c116dc7032bf1

SHA1
ef57bd9df6f531bb75d94abcb2edb229640710bc

SHA256
597b0e4ab4602781c845e3d1a9ceb0f45c3e9985c094f756c9f72bd1ba9e7f7f

SHA512
839e1cca78387b99d62501a574f69d14eb9172e50995e9166ae5abdbc237ac38c57d933f85781a9386d8c0db6bfeefa3b78bf243f4e2e9ffbde7a278c1380cd1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
aed4a47a267caf6afd70909a149a27f7

SHA1
8723cdf85ead5f7ffc909aea2c34860a5a79b9de

SHA256
75eeba85c21ba9b3aca324b2e53c2171feb185dafb049986cb59b12bd63bab4b

SHA512
0ebf9bd6357fbc5bcd9e130bf0d43bf6e44a362d125dcda278ad39267627d3e82c2cb0ea5ba3619e99b43b517a813650a550887fa62d30e85c999785b5eb8e1b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
649d091495fba9fbcb5d2dc428e5f071

SHA1
6042aa8b7a30b19c14c33f3d153b1ef213d135ab

SHA256
80aa75db971415c998278e210cd659207ca5572e8708ebad0f49773abf6f02d3

SHA512
519725c7e3cd3aa0c4fce3acecfcc70a4be73760e92479dd4b32f2c72260b0f9f22b6ca9774f3dee1eae2a4123bdb395ec5b1a952f4f8e9e67dcfc682ea14321

Download Submit
memory/184-83-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/184-156-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/184-77-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/184-86-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/448-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/448-133-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/860-383-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/860-150-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1136-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1136-114-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1136-24-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/1136-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1136-18-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1256-74-0x0000000140000000-0x000000014035A000-memory.dmp

Filesize
3.4MB

Download
memory/1256-474-0x0000000140000000-0x000000014035A000-memory.dmp

Filesize
3.4MB

Download
memory/1256-8-0x0000000140000000-0x000000014035A000-memory.dmp

Filesize
3.4MB

Download
memory/1256-9-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1256-0-0x0000000001FB0000-0x0000000002010000-memory.dmp

Filesize
384KB

Download
memory/1852-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1852-71-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2096-154-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2096-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2108-101-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2108-16-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2164-169-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2164-574-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2332-75-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2372-425-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2372-157-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2388-40-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2388-34-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2388-124-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2388-42-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2480-138-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2480-370-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3452-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3452-53-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3452-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3452-45-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3496-122-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3496-236-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/3932-427-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-161-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3948-160-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3948-96-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3948-88-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/3948-94-0x0000000000B60000-0x0000000000BC0000-memory.dmp

Filesize
384KB

Download
memory/4092-568-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4092-173-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4092-119-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4484-174-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4484-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4564-115-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4564-168-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4856-165-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4856-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4908-56-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4908-69-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/4908-57-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4908-67-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4908-63-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/5108-102-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5108-164-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/5108-109-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download
memory/5108-104-0x0000000000720000-0x0000000000786000-memory.dmp

Filesize
408KB

Download