52c657629359928d335faf3305132f8e9e927df1f416079953adbc6e2b3f5c66

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
Size

1.7MB
MD5

2402ac523f9a0d195ebff1d49b320747
SHA1

478adb9d6c0b62999841420f6bbb14cac74cbdf2
SHA256

498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a
SHA512

54f6a81e0f5a9fe190d4a902b32fa21dde5f4e86d1585e755bebb944facb21dfce44a6432d1c01158a6d29b2ba248707d66236ade3b777541e500b0b6cee917e
SSDEEP

49152:9vGC97fBQX1DP0ZkjeZRULNiXicJFFRGNzj3:tGCRfBC70ZkjH7wRGpj3

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4356	alg.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
4240	fxssvc.exe
1612	elevation_service.exe
4248	elevation_service.exe
3228	maintenanceservice.exe
3080	OSE.EXE
3624	msdtc.exe
396	PerceptionSimulationService.exe
4204	perfhost.exe
4648	locator.exe
3216	SensorDataService.exe
1520	snmptrap.exe
3948	spectrum.exe
3176	ssh-agent.exe
2968	TieringEngineService.exe
3248	AgentService.exe
3656	vds.exe
1428	vssvc.exe
3612	wbengine.exe
1052	WmiApSrv.exe
1476	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 29 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\465b9bf5db05c3ba.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\alg.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075d033f7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000837540407d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2587f3f7d55db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc98fe3e7d55db01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c07af3f7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d332783f7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fc2e63e7d55db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
1612	elevation_service.exe
1612	elevation_service.exe
1612	elevation_service.exe
1612	elevation_service.exe
1612	elevation_service.exe
1612	elevation_service.exe
1612	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2708	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
Token: SeAuditPrivilege	4240	fxssvc.exe
Token: SeDebugPrivilege	2876	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1612	elevation_service.exe
Token: SeRestorePrivilege	2968	TieringEngineService.exe
Token: SeManageVolumePrivilege	2968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3248	AgentService.exe
Token: SeBackupPrivilege	1428	vssvc.exe
Token: SeRestorePrivilege	1428	vssvc.exe
Token: SeAuditPrivilege	1428	vssvc.exe
Token: SeBackupPrivilege	3612	wbengine.exe
Token: SeRestorePrivilege	3612	wbengine.exe
Token: SeSecurityPrivilege	3612	wbengine.exe
Token: 33	1476	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1476	SearchIndexer.exe
Token: SeDebugPrivilege	1612	elevation_service.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2708	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
2708	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
2708	498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4632	1476	SearchIndexer.exe	129
PID 1476 wrote to memory of 4632	1476	SearchIndexer.exe	129
PID 1476 wrote to memory of 1608	1476	SearchIndexer.exe	130
PID 1476 wrote to memory of 1608	1476	SearchIndexer.exe	130

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe
"C:\Users\Admin\AppData\Local\Temp\498ef9748dc6e96db88710804addbe0025e6a816e6edfa6f084a7fc0e92c737a.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2708

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5084

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3228

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4648

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3216

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1520

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2788

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3176

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3656

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1052

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4632
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b75fad91cd2ebf441c8cdd9ee663eec1

SHA1
f2cff7c09c2e773af682758875b0811780d616a5

SHA256
0a404b77193a9102cd3a775fb5da546c0edf51cfba7f118fdd8c2aeca50c051f

SHA512
9db89d6e7e8ff8f74c919ba2dd8638a65b61f8a2d9795661e0e4e9f1a3d7f316674626f35449956a782bbff6530bb459970dee58341227d522317f8612561c0c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
8f78f00e955fd3a8ffac32621f699743

SHA1
4f1347c6dbf4ec661f74b079bf0dfbb11015ad44

SHA256
8307a73570342393abdb70210bfad4b384de52860a2b47b234d438c22cfc10a1

SHA512
d8f327d121b4301a1771c0d18fa94d1e4b0912e34eec7f977f6b0954ffd85d9821e6c30fd0012c3ace5c9e5df30d57f1dc322bdfa37da42a86f9b41dbb9af5f3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
395e8d288a6b7773c1a997b9a723becd

SHA1
d6726a0e36b12ec320719c56dab8f87c91b7f517

SHA256
5453478541dd9a8227b3b44c17976eac19ef53dc742d1c659f4e79295f66df1d

SHA512
e9afd2a8eabc821a16ccf008277f11e8aac3ad4a509455a2884eca68c3d0818bc4a2a96b6f8e7daaa51015cd608178d3c739659e9212e9ffbf176226ae86dfc7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
55f999ecd58386f2220d3720564b4c5c

SHA1
f7808456078526636ddb5ed94687bd19914e20e7

SHA256
2f4bb10f46c2f79c7990bd899ae6b5ea2fb4d108033285ff96dd5df548854cc7

SHA512
b530cb59f5571ba1bf0bdcf53cd6c9b1800ce002f7fd7e137dee0c02354640d9d7803347299324cc8ea9a4ddfbea0c83d8b3e68955fb272e4356b485ec813cca

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cc2ee02aacd5602ffc300677859ce4be

SHA1
afc79208b5c512b22627a2ca556cdde6062cc3be

SHA256
5e028533b467c20b70e0b4f75d3b0a230183d57de81663355ede65c97aedc069

SHA512
3098de50d38831e82a2578f98f4d9e91583ac4f4b4295612713c307b7cc8fb08c29a977e64da6a3d98a7895b0f7e5a5555cce88e27020b78275b986dcb19f4e8

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
4351341403f90b531755b48641330a1c

SHA1
c501f2796998fa13577d40e86094b9502a6ba864

SHA256
b1e726dfd217ef6a02fd20bd59eeff436708b2f1174bfdda1fbbbaec338904fb

SHA512
1621d7062d4a0caabca92ffa03ddb2efc53d060cfe919ca547ded5c031420bc67fb78ee431df453696bfc4cee4044087c6bc0572600fb6ce719da82ed9a4a041

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
b44bf53954988ca3268406a22df4a13d

SHA1
6f63b7e25759d841fcde19672466c9f4ae8c5a49

SHA256
59fb3bb4a6c254996f102e5bb1afb50eb62874509741c1a9a4be0208c2d85ae7

SHA512
47e54c1ff463a81eac039bc163f25d5666b4334313d4fb9e34da9104585fea722127e7da976850613907bf9b5db94af1b60384824ec5175a2a12d35c1c596b2c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c0365c7f0db2fe186488e6d6c65166d3

SHA1
6316a317a3e58d7c284670ed4cd6ecf4ebdb2c9e

SHA256
388334d05ca4f077cb226429ea7f33567a3cfb4acd50e71988a589600f416076

SHA512
9b13417aa9963e8f8ac4ff15952a7a5810254217fec58ecf1795b7492f0020a6231b9fb7ce873afe672f7b853623d5fe1a25014029f376687bc96b9f27bd4751

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
4cf6d82ded9128cb3aae5e36b10f7cc1

SHA1
87be9fed7f19b566d74a949e4039c871b2f9e5b8

SHA256
59bce55a2dae03aa91fd5a9e62f7c2218ce22b4af2b6d4b137eb8c3578752064

SHA512
a09b8d0e99d7dceb1dd1b4322ddba29606e2776f50e8b00ea79baec0b334a1bb2955b8883db056df729407c7d37e29cf8e31cd0c7e8dfc3cebd88b7b8bf05832

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c57e03af3a899a7734d3ecec48b2b293

SHA1
70dc5414668656a7a954d7bd73730bc2229017c4

SHA256
c10b189c65dccb3da47d833e900059773dddaed09679d617b308b4219dafa695

SHA512
85847a91a9bfcd28ebce52a325867c1201bc70c68af4fdf7b52af5179d8f33310a2044a8458caac428bda96d3ecbcfecbd3a050c9b1b06f2c7972f30cf56eb1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
82dbfdd140ac4064257f2e7c4ff09b25

SHA1
0505dec16df28aff92af765eed46bf6fadd1071f

SHA256
32b8a865d42c1d5c6ead302de237dcdbe4b728e1f367d4ae499a34faab51a513

SHA512
86be6a1eb21b21fcd16c5a44cacbec9d3b21fe6254f68795e2e641a653bdbb782d21c8acc0baeaa054dd19bcad1fc313f2c1308a4c8a0f0e3c8d971b8bd85fff

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c1d6f7e71810538de090988970248567

SHA1
733ac8dfc61e86418a753c9013455b8f1c34aa3e

SHA256
1e14b84c13d768d7af5ab5f7b4301174684aeadd6833acd9012fdb7a0f7fd733

SHA512
8cc91dbdec45fb5423d3f80ff15a1530e507e7b2d312790a9b31b1778b990fc19f5eef3c7939ffdca06acf65bfec1f9c7df2f2cda9f4e7cf5760435f735f5bd9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
ece93a7c9a8a1bf3c74155f42f9bc317

SHA1
1a0ed90997b140caff1d940394a3ceca3a78d2e9

SHA256
a1a3133c82fb3ee8e689bb374fda921239d13e7049e007c117279cf6c196c14a

SHA512
838188dde3e45d02c79df10bc0504f93681e009ca70f0eb2a77906dcdd6198994d0ed89c62e4e4e062a1bdcb8c5136d0a1362058f5368c62113bf3723fcb2c27

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
df2ec039968415a33aa287371f7a96ea

SHA1
3b94d18ac3c4a940327f6307237a7a3b82498aaf

SHA256
f5d8b6a5779f787137a9633d212cac98dbf739e11cffdb744932f77a8d6e5c81

SHA512
13753e660bf74acbdfc4932c30fef9ca32d23d4402379ecaf00c12a46119f408af00d6b3eefbc331af9f0a446bd56c1544a8644508268a8f304033e7707a0c13

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
e26b5f849d9060a33ac40bcad4f69080

SHA1
55483f48754d37969e516a357a7a3189c99a8706

SHA256
44368d03e537068ac3049a16558ca28f6d10cd91b46cebabfee3bf62b470a1fd

SHA512
de620110e2cc6ac4983023853f6264030bcc6c35e4268d162a35eb570378aadd4a3587f2d18b027afa0f58e505a93744e958223c732fc414374ad7b8663de3af

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
1c0454d40adc54b01e54f36e01884af9

SHA1
dc41649f5717805841ba75ff9888f646184432a4

SHA256
724759ed886be52eede15e529114065ba2fcbf946055b0964d508620fbde1928

SHA512
773bc4fd00f027e74963f5ff32d55b7ed285cced17584a4cc3daa4d486d1f882e63bc3ff7ab09ab7576cf1a2e661f095f49cd33f4878ac9f03c4b53f050026a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
9b98f2d70bace4f0dd59f287e46d7d4f

SHA1
90788d4c6c0c386cb996c333550fcf31302d2507

SHA256
fbdd6e3cc4b78bd755bfcb83e886432aecc4353c9864395182ae5d05bbd8ad28

SHA512
58401f4173f464c030332d32794b8130208a1a71c3a5d6dce5710cf5ecc54fca057f8a90486c90d4cfdea5dbb5c868e5cd6b7eda741d2036c658178d97748671

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
eb4eca92ed97e686e5f66b126301460f

SHA1
9f4309b115a52170800acec3ad0132457d22683f

SHA256
f9597774931ff8d6b51d341cdfaac228bdc41610dd1287ee703fa972011676bc

SHA512
2a65919e1cb92b2c9a1da21f50e3fb4fa9bdfe438ed42fb4ce34afa012561ef457874cf7357a903aa5183258a287d0f4433b51346c97220dc044e584da3c43c0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
f0e4561e76967319a227b92c32be747b

SHA1
d185ddd35e1d967208a7e05919854d76b8f1f8dd

SHA256
8fdebe7914e58ac2b947649cf8a42089715739ff28d1f069c9d6b4b3bf5ca30e

SHA512
3eec4932782921624aa1ff2be3981b4b0c36259dc152dbda0cf20446eeab753b65bef71340584c2198377583c6f03bbcc9bd79da0ae71761c8ae513a4604c649

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e85ba57630aa72cd0ba89f1931d88a3b

SHA1
0a5dbffbeb2f1a9b932ce9af45d06b9a97bd3332

SHA256
2b6c1de8a1d6040fd2d53a981d71ee0adbcdb7bcda0e319565c74a10b41c9201

SHA512
0c8dcdca968f3c7cf52e55a3db720d2099dc1392d0d691263ccbd6ee8cdd29e39586247b6465e7745356429285fffc5bbf1ff9cfb3ea0c2e4ae20200d2d27ba8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fc94f6dbbac3a809d7c9c1b907b2339a

SHA1
a19b2ea3c203b62ae427c34c6da808fa7172e431

SHA256
75a6ab1b21acc594ffb204e03d6872f35a84d2f6225789ceb63cb7efcb9233cd

SHA512
cc9a8ab0edf2d62314148a18e7213a2c6fd9bd77f9e47e844f3cfbb15e67afc8be78d5299c7870d120d3c20d054390244e912ff0c584de884479c0e5009f17f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
de1e907b5c01c0e172772ffa9dcd1fe6

SHA1
d01765f508f686b83f7e550b3ef068cdd016ac9c

SHA256
2532335bf2ee1bd4eee72530a3629208b098f3edf3d28eddf44d429089c2c26c

SHA512
dc51b5036a31fcf013f23b84c2fdbf88304e2f98781481d1610c59cb3fe7c500080c1bb8e5e969e098a94651d1b95acc7239474e226f00fe7e0750323da91342

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
995e7eeb63755bf9b0714c8b8fe1fe02

SHA1
49950705c87c71d6d931b34ff4da85070511093d

SHA256
6d55d444fc1e13a977a56f63efbebdfc8032c3caf4228f194d23b75ce7ce84e5

SHA512
8ea2bc391ff5a3c84695a22fabcef6d2d165d50f238d44c00c784ac15808a549c83095b873ab9c2a77ba7617e37795d03f0759398bdcb067acc98455f31c01b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
8ebf48c8458c69f0c4c759fc8d33d76b

SHA1
808dfa0c18490a01d2a54af687924f4e0f3b1bab

SHA256
24f7569aee5f260242b61573ae65aafe0ce71101a4987419b22a47ae3ddbb94d

SHA512
e2c350c5b94ea16a0509ba2df994f7badcd785588a6865319cbfab34cf7ec1b1db1be2d37acb5d9a050bdc34ed31282d30ca6bbe4bc05787b1d9345ae595a80c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
052d0daa409e528505fe1fe219ad288c

SHA1
6f56d46e2de42317fcedd71a092a1228ff1f8457

SHA256
939a6af2f8922c3a3c17c1551753cb061d46924576e78c733b4cfd199c56b6a4

SHA512
26a614db72e82b8bca1ad73ab5b0ca03e4bbebb689141d6532d35e48c799169501450ac3d8e864b13fd61f4ae819bd47fbd1653ebadc53095f1adfd9266b967a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ed16852c48db0b99c1779975b5832152

SHA1
e878a4f0575eabf6b2ba59ce615a32f04634350c

SHA256
d358d165b8a61c0de95a6fd4fe4f756fb42c71d47a93bd9c6022150b734b228b

SHA512
e3c1fe1bbb490f34301d884cc721d01e7608475e5e9a0cb3b633cd0deeec5790cee6f75cd3cfd35e6bea65c45aea2b47f66ca54cdf9eb9aaba00e0b0f51eac39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8b31aae160cfb6945e66de64fc9d836d

SHA1
8369c9802a7b0b14d60224bc3da88b15c8fa086e

SHA256
80f489f9b809646c2d0a118f1ac5cac9f676265cb6751fafc3ce845c58cdbe97

SHA512
06a1f38328cc982e3edb53ec6e57bd40550de9b6451b8011adccec4b478a9b02ea7cd2bd74aa9e7ebb6861abd1c258c619c8490d20d67044c0cf2096158f27e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
62c8f1091bb36a11e855c7853a7f708f

SHA1
c6364e62cd90914e35d0b73292e8c78e141ed3bd

SHA256
70176db02288188863d47c519663308d7738ccbc1e4c77ffc30bcb093d218375

SHA512
c658d1732e36d97b5cb8eb9db1bf72ad93e5c7666896a93bdb1806c3e2f03ac7c467be351e02cc71167ca1d85cd434c8d4223d98749d4636c58f8c9f7eac3c99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
dec7bc198e5267b94349974457590629

SHA1
66fcfdf336be3136afebb2c7e6fabdab33b956a8

SHA256
0a69add30fa88ba97351e8bedeb7a3ba929e164a6a9ac285a0d04a0249f0a74e

SHA512
01a46d76692b2688e05b61f2c1e2269c29b0b65d3fb849de5adaeee58d51da3f6d5481811a526906f6cc36af531af23896df29f9035c83cf7178d3693c5f3799

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
8a9f4588879d5dd47b2a7a79564e00f8

SHA1
c739ac87b2d6083a4e3354b891556c0150a92ef3

SHA256
7238b06b2bcd763001684917830fddf27789be5b8d60ace2e07a88460e42a89d

SHA512
8d20bc687e5acaf3c88991dd910a331506153370b181f9bfb1d5da7fde8dee460976f387fdca45ad7f03ef2caeb8a54c42200650b3a866721a09c3ce5bcba008

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
bdf6c87687d39838a6be23c99224e87f

SHA1
302c146d4b1dc9e30d35286f21205c66073deaea

SHA256
f8f1c7cdb2349e39113ecb0d2ab4bf7ac3dbee062a9e33ddf616738765a55b2d

SHA512
6c61d6b06f77f5989b6ead9a1dee37e0e61ff53f7c6a9a2f16db83d25bb059deff65cfa93fcac053e8573258c79a39ee028490e216e47b77a8c7daeb4504e97b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
f1ea6553f24a07763e6e180b30ed30d0

SHA1
a6692c2a62bca42b280b6ed01936497c93aa0f4a

SHA256
19a7249a4b1b206be38f4a2de80686a1e89d26e26055d0d7f5183e0d110f067f

SHA512
de37cd0ece5ddbf185da69ba9a0a31265338d88c5d1a16a7b3d739f39bc9013099750b74298ad84578a34446c4b6b1e5f068e97899e1f2da05696a1a815c4217

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
06fb7df6c45f5410b4fb35d2fab319cb

SHA1
5198cc12446424a28ed88a66324a01029c6c253c

SHA256
a54908dc8300bca66d417dbec3d64fb70e789c3ed95e80e1374325b1e018f397

SHA512
e4d32b6f822ec3ddcf22541864701468460fd0a2e2ee7b78d38560f7149d34db822f6ae1d0d98251a18589257168abef6d1bcb088ab3b7b48233c8e51935daee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
04acfd229eb78c71543f3a6a3618c823

SHA1
be857a1c976ccc9210c916a0d1af17c5cd46e67f

SHA256
0ac68fa8bbb162b0d76583794b6eb6646a7afc836378517c4d0f189682fabc12

SHA512
001f2ae1be9477c2f281720e5b6763c9325479cd652070a6e59cc9fc43aa09e0911b65ed446b088b25db3ac0937d9b7542d3de47125917a63168812c99a6d91e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
25d0cb238d91b2ea18ac160c8cb644eb

SHA1
49209476f737d1d41634408e1997fffea6432f7c

SHA256
609b5357448e237e48150f9a4dbe2e802884b41c9712c87897d66ef3a5136181

SHA512
a71a71c6d50fc05cc0b5391de9dc35cae78c20473b3a0de39e620cbe2d8a581dfe05fe1d36ba31417d5c894f8d274e157ea909876b92bc878ee5e52494a4e4f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
346424b0c172d0df07d2898e6a73c4cc

SHA1
c5f666721a95b2536b63ad5c8270d39603324d20

SHA256
7142e94d7a2b09ea637fcad438239878bf0538f2333955809431ebd87aae119e

SHA512
bffd2ba2d19fbf010a014a2b8645df1d0d401750e8705b920618dc1874f44ceadc14af1512f74e9ab4406d6f183eb5289fa2436222dc9e377b99756bd402a885

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1ea3424e2e4cabd95985a1a40cb18655

SHA1
201af5f8fddc79ca81caf220c6100b962f83cccd

SHA256
b59c77323d55806a0d2b1725eeaaba04acf850d25db539fa8c4db58c3bf7732c

SHA512
928954a4f1e1835af023e0bd3cd341d3cebd10a03a07f766c7f67509e9677884b0b97d4c3bf9053635a71325065a4640dcb7328264884929cfe16f081ef746cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
eba47bfcffa4b8dfa7831b98d0f7b8a4

SHA1
474f9277cae41dd03d7ee367fdd4cef9129752a0

SHA256
fe27027db7038ef0710b5fe73929040c08d76547ddc65a21608f0b8ad417a532

SHA512
5a8eef851d7a52d6bb5d17cf982b0febe49873972989e586ae039fb754f2f9a39cffc09aaaeb9e2078ac186ce78c0398de60bb5413b476ce6e08846041fb321e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
94bd0eadc81594a390b6ddfb46dcf8ef

SHA1
76a01b042652888ccaa9b0a13eac18980c8454d5

SHA256
fc80a851215b045fe2dc459c681e01653116fee87dbb3fcbf00e2c2606ae25f2

SHA512
32606be93308c4ab785c3dc42d27f6d3035c287b33a797fdc74fead18a0da1460df611f7f997c92f0030649ce971b979fc00a8da4b2d58a1b72f63d7309a990f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
c01603ba1246fb93b390261386c34f48

SHA1
a31401cde1438f6ce97f98cd8649040b4920e06c

SHA256
b283499f868ec410cd714ada8226850492eedc1f0017e16db3ed2c6b33bf488c

SHA512
ed50e3bf546b0c67959f7fa523f13d77d5ac85ef83eae36576744cfcbcf9960a5f0a8587145d4cdfde9882aaf27b5cd97ddb3d6ef6d573b78e0f7ed283035e9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
d5a9bf6045fbabc0c94b186812dda0a2

SHA1
606f7072c6ff897d60acbeea1e5ff7555ad1d25c

SHA256
5c339aaf77e34e29b7f0aa101530f3e9b95632250226598e8aec580282cc5fb7

SHA512
78cbb88099394a3a180aaa78eb92e0159867114dd3870b314b2e878a4cff38017a5fada26f420a94c92a945177d3735d1ba9421f7a4305ec44fa027339409f3e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
32c00c6ef7b637e9d69334e33609469f

SHA1
9a2d3fc7d4b3ce65c2a0fd55fdb336a184f05d50

SHA256
a06b5f0db7df8ab68b3925c113f1ec3dfb9fbd56312254d6246ceec0fdaa484a

SHA512
5dd1c4df0ac9588aeb1d7a2229243d82498d91f479b673f2668dcd603e8d11f01caf06d7469a73acb92ba189e1b02a7679fa28cc0b52d07a9ee7b72c63a97f32

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
68180f1efab9d28047889d3acef4a8ab

SHA1
791c60bbd7402cf5fb810fd78296cf96dc2f4f03

SHA256
cc64d161fee28024767f987fce7d16731c613a18aa3877a80f5f1faea2b5d31a

SHA512
61bf02fd7af781146419c1428e3c1d90335a7656bb370007203569dfcdb03365bc67e8f454d6d8cedd1220f83bfb53adc743c72c7fe169f0b0824f20f2a5685f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce0e56ba064821edc69b09ffdd17ac03

SHA1
d9373be36d850abde3c29677baf179a515aa4f82

SHA256
9fc70719b94d2bbc275cd5bd228b41a5c16dd97086b09fa5836347e3a58b9833

SHA512
6948a24704cd9d364bc24f3a7c852c8a4101f56c9adf48b58451154268f77c8b335672dc5f4fdbd319b85647ceb5234fa2a976b4c2d2107c9ee7cef6d0c99456

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
89fe9164596b1a54179a231c01b2de94

SHA1
b9ccc8cbe77978a96c40ed76a5a86c289ea171ad

SHA256
6edee18cfc103ecf7608e7f4070093ce82e28535cec84b9a1fb343eda24c10d3

SHA512
c2ca7dda168e23156f5efd9f8f2fa8e1a25f718bf1368c37c922dbf8254e2717630cd43640e848689ed88e6ff7e935f8e9f0f89fcf7105990c65ea9d35c635ae

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f6256083d24b97074de797157ddbcebe

SHA1
e809d82689251feed311b759b30a09e3b140aaaf

SHA256
4d02985ee6a21ed229a03b400954ef78de382eb764de48dc7c23f6675c18b083

SHA512
7180c220d2e93e553d5da85f52b432a18d70518682094feb90708730d2429c886b8986d57723393105314a0a2906dcf4c1416c7461fd21eaf9da2b29a0939341

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a28639638acea02576409d73f57ab888

SHA1
c6e69334e3dea94af37932f415c934c54999e5cd

SHA256
23f722d87bec9647d0f6b35f8ee4abfdf4f77234541b421713e739a9f1d416b6

SHA512
53c8446f23e06985dfa0f4b6ac27dd94054f532aae8de993f26abd8d14a5071ceedaad6f3e711a412623df1fc540e9a3711807689525d65a3c977547d28cddfd

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a6bd8cd9f1c465072a13f33b53d364bd

SHA1
1b5bc5cf204bb9c111b8f19b93db8bba5ae552d5

SHA256
375bc7f013a4a03d5a46e017ff8301d413f10b50a9708371b492dde6599b4e10

SHA512
4c51b9d9a1aff89c402a9552c4bcba65bcb29126d0bb6b5331ab41c37595f4d9d13854a1fb87be287d2deb964195b42f619fba41b9f03293f2f05267fd372d03

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
a1fe3f372f78a3fdd64e924ac7893b04

SHA1
a24fc224e25a09dfc6099801e480ee382a3be001

SHA256
8fc5cd4e04c00065bcc8dd296abc9ce59e5f44f1477f71188fb7da5262b789ff

SHA512
ecf2000afc3276b87d99109baa65bce3f139cf49d082a03c3a48f19650fc61dfe93bcecb7ceacef4585ba66220ff95919c79e2409c3f441d7d9f5ae76dded9f4

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f1daf6ad7d875973e757c4c4c388403a

SHA1
555df3a414b7c04f74d456150b996961fbcab08e

SHA256
68251f7445f66103f76e6ad5d66af0eeaad0fa361c36892b9f9bf0deb72ed9a6

SHA512
58a2c94d03f75afc18fa6858e5d01f32092e0854c1d0864b466388c0fa52dc6fcfb60d91ed09a4421f57bdd3fc564a8b619a4cf71406504aa2f50eabb432f960

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1013aead1a93985e2796cce14d558b33

SHA1
2fb3142089865ea97fe6fa37206e2db087808844

SHA256
6e11218f1d280937b59bde8112491c337d058525aa90e97c1a5ed0e116eb5799

SHA512
394a5bdbb10a2728d3fbff23386edbabdaf3f1407f5aa567c82664ea666b37cb2219e89112a9ec07d0dbd967ee3954de318ab56a364709f899561f448c8608a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3cf5d3d8e0fffb93006dfe87322a2462

SHA1
d0626bdb87bd0221238a924f0102b7136c4807dc

SHA256
4038bc55eae39ac20cef0090b47fa5796cfbaffe964211d73d7a60dc71b1de1b

SHA512
4fce993b8178477533dcfdb86e21187398338846e3bf0d9c5c9d2c8a7349592f18644b4f3b8353f6a1be7d40da788c7062804d0378f79860b2b2df360b4c0049

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ce08144260443f059bc48f14b364cecb

SHA1
46dfae42cba0a0ad1a6224738abbf43fc77075a4

SHA256
17805e7731fe97d31086be8e23a4a13c0c613855afa28867afb96c12a0781a02

SHA512
dd65d3917715c37b3280229a090ffaeb2c1c88202c9fa8d2698145e5ddbf68949e14f4e55430a2441a9e3079c80de631056886fa38ef8f6c9e98e319f33a359e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7d8d4a19ed036bda8eb1565a7d709331

SHA1
a8bdd9213fdcd244c86f45a7be71171b7218159f

SHA256
2274947c23c72c8db8d6a89e5531858ec41445db3024edd978056505f4dd9bc9

SHA512
bf967c1e6f5820cbdd2ca0e10a84bef18643e59814957e990c6fdeadc1fdf1cc475eeeca6ac1db7c91a21d566192c6d637953d330566d52a589356fd5a416c7f

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4510bd2243e25660d6113feeb02add8a

SHA1
a3bd5d939676855b9cefd955f761ff88479bd726

SHA256
1f9c34de212af3faae2fe8aab761080825cdf295be5a3e850c963cd9f9f8b784

SHA512
93b9c114fa19d7be436d2ea0778d749fc14ebbc951ee24553453dd9dcd445f409aca3a387689b240f01c5b7bc70de71a543e1a8d631c5d11b612032f8b071f02

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
df8ffcc0e668508c7cbbf26d9788005b

SHA1
0ea2435fb71416dedab5aacce13399d2461cbecc

SHA256
e22dc10cfc144946a06856a5134eb4c4076a454bf6449a9e71f6802b25bc0964

SHA512
fd784ae7a3ffbb1a8e694489b3505b7dae04d76a9392f5dc53e2ec1ebf3a8d1ae808e5724f3fb78107712c8d11b4a7396a1a8be9c3654944c04056041a4de92c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7584b156da21b420221aaaae315f7cca

SHA1
a4bda3f9afa729531a60ee03d50f487a553a0f95

SHA256
f7f259268830270bcec377a032b4be4b5ba63b172920f4568bd928c77d09cd90

SHA512
8186c451e54f561c523e1598de3e031c191a520467842ac5f05eadef2d9a0cd0fba0c0ef97fbebeae0821aa1e14f4affcd8a715f29c98c918fa96269f6e51990

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9337dafd331aae87f7141067c5ddcb6e

SHA1
50b9565fbef9a8f042c6289ad7b9c63a68ec75e6

SHA256
ccb1c50d89c76f5b243d20fd4cc1642ee7857b8e66a60548739731dc44385f16

SHA512
d7817450de600816d51787feae2c9d0bca866689412d2746bcc7f824533d50eeb77c36d82b71ee9e1ab5c3876ca9ea2ce44926aa108cb17e033abd1f1d21c434

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c54c7b206b0a1ab7817c02e2b15de5d8

SHA1
5d2f63e8f59d5dcf3a0aebd38619ffe94f71c227

SHA256
10f396d781e27959614d8f0fc9b836af1f7c0a25ecc1adca4a749f62965dcc3d

SHA512
b9b76d76f060c2ed0032d5b6214c78ecb4db3e6437a7f0d113af7b9a735a95f1baa68e9ec8405c052a3f621ea1302676ce499e829a9fc275928e90bd76f4cea0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b06be9bb38836eb5daed14abf3cf9427

SHA1
e4791f0a31beca5d9f7c8c4f378b3683f56c56f5

SHA256
1b2468f1ac3a42a6e497037239be1a5ae85666a2fa63c376844817cf14ea791c

SHA512
0b0b67033330edce9e8a03080335f2542298e8fd4a6ea90a6e11f81cec19d015254a95137c50c7e1c47f2964dc38213145ac6f6812755518e495b1340cc17c87

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f3e56e322ec87de082fecae6dcfb1d1a

SHA1
52e6855a1d8e0000e7575f8870842a7b97f9ee8a

SHA256
d401235e67cacfdcc9f17b82f190205e8ac34cef591442c56d4accce7f68af93

SHA512
7bde8468b111b9eed577e450f94a6c5ea34f8b5960156aa9d7b2eee8a30e363ca3984f2a719ee8c0d6202730510d93f5165b48affd8957409cc12fd6849dff6a

Download Submit
memory/396-265-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/396-258-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/396-323-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/396-264-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/1052-568-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1052-332-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/1428-324-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1428-564-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1476-346-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1476-569-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1520-287-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1520-410-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1612-241-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1612-32-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1612-39-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/1612-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2708-1-0x0000000000A90000-0x0000000000AF6000-memory.dmp

Filesize
408KB

Download
memory/2708-0-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2708-8-0x0000000000A90000-0x0000000000AF6000-memory.dmp

Filesize
408KB

Download
memory/2708-57-0x0000000000400000-0x00000000005CE000-memory.dmp

Filesize
1.8MB

Download
memory/2876-16-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2876-240-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/2876-17-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2876-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2968-433-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/2968-313-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3080-82-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3080-75-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3080-76-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3080-243-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3176-432-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3176-310-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3216-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3216-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3216-345-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3228-59-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3228-70-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3228-72-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3228-67-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/3228-65-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3248-317-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3612-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3612-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3624-319-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3624-252-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/3656-562-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3656-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-290-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3948-415-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4204-327-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4204-270-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/4204-271-0x0000000000670000-0x00000000006D6000-memory.dmp

Filesize
408KB

Download
memory/4240-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4240-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4248-242-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4248-52-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4356-235-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4356-12-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4648-331-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4648-280-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download