a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04/04/2024, 19:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
Size

1.8MB
MD5

7ccc5275883128c8a4ff3c5ac24cb39b
SHA1

8a037eb6c052722727e1e55341ace425274c4999
SHA256

a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3
SHA512

1e3c3fda45637afb230863d88ec897f573cc86f7f2067d6f267375bb57d115fe300fb42789fc5b94cc19db7d84f674a7be093867d5100131ac4b21fd11f5e91b
SSDEEP

49152:FKJ0WR7AFPyyiSruXKpk3WFDL9zxnSuctXdujQzfkrh6do:FKlBAFPydSS6W6X9lnFjoW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4480	alg.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
2184	fxssvc.exe
4588	elevation_service.exe
5080	elevation_service.exe
760	maintenanceservice.exe
2144	msdtc.exe
2216	OSE.EXE
3060	PerceptionSimulationService.exe
2528	perfhost.exe
2136	locator.exe
2848	SensorDataService.exe
1492	snmptrap.exe
244	spectrum.exe
2088	ssh-agent.exe
1028	TieringEngineService.exe
5040	AgentService.exe
2044	vds.exe
1460	vssvc.exe
4336	wbengine.exe
3256	WmiApSrv.exe
440	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\System32\vds.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\87061761205991d4.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\locator.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_ml.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_hu.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_pl.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_ro.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_ta.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_bg.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\psmachine_64.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File created	C:\Program Files (x86)\Google\Temp\GUM37C9.tmp\goopdateres_uk.dll	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003dc7ba86ca86da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012dd3588ca86da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7edc186ca86da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bd78ac86ca86da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000291f9687ca86da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000098a31b88ca86da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe
4436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4296	a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
Token: SeAuditPrivilege	2184	fxssvc.exe
Token: SeRestorePrivilege	1028	TieringEngineService.exe
Token: SeManageVolumePrivilege	1028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5040	AgentService.exe
Token: SeBackupPrivilege	1460	vssvc.exe
Token: SeRestorePrivilege	1460	vssvc.exe
Token: SeAuditPrivilege	1460	vssvc.exe
Token: SeBackupPrivilege	4336	wbengine.exe
Token: SeRestorePrivilege	4336	wbengine.exe
Token: SeSecurityPrivilege	4336	wbengine.exe
Token: 33	440	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	440	SearchIndexer.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4480	alg.exe
Token: SeDebugPrivilege	4436	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 440 wrote to memory of 4696	440	SearchIndexer.exe	118
PID 440 wrote to memory of 4696	440	SearchIndexer.exe	118
PID 440 wrote to memory of 1600	440	SearchIndexer.exe	119
PID 440 wrote to memory of 1600	440	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe
"C:\Users\Admin\AppData\Local\Temp\a4cde2196a084e5b3c16e3d83f9ea9a859942ba2793ca028a7815afafec99cc3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4804

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2184

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5080

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2144

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2216

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3060

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2528

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2848

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:244

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:904

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2044

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3256

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4696
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
849f59caccdc4daf7d3216391cbabce0

SHA1
dc610bcbcfec55d3df454c8f4c2f128e389a2582

SHA256
a61c28a5cd4e49efa3df54914a288786bc3c228b20939b86a574a8fbcff05337

SHA512
b5860e99a665e0c891ea98ffe676e2bc50c1c7c0fd9710881c678169993e2ba264775de83b9c4c04ec3e26f7079765467a24bf8927642c389d377ae37a3c966e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
7b422863b95b8f148342e876162adc2b

SHA1
99fa507f152697e64214aeb49481452d7ee221f8

SHA256
2f9149c8a4224235be58357188dd6d9c904d925c61260022e9938c39f4c6982b

SHA512
228628250c5452217417e1a6bdbad74a499a28480f67c241e550021c976998b48018f29954e59ad93ea2523bbc93daa129b47f284099f2276fb2b079ab449e7f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
4061f650cb18a0245c9ccb4bc99f8931

SHA1
11229d1fff1d4ae47879143dd52ef1426098c933

SHA256
6f83f5ae6995dae87f9ab3d48105eb80a47881948d2e31925f87715a10e2537f

SHA512
2a21142109294ced546f025155cfc36ec2bbead2e6eb3dbd8e56341129adf180fac01c88f329f5b2531fba28ea584177d1bf4fe70437572022f9504f7c789630

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d4ab2fd38991413d7180638913ea9ff8

SHA1
f43c86d913821caf58476cd782e6c8a6cd996b6b

SHA256
9ed6827d8d998180d4a95c35a86ecc438b8ed040860d3c4e51a7ce92656969e4

SHA512
8d186063c9cc213775b11e0dfcacea0f7931ae6d5713a5ea78a360d9d226bcf02054c0ef035193e8baf6e04006c1e72cbf5b60a4cb1e5e0456f676530ca11b94

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c198fd46ce5dc3a2639780c5b8a4c8d9

SHA1
0b982230b0bd67f037d2620be0e7b7b05b83cbb1

SHA256
982bbce121f417a19d4b07e0854b3def75a3695bfff3b232a924b4df7d8ae78f

SHA512
6405bdcbf69ab3112c7c6670b45dd02f9c1a8f6c8c50f14bff6fe7264c6cd6d131f33fd9036e0230b956bfd3021f6e8fbc34b24408bcef3c3cde6e790800c963

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
a568e94eaeb568e2dc9e32e12803bf1b

SHA1
330630c946cd8cd56728e4508b44490799a698a9

SHA256
9aa24b45181b9374fc6c7068ce2c80092d333558db9e7e925b4ba6ad970ff97e

SHA512
3814358a3049344fcacc4ba17afecba0dc03b5b2dd8f1e44530c9b94279ebb23cdd95ef4af195e1abba9def2b60931793e09f37cb93a294a6fe5e82b4d44eafc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
a4f789fafa5f34c9e1384996992b5d02

SHA1
11783ed3a969db016c324e50cfee1b43c5f3248b

SHA256
1510962c4ba10d1d7aeda79ab76433358b6ccf42225ed36df167b4eb992150b8

SHA512
bddc5415543a41c2b00ca9c6638e618b499238ce5d489c2c976ce65861e7eaa20e09b63c809949eb36ba2464db5e4cb5b9ee2678f54e0b5358a30cb58bb47a74

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ea63798eea159dbbdd4c89aed4d2ad7f

SHA1
689735008f64b8a04a690d832f64b5d5fbc82bb6

SHA256
aa0d731c8e8159e7568bb13fa1f63746b2eb3afbbb3ee79ddbde5d95860bc9bc

SHA512
60cf50b6c9a2fe746c0a4dffc3e0f82d18a6fa7ba5c805ccacceaa95a04b9e2ed2c83ca297b5f8e0e220f2206ef53d82a1663ed3022682d02ded73b8dad3b054

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
a0143d7cec75b07b569946c7b26ceca2

SHA1
d848cdffc6482085a056c744d89f7b852601f369

SHA256
5070085007ca0b6fc1aa99c4f623db7505a3d87ccf0cfe2b0a288c80877c0245

SHA512
703abb2393d3a0b959be008e43602be4b666382ccfe75f9423243217354a222113fae0969c6f151550d0e34256b588c5cbe81d572fb4e250e4dd18efd2860eb9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9aff6b21bf84faf5c96c8875a6028a83

SHA1
9c35755ad94eb0327f533ab86b28131d072c8667

SHA256
924d091283913d23bed3e0546342dbae99fc45b5e2fd87e12950c4483704efe3

SHA512
db205254afdcd52cbb82d1ceb2d531f77f0e14bc1c123d369c7e98c522826ec74061023d7f530eeecd2002fb6e45bd486238340a9421761c5e7477800d3566e4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1306b4a8a2d72051f5690bbba698370a

SHA1
fbb51b104924015272df9389b15882951fb309f6

SHA256
1a63316d92430abf227b8d83920d07b6e0e6d0dbff5e2134062e9d219c729bb9

SHA512
6cbc7ae4886f824365edd9aa1fa834cc58ed57750a9c31bbb38f1c7ac1213da215c6f5d6f12174f3c14064478551c20b7f582f5b827c35734aad5866c208a701

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c38366934c1973dfbbaebe1f88f9d9cd

SHA1
7ed4300f75bc114fa0d990d5612757dd979b635a

SHA256
967885ef9c7c3f94fa136c4834d02cfac907013fec7f8227c26482da1475d456

SHA512
82a358644809ab6abda6cb0f00ef0b2808461c62c6fb9a483c5b87f45b46891a9cd6664b3067046f7cb1a92bdfa4173956ea9a8a1466d61019454fe79d0d658d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
1db59d5bca0c14fb3b5ac6bca5824909

SHA1
21509a4c150d957a368584fc2c51eb97ec2bba8c

SHA256
dc875ebf4ece04dadde62ec9d9cb6a42b8cf262bc9ece25a734e3d383f82e898

SHA512
12662feba4178d11ca40b1f9f1bdd15097acb07e89bc7302d8a1ef2db8c42c2e21f4cb1ae94aaa4c0e5b9d3d1148cbfda8823d41ac28a0964ab085fa0f56596a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b948252a6e1800bf4213580bdca564c5

SHA1
7e289aca0505b6dfc250c3f3907df2c83b1b754c

SHA256
6f764a721ce56b7561f3dd0c5ad3b39db7a28ae104cc76325071fa2952775ec6

SHA512
1a4cdf03b598353a91a11244ec492665c9893f38c639fe8f00012aa4fa25bb534fc89d1673b37ccfdfb82fcdbef7bd9e8eddc4310bb11508f77619d81563ec9f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
fdad7f671b3c60150a55e379d4db3c6c

SHA1
bd1123c9159721efab4b18399743e3208dba6737

SHA256
42ecc0782ed774c0839fd488547f3829c3ffc2c5aa031eeb6931fb9ab4a26291

SHA512
c275d4f79561447939d91b098a35f475063ad3725ff940df5c13a2ae1c3f51464697f28d4061bc9aa5f74f200c88f470277343c753723f6ba1c057f23b9bb693

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
2644ea971cbf3f0b5555907a0feef243

SHA1
b94f98d0b4b6a61cac548d10b189269b4874a472

SHA256
eab74d00cb5aa286fb822ee2ab8bba85350588c8daffed27e7bed032eb7b304a

SHA512
df08e17b8fa1817308dce0067b86497f8c840a82f2ab91c178bef58522547462ae860dc073e96b434af1f17d54bcf63ab5a565d9388f348efda46c496cda8a4c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
2630dbbb22b5d2604a739dbba22acf5c

SHA1
cd54bfb614aac6df5c535bc5f886438d6fd1038c

SHA256
1d3b9dff6353f501deb873c1b8b51099cb670a3ab87f764b4239649e176609e0

SHA512
990d5fe7a239b6454583fe3988c6a5e393e1765c1144218ab4ca99c593c5c3e9d2c5daa54c695731980cca55ba27f6a99d884c9fe6006b8dcf59dd66cab87091

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b0feeacfa12d0b4015451c36d8537aab

SHA1
08ed34056adeab90d08a91d487280c16eacaf7ab

SHA256
7ad2d7a8441775fa693abdcaa15522e58ec46a382ff191c4ff0b0fa99a8737d4

SHA512
89d8563e87eb824991894b29e531a03b43d0ddca6d3cec619519dfccbcebe38fd81c3346af8172fa10c0c5a53943fd75b5cd4b2a5dcb8bb4cb7251b9a9249337

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
b4713912fb348958a91bf40addf78ec6

SHA1
544f54bc5de6b067c53de683a763736a03628891

SHA256
38d66f29bf64190f788886fd6549a73525fbb14d4d72e04fb6120b7bf0f39a4f

SHA512
007e3381ad40edacd631f41e5b8c89824b5db220999edd716ef13362af1e6077cdf9e14c0e84ec65c60e01d5890bdd60c672eac8053e2897ae4212033c7a3a7b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
cef2e04f31f671bd2810ff4f44b27391

SHA1
b3cf658034d0729adcb386dfb2632c4aef04715f

SHA256
e01f1bfe337bb327996124b9c6bece01ca1800b8dba433df376c072b359c0dbc

SHA512
2de808a8ec2f22faa49eda8b4211c2986f349617b72671cc0d37ccb7671ede00ce094ef12a1e136ad4eb38ef54c72a038e4858a2d3e8efdd4a1f49c15a582f99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
1e6a56bee487398ffb832ee41d703d13

SHA1
70f6af078a881d5d0fd1314026b031751968e5df

SHA256
5504971f5644169eb1f3ec345a35208b9a598fef03811f276242ff164f24e6f0

SHA512
372fe368bd6ff6baa85b1d561fb56901ea96bddfaddbee3ff54d314a802f9fa8f21936c0775cd549a0be697d7d399ae2b74d5fdf19b4d5cf30dbb68395bc9a4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
71bc354eb72dd857a05685d1b0e19a10

SHA1
e60ecc23d2b08e291784e8bc6f5176b725ee58d9

SHA256
6c80d7d6f17ad234bafdcf445f534da70f443e8af038547992aceff23825e130

SHA512
48f1d36a9de4a7f3d57dd97d13542ecb110638cb3223fc93f5000a37712e4a1c802678d59bb13ccbbebc832f5bd2cfebf196facaa4ca978d39a3aebfb3186ef6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
dfa50bf4eea89ecfc6f2387f209c1002

SHA1
ad01e0b730d5d4e4e09db4aaf5d63f11e93c4ab0

SHA256
b6f8008b85407144771b26754ce08dd1addd941ac0e812ba42510dd60766bdca

SHA512
98ad18d004d5bea823fbda2fc01509c2211d3ac81776257fc31d51247c08b623a234ea771499f84d488b1d14fbbd4d7a0cf30c4ee811d1994d1d5f7787e29dc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
94417c5370e9b106e4dc85fe1ce38e33

SHA1
632eb2b31c13728cc7b039b6dea4e56fc6d9cf4d

SHA256
d3328e1b0177551dff305c1dad023ba08526ac0dc4172813b5e3a0a071556925

SHA512
f7d777ca18305270da4fcf6b3d5d4ba68831a7af3e44c9b8684dbb8073aa53e0b15cfa6205735287b579ee8e1e9bc4ed9a527c72bab859a36771fd5192c1a40d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
90ade89f0665240e98474efc0b5b5bc1

SHA1
c1600a91f201b30585e8c608a439d7c4b1d8c90c

SHA256
22d7c8c2ea0fcd2853095db9d3f8331b178227ef565c3b514da1116753113de1

SHA512
adf2b008bd6c51ca38283cf09fa15d2d8b7d3765e3aacd4f7238b7aa5729401a94068771e88d2a8f753a910df144f271c9135a12d22713952c0a8ea2604ff83c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
37f671c37de717c77e63177810848cea

SHA1
3ed6b419beabb8af6bdb27b27380cfbe9027e92f

SHA256
d841cc7f721e23535b82368378ba9934812ce18b23a520dbf565c9d51e0d4863

SHA512
5d679f1a4d14c7c266b8fee70590d0e1cbc52bc3b8971f37a7e2f48b9f5b8701a67f8dd01b64db325b2b58b219cd3eb067c4df860c849bbb0fb086e57af9d0b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a582fed33126534ff2eb30f67e9d1058

SHA1
8affd1712474ea093ad0b3fe770c9ada108a53e8

SHA256
bcc0f40862c16b4bc048eaa75832dedbb6c51126926a4c56258fa0f861100c90

SHA512
8877becc738ae60b365c59705a0d8db05da1bf4dfe8dc3e1fc9a59ed48b1e9ac0e73e1e56710d8c8371f70366709b1801fc27091a6ea3646c3cb1b89e7172676

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
1868255de9f4bc3f3a8248450bddb7d5

SHA1
a84ca5d358321ad75e9fb3c69bce1b443a37451b

SHA256
1e869434ba84b29fd74461f2bb3840dc2637e82bfe12180166bb82ff0da6f729

SHA512
75016f9ffa804a2b383842987bf4cddcb24eda65bda19849567cc4131cbe92b6e52b67933da02bf3f4d978aedeb3a5e22b0193f2baf9358f8e3086c9b7cf1086

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
4e604aed8d1a57a9e45ffee7b6d3d6b0

SHA1
e5413ca8cb65f9c22017274156af93b3505b774c

SHA256
3c1644916687a2418e08e06adf65b3781c723331e0b5a71a5690166ca6cd5046

SHA512
60c6d9336a998299818465073c6a95d13e7c96842d41eb031e855777cbfc76c3666b1b4dac46cb4fb3b33c44f6832a9ca23cad6205265c277ee0cfdbac2f0023

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
3cb8495680f855e9c8296acd586d2b27

SHA1
15cc27a8d1e9b088f7a20e5c7923638d4f543c8b

SHA256
b044e1457217a3b2185ead4ddc057baf041b7596a83b7e314719b7ec173533fc

SHA512
abb9c2be23ce4492c65db361d343e3ed56f3009122bbca86003331d7370dd6dbdc213e66d5721591b63c1c796c4ff1393673468fd97bacb37a402fec371e7650

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
aefaba75b4ced14e9160e0006f3ce2bd

SHA1
d23a0f1343e31e2131c48205aab25585fb093223

SHA256
fd1fad0a0752ee3b5540b19d5a2871cd226080b03fb6e79313154f9083ab2fa8

SHA512
ffef9c1a41be7cb202679a6c2b31f0271ef35dc65d30d2832b47269308ae90cf242c36d600645a86a01baf5c0df3e37ddaa2815e98a757ba70642187252ac71b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
a6f20ae64695f4ca1c29c12a7cfc221a

SHA1
a3a59340021f8de9b9e930c145e75c6ec82cae2c

SHA256
c76a1b6a1ba6925693ca4ae8987d2b299f8736d8ad4159d7e707775a136475ad

SHA512
c7547afaf74435f8f9f89c27bbd13419dc4fbd892e16b385101d7c47bafdf30f8784b68da77e1b7b0f08c25478c6f6b074188fcc8b013e5e75ad4497f07a91e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
43a1143d8402a16f9ecea77c92ed2713

SHA1
1ff33afa48b604bc56a5c23999491ba118dfc463

SHA256
c40105fba457dd8c2d4e0024128f2109926bde2cbd0897d9c564d341c7a048da

SHA512
27edb81176265cb136b6b6bafbbbd9b058a5b44d1da2dd353c96b5d010852cf1eddb6d4296c1fbac75cf3ea64feefeb17c1768180037581f94f9c4c9704737b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
8fef5d8cf5e8643b5de34601653db72b

SHA1
571a30f2ef20c8383e931ea38610370923a215a0

SHA256
cc9886acb818d322825b0af3b314f350f66b111f0bca5a79364f31cc3eb0c502

SHA512
3ec2f053bf3bc10a694a7fee8177d7d4d4d0b8db8b7141a95a1574612bf28f490e530cc0ad13e530e5b713bd0cc1b7f5e833beef2825f63224927a838c356805

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
33fa7bbc8e4ba9de50a849b7e4371b92

SHA1
13f583bd13f1a2fb6bf6dff39f526dfc68396bef

SHA256
62200d89284c5781a6c0408291d9e7034cf672ef8e29b2b5bf3cb9d8e85cadbf

SHA512
89fb17dbf9ea7fec673e9ed71b46f394b7090b297edbecdc0d983cac0221b22a06e610dda951bda1d09f612de3e66ab9436624feeb8c7dfc14188bc3339178b6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
36cd3590fce98293da18cc3349e92f04

SHA1
d1170c0b522fbe1f2dd3751aa2262d39577d5e69

SHA256
5bf5b8d3d107345ce657ec8cb9bf1e1406d7b89bb9edf9c880cb8ed5b46e9abe

SHA512
2275efb48f3937c2854929d78f3651fa0c5d8d40b8563fedcff85aed6a1b88bc7d27328e0ef02b1fbaef1bb704523e1988a4c4cf2b0c4dc8bbc20abf87e3821a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
b2ad41725a5731f7a8d32532e608678b

SHA1
0e5de410a2dd8d8d3fde88e880c95a886fa3a3da

SHA256
d892bb8ba5c8e6286a47770bd1bd50c0baa1171f5d9a3ee85529be63517af75a

SHA512
bbe80e86ea6dba34c80033e654abc1611e32a238e707d3ef4142d6a47ba6cb3568143a1c8eda03ddf1946891a42d69388fc8d886a20df65a5a34011963e3cfd9

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
af0b831266be1d536195c5df7c264238

SHA1
3774ece1d36c18dd2857e439d566440b51eba458

SHA256
5b3fbf528336b5dfe36cf9fd5f9a0d66d9a35725c1dd9173a8e566213ec0de96

SHA512
14df7c2634a7667f9cda39a84f692db14e04f06f0534466528a7ce36ca478c647653a4335bc0437476107161726de5bca075115125318b7f5224df94aeae26c0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
cec8c3ee814a6e2ce031e34f4efc492f

SHA1
ce2e4a27dd79d65b26e4a7e588e3547a8ea4005d

SHA256
e141f9e38089bc3168db7053c986dce3798d51ee82c40d8ebb5efdaa3702a595

SHA512
f5470ce077e2d75e0a836ed7318a3259b81bdf7dad4eabea0a9050592a5869d324928432b1bf24e2e7b904ceb826796a48f2fd12ab1ad16e2baafc5712a90cc8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
07424f08b92e79b70c96a504d2618e35

SHA1
dbdc0ee210343a6532ce6f15c2ade8f900d350a9

SHA256
890e907d53bafc5e700a4043877ef70ff9e4f6bd0247418eefe34eda5dc947e8

SHA512
8e3440ec67b6b7f89938561cb6c6e80ab3f778030ee16f43bcced4decaa027a5f2bab0649a1aeeaf894b7d3aa63068032c7bd57694213cd83ec26e5dd76616c5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9a5e58474fa457b6d9623ef3a0cd32cb

SHA1
78450a4db31b0b9088e6d1c9cca11111fc55aad4

SHA256
c11c25458df807c0301aed17cc8afdd49b3cb0353261fffeace2cc49f3e79365

SHA512
3f38eb5348314a5bc647629ef16134d73bf8986b3ff1dc8d7a19b86357239703dc79bb3ca28f32cbebc3c9add3fc008103f2aa0f1240d7d564a79ff0dca8be6a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f270dd918b3456021e20469d55c86e0f

SHA1
d3c0e9ebbd3036862186ce09797da53c991f7ce4

SHA256
0ccf75adcfc9e2e16234d135197bf5762dd6d4ca434322e985558cb52c19fbae

SHA512
1aee2f1f86f8df1ca4185038e058b396be9a60b967fb97dc77b3c1be83877bcc7fdb303620b91121987ec7926a116cc3af51c1c66b671d3feb5206b4ac245d00

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
8986abe1ea52094c555b074d9fab18cf

SHA1
5fae71184271b5a783a5af56bf5ad36d2e492949

SHA256
3dbc11dbc54952e41898871ca4fe813f369797b372bd95ee1e351734bef3a951

SHA512
22260860d2f23624703f1ecff112a98de80b0842d8eea67bf3ba0f84b0703685769447d71a0a3ec09f52d88335debf6fd38a4b0734a10a38d771bd37e5d08129

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
6726030e69d88f50098ee82ec92ff6c0

SHA1
0badf107036546e41369dcf18ba800daeafe7984

SHA256
de1f6978f45432dfe628a9b31f82b3f89d6008ff439a0a75d810c37fbf603614

SHA512
8ed29b1e1ba551940f2d7107a78edceb559055a1a37b54ea6c486b54e09b252b603f215b2a45f15c475520d6f01e84059db8cf2947ad6f59c0da15c01ed07610

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
177eaa5c92f832e97c9d2cca0e689ec3

SHA1
adce3083a2dc62b8c5f46ac981835c7832e55a36

SHA256
772e079389f36b1fca777ecee96d23a9da52f3356b1ced139fb006779a2dbbef

SHA512
676e4cce6408caf9702bc855c6bf0065d5ac9cd1694881c91e9ec4114fa25fbd14730421fb33345f77cfce1915db4d01f96298a2eaf108320a6f3e1dd32e5c47

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
927b8f30befcec62c1884636dd7f5e5e

SHA1
2b4fa1eaa1900fc814cd8f49de24f53d4dd0adb9

SHA256
0dbe33efe2af8fab27d4ae804e89ff4a2bd9da8bf7cce97a4e66d648d9eced1f

SHA512
ec2918f5aa4138f7b98ff9d91932fc09ad1e8d60f85279a0a9ed7c28ab8aaffdc3c574af75c44918eaaaa0c503a4ee8873e6df4f6c28c24a7ffcc72ded0d6a2f

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c7ac5855c1c2801be607ef7a6fcb24de

SHA1
4f6a215f6f0c3dde4a6e836ad5dfb222b4bffb45

SHA256
c3808cccad80722b717f443d6e18ae3e71761e06c2463b34b83940cfdd7d9d38

SHA512
e6cba6fb10368a5759b13265d0e339644b2a04bed3ec89a46c4e0730d97c6993dd5c4628c3c09f2da675c7a0b082e6a6b55f56717f4b21bf927fa56a153227b5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
c715e747bdaf200a792865db67d228cc

SHA1
224e63b343fc5159185696baf7653f3882d65707

SHA256
612baf121a70995cb8c955d7f23df5bb60160f7c4f5be949b5d6fc6076dba595

SHA512
637bac4b147bcc8f62a42c3470f1f828bbcbbea07a5ca5d7651fbd7aef5ae7bae268a151617bad8cb301418998e67e638517f91502635c4797a0c8702fa8368b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
07ef017c4cb9570f5279351460d4c89e

SHA1
25be223d578212cc2abaa2ca2f128457b34a4cf8

SHA256
7109c5015021fa1070fd54c9814a6aaa12073065ed840817fa0a1ed8191a47a4

SHA512
6078bd581df4cd98df6162627a46c8756bffea6ca5f2f5ac0e20f1977b74f7aaf2752248b27e70e1c6a3b4124c9d2a0eee95fd6bdf95a3d2ac8aeeeea0a61b34

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
4a61d7ed552202a9ccf29e88ec0ede98

SHA1
c6555917b4735eda217f9e24da69956315990194

SHA256
815057ae0b71c57023c9e06199838b9868220cc6a104d6606d56dbfda2a71a16

SHA512
64093b8e3994f3c5edd22965bb7c91a8a4d8b0bc609a55b4d09ab48386f0f17c887ab30a52e1b7f1eaa14e30eea25224c92ca7d6e6d279d67244de6502a0a058

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
310502ee5afb16a0c72ce7a86a3c4b48

SHA1
d23fa27cdc757109a97e844a710a3b36b64edc27

SHA256
2b3eb8f4c8695d536c5d6539d027f3a3a0eea097bd5be70b0942c38c6b3b61e8

SHA512
ba6f0b88871564dba0e8db7f232329f3f52dfe865cd2591d84e30bc755f9cea4b92720ec8bdfc490259771c4bd2e1acf169bae21ad647ded2c8da89728dfef97

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
df3c3b8886dcbca7a27f49552d1b6a90

SHA1
0424738a66199892f502697c642323811cbbc7e5

SHA256
eb5850f956baa96eb7b0f811b35e5eda208bb727bf840e734c6b61a7835b3c35

SHA512
1967404fb9c8c8e492f06690eec14af522becde90409fa0e73e13bb6c1f0909b822466f2b5096cc75700f3991f1c2f1cd01651d97116436e39324d8c4222d3b6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6d32b26e38a3a824288a34406bc2d27f

SHA1
62e73edbbff25ff45356338595713f5581aa9cec

SHA256
3533abd4cbea917633468496f5d484ed1d7dc4fae5cda4ce89147f7de1aee6f5

SHA512
c19ba5e68c8682bf84e152c8b0c00e268e20cff8cd2dbd2b04a8fbcdc86696b82b50dc35db590ec5ca7bc71de4069bb44ac8348dae923f53f4d73768e1f47c7d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b38c91d22c7e19b523766213cb24e77b

SHA1
1dcf2a28d4d58fa32435ad83c07b945d57bfe1e7

SHA256
e97a109cc9f15fc1bcbb98d44b9047a412cb62a9dadbc4341e6f3b47c582ffa6

SHA512
be720ce563a38285988988defaf014a4337344d2acedc84c0110bda3f75e6c5a5683b65d5ff79dcf62ccbc8306fc97fec9df1d0258d7d597c0bdc991e48d7b62

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a2a132d2f1846c8bb8f78041e19027f6

SHA1
679a8470e99d81a8664997299ead7afefeddcd89

SHA256
67a6c113735c1498e49458fde71875583838f191b4a7ee764f3549dff42c470f

SHA512
7218c5cbe5bac4c5b427e4fb60d2a75066568d6a40505d8ef05bb3b86f6c04ccbd7138d0e1d91a3847ec8223d17e53de18abecd82b69b7e7506e9c8baa34d12b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
0dd343e42ab82b827168844779fadee6

SHA1
fdc5151497ecfab74ec1e590415242a7777d9e42

SHA256
c81e0ee1de40077719b7b4eaadb67d51883c0ee5620f7480dd14edd0e2810f7e

SHA512
7303fd4dc72781164901bc79dfd4662ad98d923c855f1b9da906e43a22fc6d650a26d46dc3079ed63d38e3753181be2564748efab44f866fd38fe5774a7f40ae

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5857b9030c925be563034893a8b311e3

SHA1
66299c0994434c17f3dac114088e848952febeca

SHA256
1d674f2174c6efbd8c97fe6e987b04652c3c0b4d67a4a74a009b375777617b26

SHA512
8b2d9fe4fccf0d85cbb11937000e578cb346cd617290eb8ae779d05995d678fc143b439a877a873f14a8f10ef580e7ff1ac3be83a0f7a4dfae90c3f5bd46c653

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
ae1ff44179c3503bd38d614cce4b3239

SHA1
00be300e758ecc67cf4738334353e8889011f7eb

SHA256
b7f3dca36ba2d51194fbe45ecbe00849f3f504bb845d91aa395a472258b1f8ab

SHA512
e7b3dabe61c396673c97bf46c92bf5493e1aad6ea59e031d66f06ff5c7aa2b55cad034480c46fe68394a90ab3749818acc91a8e3e05aa2a95bc67579ca176342

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
37e8b4722ce76b841a724add484182b2

SHA1
361b089a4d175e20e07c086aca1d2355f5756a5f

SHA256
db535263dd030471859c49312de046412811aa540e873dcf2a1120120eda0565

SHA512
1726046c50fc5a495f365ed6bcef9eab72923d4147a206a64b24761a6a7af0034c9b99817e6f2fec34030bb40e01fec1490ac348314d6f8c75e7180f279198ec

Download Submit
memory/244-325-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/244-257-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/244-264-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/440-448-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/760-156-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/760-147-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/760-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/760-159-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/760-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/760-152-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1028-284-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1028-291-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1028-352-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/1460-335-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1460-326-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1492-244-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1492-312-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/1492-251-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2044-315-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2044-322-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/2088-271-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2088-278-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2088-338-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/2136-223-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2136-281-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2136-215-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/2144-171-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2144-162-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2144-227-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/2184-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2184-106-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2184-113-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2184-124-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2184-107-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2216-186-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2216-241-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2216-176-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/2528-211-0x0000000000920000-0x0000000000986000-memory.dmp

Filesize
408KB

Download
memory/2528-205-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2528-268-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2848-230-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2848-303-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2848-235-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2848-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3060-193-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3060-254-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3060-200-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3256-361-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3256-354-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/4296-132-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4296-1-0x0000000000A60000-0x0000000000AC6000-memory.dmp

Filesize
408KB

Download
memory/4296-7-0x0000000000A60000-0x0000000000AC6000-memory.dmp

Filesize
408KB

Download
memory/4296-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4296-441-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4336-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4336-347-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4436-102-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4436-161-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4436-95-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4436-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4480-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4480-18-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4480-145-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/4480-88-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4480-87-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4588-126-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4588-117-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4588-118-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4588-191-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/5040-305-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5040-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-309-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5040-310-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5080-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5080-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5080-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5080-140-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download