21d548d9f50b5c023693d11e9ff3efb3fbaac86ed4206ac4f87d79900cdee74c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 22:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37746d977765e3a791f924a9cbee13c1.exe
Size

712KB
MD5

37746d977765e3a791f924a9cbee13c1
SHA1

ebd9ecb47c6e323d552234e2bcbc16fab7ff9de4
SHA256

21d548d9f50b5c023693d11e9ff3efb3fbaac86ed4206ac4f87d79900cdee74c
SHA512

951c14bb8f3518b46d8322eea1c2639fa608b4d5ba8eec653591f46c886ff279b993b3a1056823b43aa24c8b5f615b2967b4cd7d8d17ba6057e70075d5db6519
SSDEEP

12288:ZtOw6BaEi1sXYuHa53u4wU0VZAsztwy9IU6FpbOI+Xsk:r6BrksIuHa53YUS9wLDFRW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3796	alg.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3572	fxssvc.exe
3704	elevation_service.exe
680	elevation_service.exe
1068	maintenanceservice.exe
1656	msdtc.exe
3136	OSE.EXE
4368	PerceptionSimulationService.exe
3148	perfhost.exe
4768	locator.exe
4992	SensorDataService.exe
1588	snmptrap.exe
2968	spectrum.exe
3428	ssh-agent.exe
4204	TieringEngineService.exe
4628	AgentService.exe
4948	vds.exe
3532	vssvc.exe
1444	wbengine.exe
4380	WmiApSrv.exe
620	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\TieringEngineService.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\locator.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\alg.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\fc19004312d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\System32\vds.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	37746d977765e3a791f924a9cbee13c1.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	37746d977765e3a791f924a9cbee13c1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f286b06cb8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8acbe06cb8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078896d06cb8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006684ca06cb8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029d5b9feca8ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004006406cb8ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000229880feca8ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe
2952	37746d977765e3a791f924a9cbee13c1.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2952	37746d977765e3a791f924a9cbee13c1.exe
Token: SeAuditPrivilege	3572	fxssvc.exe
Token: SeRestorePrivilege	4204	TieringEngineService.exe
Token: SeManageVolumePrivilege	4204	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4628	AgentService.exe
Token: SeBackupPrivilege	3532	vssvc.exe
Token: SeRestorePrivilege	3532	vssvc.exe
Token: SeAuditPrivilege	3532	vssvc.exe
Token: SeBackupPrivilege	1444	wbengine.exe
Token: SeRestorePrivilege	1444	wbengine.exe
Token: SeSecurityPrivilege	1444	wbengine.exe
Token: 33	620	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	620	SearchIndexer.exe
Token: SeDebugPrivilege	2952	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2952	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2952	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2952	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	2952	37746d977765e3a791f924a9cbee13c1.exe
Token: SeDebugPrivilege	3796	alg.exe
Token: SeDebugPrivilege	3796	alg.exe
Token: SeDebugPrivilege	3796	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 448	620	SearchIndexer.exe	117
PID 620 wrote to memory of 448	620	SearchIndexer.exe	117
PID 620 wrote to memory of 2040	620	SearchIndexer.exe	118
PID 620 wrote to memory of 2040	620	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\37746d977765e3a791f924a9cbee13c1.exe
"C:\Users\Admin\AppData\Local\Temp\37746d977765e3a791f924a9cbee13c1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3796

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2184

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3572

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3704

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:680

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1068

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3136

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4992

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1588

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2968

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1760

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4628

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1444

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:448
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1318e6525cc6a82a683c722f7b264ec2

SHA1
9ac7a2d2b665e0c64a7d7a857468a55363cf473e

SHA256
8990a53d0ab6ce077917f247cbd85c2bc0046cafaf3d86f96eb952b09a59bc2f

SHA512
9fbc185588ccdfdd4204212e9bf053ccdcd58a766e6a646ae0fda5fd41fec6a684881bbc79796b7967b27a5aae980a121881020e356c27e2ff7308a1f4a4eeab

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
f791ad06ddd5dbe38e9ea3a568c51bce

SHA1
4b7ec56399d697d8488f1a3dc1305055e30eb085

SHA256
b0aefc90668c6e3ae0239d23dbc7c6dc7be7cd1fb6526103ff764a1c1b7d7911

SHA512
1c5fe3c8fb0845050e94b89582098709f5a46baeeecd74c28111fcb80fcd0eabf95742294a9de25d35c30a17ba2d4ef1dddceae843ba6eadc2a5d69bb19b8845

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
3805a546ea977deab6a1820f30665ee7

SHA1
2ac160ba8081dbabd148c46449a865563a4f9bc0

SHA256
50d4c9576f27c5709f5de1686bdfcf7b722f2de978c30aa70a513ded0a477cdd

SHA512
87fc249f07fe1e36709448aef6960d98cb5dcc63b500be57efb8ca66c67464cfda79735c84abd1adcceca1e6589d1aeff2f7c14a3db08971d1ca664f14f116e4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c3fe45179240523ade5533f183dff87f

SHA1
e8d3bccee3046819e750783921048124fd196e6b

SHA256
8a1fdcb37a25d16b85aa0a678349458ca597960226ad1b97cf989b3fc608264b

SHA512
ab6707e8c12fe8bded5dfa524166e17f82a3f4ea58e2dfa9d4a3e1ac1f0b4f90238b817dfd345a616db5a105ea20fc7c75b5bb863ddf48a5731d16e3b5b2e4fc

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7a2a395e1b9831c4e9a374c11eadab9f

SHA1
bb2278351589f29113032ba62f48284b3f0adaec

SHA256
d7d4e49ae5b172d6fc95b01b18e5dc863b1e8020f7b9192643f670b2fbb0d6ec

SHA512
36a9d2bc0175d4e687848735e0c4bffae34a8c9f961db7d5bb9a472affe59dc9732f2659697503da5b4aad216a7a4632345ce026c86cd33d5203f3795053d7c0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
355573b080b9bfb2fb6d96feb0181d1e

SHA1
29fa62f80ffadb97701f91d56505d4a281f4aee2

SHA256
98ef7054d475d3df9aef8f1dcb7e37fb448b0f6d069ec27e88425859a7e7d777

SHA512
6b3c0a3691379883bbaafbc40dd3daa1ef301cdda081e09664e03e031ba4296311e62b0ba59b9666ffaadf5fbb68921c71c46de52445da4683d53238dfac8a31

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
63743ee816f21a990a507f94a4bcb391

SHA1
3bc6dee3afdf9c96eaf8b950fff734a9f9bf509d

SHA256
8860bdadb15a792605c1ae487b784d97b560713c70789f387b93741e256c48ca

SHA512
37d5deb60cea5db892f620a79821ac0cea1a59418c1d8c8f4e6e1fb90199c2a20d33db185b0e6f2ea9c018f1ba02a90589dd43f6623b0abee979623f5a22d744

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
89ebf0e083aa2de47aee12b154f51043

SHA1
699f15558485cfa06493e4578cfd9aeab7376479

SHA256
4e7d7541ffcce139c70ec207625af335c0ca064ffab9239e65a1e17413d8aa26

SHA512
5f338e45809aad02b1a8009cdc1b57a85aece4e29bad70262066e47496b40749725ba8f50b62fe4c4a0dc65bd7f2c3db09233e57745a68b0c484d0edaa8dc167

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
03e936654464c86a488558b52f51c746

SHA1
36a0ad4b1f3ec606e6c07ba3fd10a366b6464bb5

SHA256
92657bdc249e913aa35561d004d63f1b83a3850ffdea564286266ece7d4c7f77

SHA512
38b86ba80765b6897dda4c2533db8f9916e222db013c01405adf1e5057f4011c6e75d21edb34419ad50ed0ca6c535d29e5ceadc124ee916a8a3c2bfd270a2732

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5f55eb1950a440a36e43ed01e66e46b4

SHA1
b42cc1cefaa41c7639682516044791afebda3ea3

SHA256
7acc323a25d824de535d368203279bc4ed0aaea986373491d06dfdadff5fe31f

SHA512
f31f5347762b12ed436ce6867e2e5486b331f94cc57e5e07fda0e0eb727987e0f7e05735d1b6211beeec4cf15d91ef59f127b1548625ef161613e811e31bbfa7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
a788da9010802a81a36efb11c4317947

SHA1
9a71fa09e8676fb086f76c375b328a2762c34d4b

SHA256
ec8d1e00b5e69e2d5e230ef9343e7a7ff0096deca371daceefbc0d5d8fa70955

SHA512
d9436e28bec3955cc24e8be3444dca885338a31460d28746ab83822909bd66c75cbfa895ece1951993a419442335ce8e584629949e42f67eb5d830bacc5f69f2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
551a6628d760d33e0c88591a3836cfc2

SHA1
b946cbca6d32edebd0062897eec45501d884d7a6

SHA256
556cddd7a43dc856c9ac41d13a2c1cd818089fb205ea403c7d1768a86647ef84

SHA512
9f3bbfa7ceb312e35135850852c0381e9baa3ef88df6ed443b386afb94451efc1e40b03451dafc46a9c837247880217cbeaced945ef9c3dc6570d60958860420

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
55cf19f865abfb7c6435a9d5ef95b2b9

SHA1
8292563fb129b82b352dd555d81aa860d3a221ca

SHA256
04809715c32e7ca37d69e395af4fc516b81ef46421de0934147fd933cc6a7627

SHA512
d981f2c4423ff70de2ee08cf609cd0ef07410b62d78d809ad0e6a359a54b34e30b993428eba6f38b779dafcf8bab6edec0264ab071454c9ceeefa43ab9324d5e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c3ce7c085690d769ad4cededf5c6274a

SHA1
d291ed1d01d9ada6b30aa84f6c53ca10ac612b1e

SHA256
b68e1ebd74e76387eeec52773a294d02884e2a1e9ba340a206914462f2b59270

SHA512
047f52db8bce483809b3eb6e609b6463bb60e152245e863e5838b751dacd3226287367d151e9c048351133f99559016682061d7dc88dd05bb4d5e5f7c87a1671

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
1265ff7345bcffbe0531c5c79bd52a38

SHA1
8c6040946e461ff1027d2ca407a7cf11037db7e0

SHA256
bb48cae873e16d17aaf5960fac90d276e19be1117fe2c887933e4bb00fb36d4d

SHA512
07537b0a5927f5dc523abefae084c8ab21454c350a25274915bb15101fbe9dfcea8cd9b9b3ad81b7642ab49a850773793f6bc5071d70cf809a5b5579363b5e86

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
887e10894772c78edec87e98df46832d

SHA1
20f5917b41454e670c7618d816b12ff9bf56222e

SHA256
41dd99e3b809ec50152d7e98235b9e6730d0b13b3f96f826a7957a3786718a3f

SHA512
19f1d6c5e56284674cb06d5575748d45c07f92025d17ef4604db7a7360e2c03b10535387516c56ad269e2f3d976a10715a43526052def4636af9484bbb947866

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8e98fa901d366febb9e46e7af2d8b3d1

SHA1
1861364ecb92bcc9f258ec9d97246f16e05de552

SHA256
f35b680d62f3c345e74421ece9769340400fcb8c8005d1adb4c41f88ac82b380

SHA512
ae862f4f5f4fcdb251d308a52308514e672fc7f42c5c754e54ddb2f59ff6dbe8c5ff4472fadf2349803f31558d45184bc3b84357594d780861c1004f1b084de7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
4a4d956be7f6f7c8e97805588aab2e65

SHA1
f234945a9d971354df384e1d1299f4f4282ce541

SHA256
637b4f0bb73e321efd787a3393b3925c6744b02e81fbae0b09a378078ee009a5

SHA512
c830af5d6c01fa1d5b107847400bcbcd32f048824ce9dd5314a31be8d4252e53cff8a27ed5b52bec500f4e49eed6c8e7b2570ac3c6c5fe0b3f963fc1399c9562

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
458aaa0eb187967955527f1f31e0d004

SHA1
527b8879fde4ab4288041f9eac16f7b102e5477f

SHA256
7c157177667867f26a42806da36634e7c169a693b0214f8681712f9f13a4d92e

SHA512
95bf536285148f3a8b4e9300bcef6da51c83ab25d09a97d4572f472b3afa029702a01019442b6bed5b13659dcece72dd10b192108dbfd30df5bdcbadb23e871f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
38434c6fbd822c573d98e02221ac496a

SHA1
2485468118d5b3c675675e89dfb330465e21c9a1

SHA256
99bfb8d78433139faf695cf8d80c761d98db66e52dda9f6a5ddee2444eab68ea

SHA512
30c40fa8865d927114e1c5a560021d3911a00917b1a0d47d80e28ebd1b29904b82ddb2a1acc96e9f5ac3e41ecf0e0490b6e55ed7344d1076702d319d8988adfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
3979da53ffe424ece991f4f368ee46e5

SHA1
bd7b3cb79175b59a9f80a3f660b3ed47f6c1d633

SHA256
d957f30363edbbb3771bf75410bfaa54e3dc1d89354b567e3f936326407e1971

SHA512
4e2153ff9d724b192347c66a3e5263c197bbd1ab91dec1b8ec2732a7b8549a8223ba55d2c57fbe7754e20346652464898895624f38b97b8b55a81c57499b4c5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
a35deb4190c6645fe6d546e82269302a

SHA1
b4f4158849aed6b826b32d4a7ba1dc31381df8aa

SHA256
a1aece632bb9865f6550f0301aa101ef7a55bbfb99aaf7252e5573d796764265

SHA512
daa9ab39bded2b689272be56aa5d5ffc7b6d50c2133e9931a6382efbc7fd6a00b7f76f35aae8cbd59f6a1e7ef7be203c618d01cf5f8a11dc1c48e16960cdd42c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ea6721f5097a79610a7ecba36439a8ac

SHA1
69807e548671ae8f9e11a08000d36d4622574727

SHA256
e2bd2804c2224328ebe8750820ed042bd747b7da8c873398c65f37d272f487df

SHA512
05b8afa2c49209dfbd98e758237ee5c5ad78b6063d05e6beae90b78621e9533b01c2ae957c7f00b279acfee405f7f675bc5d354f0d641bc5351f285256e922a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
513d349b0f63106e95c3c985632a7e9d

SHA1
7b09ba998f2ef3aaaaf420856e1ee3e58366285a

SHA256
77302f15e9a7004f7d4e806580ba88402ab5660b05576f736602764254d9ec64

SHA512
a3acb33f09c5819bafd5e953a985317097aa92369b60288dab7362bb5be6d6ec47a07d75a02e075fa87ff3ff6ceaf16487148118ffb45a29b457a851a3f1e6bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2c66b8dfd22ec02f509745725d62d9a0

SHA1
e5b80f62a6041431456f25bde175d9a39e1b46d2

SHA256
3a4675e4fa6797e1faf570a43258f9db2702f596fa5fbc745eeef7d23a9fe70d

SHA512
6446a504c58919f54363164134c7cd924049d592cdd3a155858bacbcb8173ffa4a108cf86f63aeff2487f2c4052fb98d74695c846b7344902c143b25c42cac1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a8f8740053d7303acdbe9844a6accea2

SHA1
cc8300b8cb3b7b3814eb685dc6df01e7be6e8b8c

SHA256
7ad10b8cbd816ca6d98153f0f682319724e466ed9d7da478397ebe52afd3bb59

SHA512
4b6c1f547d235957fd36d9339df4c96346705b33d95c0433ac8930a6678c7f459ceaa4348047e4b7afe9091ff044f0506ce8e951dc0cfed0f2bd33e59111b700

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
3fec130a79264783b3d11cbb56dd1de4

SHA1
af5b4210d54449544b71948acb8aa273ce0b76ae

SHA256
f6e46d41af3f114add42c4049044932ef6b6a39c61d4114e1fa900d69d317d77

SHA512
4d55cc7f4991dfdd394d1793ca340820590fb9eb2e8b1a7fe56f4b158975011866555fb0743d7e89422a36112f8dbb5940f81e2a35b5ec5febd2479932522d94

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0657232ea516c468ba75ef1b722f17d5

SHA1
eaf82368de8489027567cbe01c45677d98425e19

SHA256
19430b10ab337a0983c6f2f5d117a22410d3a833e008b844d9423be03564243b

SHA512
cfe7d96f5313c2c02bde5b420b9e595aa9e9ec6fea20d7caa5f5aad3be375e90dc7e64632c4fbf0c9fd6553058f76193a748a80d979403c98f900f7ba47f5d9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1914b926f8e4aa1dbeaec36071915dce

SHA1
f58fa1e98843cceaecfc368be153362d060ff8f0

SHA256
8e1dd4bfefe59c957cac05a6b6f9428258da61623eaaca416613c610abf0d7e4

SHA512
e605843f4a4c9f78962b78e40d5fe47f00624dba6a4d1b9bf52bc00c43d296b6fd7c98edda8e24d94580a1a6195bae38bb62b5a93cb614a09d620b2d8a185b0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1506e27cf50183e4e6c15f914ab562fc

SHA1
a6cb0bcd347c4d4df4fd4603a1530b340a18ae67

SHA256
5659bc166f746e8bc1e2eaf29529b69a2b1cfcbdde428de37f6232601eeb2be8

SHA512
2aef9afe04a8d6c208c716650de361210ea9ad8345e0b3bf6c8ef42a526a4dcd632070aa295856b1c55054f4a73e4a6cd1e42d30a0a91fde7564bd0ed98930ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
e21a5bfe314083d7cda6fc86f6ffcd4b

SHA1
3d4e999c4a6b61e1b9a0da526980d2d5a3d8f5b4

SHA256
ede1c5bad6b3f9afbba5012ffc79caf531469f17024f4b29eb121f7fba0f0de4

SHA512
d9c370fbc3b1883d298d053e97c7487b76359c01a9791eaa1420e3ea9470c11c3af7cca1508583ac36fc3b1c5e86845e1043f1cded6cb6860d2b715ee3ce79aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
0d679c370942400eedcf0f0935635df1

SHA1
9307b43d9c4b29f6b299d8332b25c8b4f9f4ffd5

SHA256
9741ddc4b6a5b50561bab4c70118c0e9c99c2d939699ac65353dd4de7c67e3e3

SHA512
fb74d1d45276a2ec5e20361d1178f65f6b6a519782e803c0351965a8d3941923e9044c08c10e4501c9eb6e50c10ad8fa1bc9abe750372b794cac5090be0c27b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
3f47a0d343b27045cb1922660518ebbf

SHA1
66201845ddbb2a347fcba8d3225f65a1bf67291d

SHA256
2a4a0b13e5dc4c5311d25008700b650b91a235d84bd5272fc68e03d8186f4035

SHA512
a4c0eaba2724d8cb0c3386e59f12f497749b2eb5ec33a4c08ef21a54ab51e3e9adc09fca2f2b179d5f16ecd1ce1feada9377f1356bbbf9308fed5403cdd6d375

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9fd2f8dd97fb182b2f53ffd6e3631566

SHA1
a4b84c5f663fb851c763b4318c277b62026b297f

SHA256
1ae541b8f27e229b2ee956cd4ee45120c2f816204770d62d4c57150f1cdeb5f7

SHA512
7d3e8d8fc48c667fdcd8ce6a4f1b7af8d9576a02c366c6d9cff6c5f294176dc15b248cfbb85df98150192e5f2326600625e0ff50d011599871595eb9445ac281

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c493db3fbc1c443367c9f33031656b19

SHA1
80db31ebe724b4c730db47abf673f1672caedc9c

SHA256
2eefe57d8d9038a8882b7d88601c57baaa80959bd15f628708225b4da35e2448

SHA512
3343d0c49c523d31f355054cdc2e09f38945483d2943fe3175f632a59033cf93d446fe9c768fdd609f30a406fa0c6ab8e02a14cf080ae839dc0a68bf1b49915c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7296763b781eb492dd5bec3cf1077df6

SHA1
a707760293e4b2765fb9ecc0c53f14bce17342ed

SHA256
7abed4e9acd0b38f11f068010a0faf321e35f981b73d3d6be92269f13a168b37

SHA512
2e5c0d55b6bc89261bc243ab36189e574961c1f14895bc6ec03fd7a428ed3ff099ef4387441ccb853cbbb78f519aa3e2a650cb1422e011441f61b1ccf8b9f083

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
03adfbcd69f6412e36d0ccd8ddbb9f0b

SHA1
8147de63b5a33e48f223ce8de0bfebba63011ca6

SHA256
bf8cdb268795771d019da19c632b64d9d9c2fa8df95ebc900bebd9e8d4651a81

SHA512
27bb56ccff8b578c944491c0e1b5c5902162b880512a44d5495ffc3123ba0c2913e258d5b5ab98a9af1335934f1fccaaa74109654209b2db71292d00c0bd8d0b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
be7d5d2a6b99e04ab3bdd013eef6d384

SHA1
c148de9658815e8cbd5022f0ba3ed6d89f64c3be

SHA256
cf17b9bbbe790b5dacdd4fe08a016b3b52a6ac4d438f604346ec1db5ca28714f

SHA512
dd41635d9930752690400540c74c8e6c14a568ee414f80f04cb70ad85eecc15f259189e09b9bdc3a7c552c35b1669a89057554775202cc1eb8d4629da4065b85

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6f70c4d20ddffacf9d6f8d99ef3f495a

SHA1
243f68d501e488fb745d340f3981a5494d3a9b02

SHA256
81bdc79df2629e4f3dc90dde9818b4386a58be7b27d2ab1c733ac9e6abb8c5a8

SHA512
8cbaf47a7b4373d60449202c86aa39dfa1843d85efab57e45071b6160fe06386c9cde1d5ae6660f6803ba14020fc51007d8eeb96fbf4a6cceac931d4575730f9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
e182556c07e694472f46056233572ed6

SHA1
353faf7a241aa686084460209809662b270cb188

SHA256
a52124c79317e44923a0a642f0af12830cecd14ed4caa3e6a9a49dd6b477e247

SHA512
7260679c193f5e7d6f6ed4ba970ac268b49df7d3b73a35bf68184361393723c66701737a6f294ed72a1403f16ccbb4b810cb529fe56fbf4f04d76990832cdc20

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
0cf5a2ff8729cd481b512aa7091afe59

SHA1
b94f27563783944b7a97a27cf2e844c7f4df57ec

SHA256
c1b35e5f5ca15de35615b2b00bd11633a39dbbfce62707e385c87589e5123f33

SHA512
979729f93de3c61181aeac0965b18d45fdb451d9af17d054916a0031c5ddecac1d521c979f15f5ab437f0cce3bfde8e10b9bdee928d93103de755f5290b204db

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
dbad6dba28ba18a5958ceaf9e9c02cb3

SHA1
f0ce7b6ee67f76a595a38fad0b317daa3985deea

SHA256
67adfd1ff6acdc503daab6eeb090bbae9a8dfd588aa7829789a73da0bccff3f7

SHA512
5bc24ee556e87b4614e48ebd05507a7e0db62cb660788d47392f485010ced94864e2513cd7a07255841bdf5802839bc9db73bb9d63251033c54ba672434173f3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a4923053ac97df8c3cd5212e6bf71082

SHA1
ac6acb180c17a05cd094d4d25af8273be4420280

SHA256
dc166864f5f661dc5a8fd4bc198fa3cd53953f375ce57ee9346ade74505f682c

SHA512
ac6ff008113ca61fc8412e910f252e890c4bcddfa864bf19acb9518d3625b47ce9d3277d2dd984ac9c27366e7eb6d439dbe7de3203c4305670f6974fba3a962d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
75325529be7c70df97926b7064ec9556

SHA1
82e1eec3ebd6b971f2c80e158df983e0eabf2506

SHA256
be7953154ffc4ca5643a90b40c3e968d182422f1318cd585cb8899f555ca3119

SHA512
2db2bf610b10a3a926257b4a669dea27480b9ac4965dede289f293263a367820373cfd36b6ed5b992d9abc6a907fd9361bf13bebb18013bb75ee88172aae41ae

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
eec4e66aa593074dee79dd195db9082f

SHA1
991faca1df95d1f791a532b94f0ec0429ae0dd97

SHA256
e3ca3ba1165fd02ddc086110f485e54843d1fa099d799a6c4ba7f6405e910ff7

SHA512
3beebb95472d211b4784143322774238c0860fb4121b74f2ac07134d52720d7bef3048e02350717227ec8a1c22986e852fad43e151c613d1f6f1813abb07b796

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
7426f489ca615caf71425673bedd308e

SHA1
bd1364ef65d8342edd582e6a8879d96e25c69d27

SHA256
02a79ccc972b2dc463722be8bd1ff5362c9ef21b667df70b1429823f6f299144

SHA512
855a289ac6609f4f7d848dda275e1daaa0d20598a451b936d54bc97bb6ba6e82ac5f9e6130c062fbb1f75924138d6a2dcdfb0cd4810b22f83736232004830d73

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4ff719d8c6d988502beec8338a94ec7b

SHA1
0df4d25b37d16b86350f1e60e533e4bfa78a7747

SHA256
554553976ae32fa965886fa05faac8475506a7de460a614314d108e1616c1df9

SHA512
bef97790406bbff72e575e764335afdb70f0d1204b672cc675c1eee3262485285354ac332c4029bffc8c3101b797a82390f379e70cb10981be8fb24664ed30d2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
993856f6cf74cdeea8785aa099b46e0a

SHA1
f5d98f40486e1a403fd9ad7105b8ba569e13e260

SHA256
59702448df4acb187d98f5c0a2e26d95856ee9ff8a642d0911ecfa888ed36f08

SHA512
3d8fa73446e78c75a016bb28040844ede096c4ded75d08f63aacfeec5cffd609a31ba31b601ce026c41c8022f760bcbf7d4407b25336141c94f48ba83c27db60

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
381e2bccd94a479eae291310d0661672

SHA1
7710c2e70ae070689ed7394986a3821d53e19949

SHA256
0f586a10767a08e4b0267f1aac8cc16de0b3ecbd385bf6e7dc55cc176a8e8b30

SHA512
28dc09fc6c5d31390f3b34c36f5d205e9d4ac236d64ee79948f80094137732065e6f21c3ecf161faa316b4261c26f27959646b8b53c3f4b2f1b0af66b7bbc79e

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
ca7509273dfb8b5fc1c6356ac49297e5

SHA1
3c3c2738ef5eaea739bacf3dfc5eded6b8c4226f

SHA256
3c3cf34257bf4726806991df048d123d33295c6eedbd766918e787709e859b75

SHA512
622501b04bf393fd1414e22a692551943c169caa2db07d6775df7d94dfda10a21a12a75435f653dbf2a4f34f274b66c3eb89b8be4e7ac1eac00618d8b195b44f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9879917f24b8c8e49bb61e222bde06cb

SHA1
59cd55904d1ff7ddbddce063d1590c0319cb55d8

SHA256
44f362812e4ac084b9e2303efd696d748f2b097703258ae834d34d6d4bc5af0f

SHA512
5f9d0bc89f885a0264040bae305ca62543619d0d1e91624e2178c67accf5e59de93b49c1bf586f399a6de7b0dbb9f7b8669f10ea3bd31332c76bacf0d9314c7a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0234dab4bbee51499696bb6419749266

SHA1
e428562e7a8cc3699a7c3be253fc324a237367b0

SHA256
176597ccb895595ee5db7a1b2a8ff925ac07fa1803de82e22c30ef5e17729dca

SHA512
833b96fa6b56efc82e235fa9de660acd5c5e0df23a8240c6952052047f076a1f7b186429e47884caeb7e2652e909c72ebeb762b1faa3af85d8346e9b965e29a4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8cfbcc8c9453d8d96830cbdea8990892

SHA1
02269ef37133768ed79fcb58dd6acc0ccc9efad0

SHA256
291d7f37584aa16d773547dd95b90ea22bf745bd216403fb4803bff96bcf86ee

SHA512
288739e077b55eea18254ddae8dd1ac7bd383be229d0c746462b78a74ce5fde2e89f0dab2fc7dc036847518c3e00c5666397cd5f19cbae2e6b65b24c56413d41

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5c095621c7255ae245aa6b23b02b81dd

SHA1
44d920929206bc74c010a7a7e7e05db0d45254c3

SHA256
e71ead7a2515756cf91d2255dc2949f831de4237177a8b7ff7342a2df00ce089

SHA512
4c851d7cad7e68cb540e6147bbf57bae77ad653d991d645bbe60290b59021a70e810849c310b2eeb7c8758c9b008ba60992507c048c7e089c21f7f8f01911102

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a9b6525c04757ac86e1d1528e53733a2

SHA1
39724ed37b319172aa07f39d7a5e1eec5ded7954

SHA256
cc137f94bc63a306900027dfdfdf87d80f5e7b5331c13841b36769b437091f1d

SHA512
eefccb2df4d8831144c14aa2c67bdd196a3b39d4809d9039cd2f323a78b4e24f5f6ebd16c27e4ae44d480c9f2a785aa158db0e52f9a5b9a7e891072937ff6c1d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
28d12e773e2021ff990004a6dc0152f4

SHA1
6dc9d892444dac1fa8e21dbf69bdf42194854cc5

SHA256
f1784a9f3748edc08daabab06f312a1dc6801ee2e10e7d47b312f049ef1d2d9d

SHA512
81bda156ce42003eadf3c1f475dd6307deeecccbd760cd62a07b3680597ee22555e271fdf6ede2a7e00bcc766e0dc32b5912d4081e88e41bd72b09350c5df429

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
83394efca0c40f749230fa3b5fc2bebc

SHA1
2b0990fa25f7b92a30c320a72e74106786403435

SHA256
a6ffdfb1153a89a248a2888f2ddd9be24c5ebff059c89d7b324fb57b121ea881

SHA512
e8b95e09a51f47d6ff89027363abdcccbecf3d86af2a1b441b4c927ba9d962d01aefe9fa996526827b051390e261e5e7506d9a5e36b870c521240751d8b4cd52

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
234877b8f5809f9df96a476dc55ab3a1

SHA1
5dec06f232a90ddeb16d8164100234cf5f2058dd

SHA256
9622768d10231ee5643ec8a785b2e83f4c678207a022199400018cf08db89064

SHA512
2ba4ebf6323d93a2fad0ef547b8a47d4799ea363be69bee07ddabe2d2f6022d503d1f6a8fb5119dbaae0aace1b1b6e5c258210f56f6c61ce3d84a352f6006675

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
65954b129435ffea7f0d8d034e5012ca

SHA1
298c26352982aea0c267d7ec57b4e1f8d4249c53

SHA256
9ee1f71f69e35171de6a4c2246ea9e439de7e6c0881f0448deff04ec840b347d

SHA512
0a7d5aaaef6443195852e2206c10cffc503d1a7183848ba88f68cebb773d1d32d17d4085c1ad39377383a344d545d781b477091a2acc5c70a67e5ea0c4fc1df4

Download Submit
memory/620-293-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/620-301-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/680-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/680-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/680-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/680-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1068-88-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1068-73-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1068-76-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1068-82-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1068-81-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1068-85-0x0000000001A60000-0x0000000001AC0000-memory.dmp

Filesize
384KB

Download
memory/1444-267-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1444-275-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1588-174-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1588-179-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1588-240-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1656-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1656-92-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1656-100-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1656-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2040-497-0x0000028B17410000-0x0000028B17420000-memory.dmp

Filesize
64KB

Download
memory/2040-494-0x0000028B17410000-0x0000028B17420000-memory.dmp

Filesize
64KB

Download
memory/2952-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2952-60-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/2952-6-0x0000000002440000-0x00000000024A7000-memory.dmp

Filesize
412KB

Download
memory/2952-1-0x0000000002440000-0x00000000024A7000-memory.dmp

Filesize
412KB

Download
memory/2968-253-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2968-192-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2968-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3136-172-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3136-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3136-116-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/3148-141-0x0000000000720000-0x0000000000787000-memory.dmp

Filesize
412KB

Download
memory/3148-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3148-135-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3428-206-0x0000000000ED0000-0x0000000000F30000-memory.dmp

Filesize
384KB

Download
memory/3428-266-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3428-199-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3464-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3464-90-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-31-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3464-25-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3532-255-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3532-495-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3532-263-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/3572-35-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3572-50-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3572-54-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3572-42-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3572-36-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/3704-119-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3704-46-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3704-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3704-47-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/3796-11-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3796-74-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3796-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3796-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4204-220-0x0000000000790000-0x00000000007F0000-memory.dmp

Filesize
384KB

Download
memory/4204-212-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4204-281-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4368-121-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4368-183-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4368-129-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4380-282-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4380-288-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4628-239-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4628-226-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4628-233-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/4628-237-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4768-210-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4768-144-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4768-153-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4948-241-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-459-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-250-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/4992-223-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4992-158-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4992-165-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download