8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
Size

1.8MB
MD5

b20241e25bcb4a283625bfe4a94f86d0
SHA1

6f0540a799fd334db7c42aa463edcfdc8f78d800
SHA256

8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22
SHA512

d388085833b8c094a88c4bf7ec4888d7ef653e5af0bfaaf49dfe024f0298ac1397770741ec2ca2a21825dd20ba456a45599d1f0fc522f92213586d7c6db8b329
SSDEEP

49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnSUrfPOkhqvq:MKlBAFPydSS6W6X9ln3Okf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1968	alg.exe
1964	DiagnosticsHub.StandardCollector.Service.exe
3676	fxssvc.exe
2932	elevation_service.exe
4024	elevation_service.exe
5108	maintenanceservice.exe
1784	msdtc.exe
2196	OSE.EXE
3668	PerceptionSimulationService.exe
1204	perfhost.exe
3720	locator.exe
3184	SensorDataService.exe
2160	snmptrap.exe
5020	spectrum.exe
3648	ssh-agent.exe
3168	TieringEngineService.exe
2280	AgentService.exe
880	vds.exe
2812	vssvc.exe
4072	wbengine.exe
4596	WmiApSrv.exe
3244	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\System32\msdtc.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\wbengine.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\msiexec.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\vssvc.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5c1b19a0102ae222.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\AgentService.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\locator.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_tr.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_am.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_ms.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_id.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_uk.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_gu.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_hi.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_hu.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\goopdateres_ja.dll	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3095.tmp\GoogleUpdateSetup.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a15359f20a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000552b71f20a95da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003860e8f20a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022e9a8f90a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c5378f20a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000078b331f90a95da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f3ae1f20a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c5310f90a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b9fadaf90a95da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1964	DiagnosticsHub.StandardCollector.Service.exe
1964	DiagnosticsHub.StandardCollector.Service.exe
1964	DiagnosticsHub.StandardCollector.Service.exe
1964	DiagnosticsHub.StandardCollector.Service.exe
1964	DiagnosticsHub.StandardCollector.Service.exe
1964	DiagnosticsHub.StandardCollector.Service.exe
1964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3924	8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
Token: SeAuditPrivilege	3676	fxssvc.exe
Token: SeRestorePrivilege	3168	TieringEngineService.exe
Token: SeManageVolumePrivilege	3168	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2280	AgentService.exe
Token: SeBackupPrivilege	2812	vssvc.exe
Token: SeRestorePrivilege	2812	vssvc.exe
Token: SeAuditPrivilege	2812	vssvc.exe
Token: SeBackupPrivilege	4072	wbengine.exe
Token: SeRestorePrivilege	4072	wbengine.exe
Token: SeSecurityPrivilege	4072	wbengine.exe
Token: 33	3244	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3244	SearchIndexer.exe
Token: SeDebugPrivilege	1968	alg.exe
Token: SeDebugPrivilege	1968	alg.exe
Token: SeDebugPrivilege	1968	alg.exe
Token: SeDebugPrivilege	1964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 6124	3244	SearchIndexer.exe	119
PID 3244 wrote to memory of 6124	3244	SearchIndexer.exe	119
PID 3244 wrote to memory of 3608	3244	SearchIndexer.exe	120
PID 3244 wrote to memory of 3608	3244	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe
"C:\Users\Admin\AppData\Local\Temp\8aea2033e681b19865ee21450d889072d4d3f3a2b356a858201d0674a94bad22.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3924

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3368

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4024

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1784

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2196

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1204

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3184

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2160

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5020

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4092

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3168

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6124
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bba1932e9b2b9555f168fb53d07536fd

SHA1
f0d040fd4b019aaaba836ef9930da45f2b48f76f

SHA256
fe6c8c31865059c839b58c32abf3bd3d41eeb222b0f379c4bfbb5e190ad5f330

SHA512
52975b3fcc4d1855d99fd267e125272c2b4855465e539501d427681bf1a82dc3242f3c28561a6ed50dd169cdc93906bb283183c4c4096007254b8064d8917e88

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
1b5c2e9b2dcf02bba8d80210318defb5

SHA1
cf757f7db5cd03b93b02c97f27b4295c24795581

SHA256
6a06c7990fc784b1d5557c1b860123f7b0b4e1685b1faa163d27af7acbbb0c9f

SHA512
7c7f1cb980e81dec309c6f651a750399cea585365cbc918d1ef5e9262f80f75ae63eaa87fac619656572a0699ff2da6d5d4c454ac39bc7f0a1f5d6eb7cf2de0a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
57ae7eb26d2976d457b3d820922ecfc8

SHA1
4f664f1f9750c53af9ed8d6e1ccc220082fc22d7

SHA256
c0e068c2f76b3a3b4d300b1515d9fbac970a5a08c472258f348fbddeed0607ca

SHA512
6c05d865bc22c37fd2186609c579a39d7f37b8f3090e2fe0068eb6db3a25ba863694a687e361636a4b786cc5263394bba97d0e926127d0d13883831e83e46375

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
97db41eac81589c89a3a7df8041d5173

SHA1
71919ab3f2f7c0642a1245905af56a3941254ef7

SHA256
5efd5522474223be22a18110c7bd655f457d7f57652d5de8c9f3dcf6e5c4afc4

SHA512
54f2f12cc071898954035bd8baa1d7b85097d990a90a7408ae8f2a9a4b1a336b3f417458826453de2b8742662824bfc5c6e1d0e4bd1f44bcb73a46a79c6dfbfa

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
719a7cb720d4e899220b60e53f960a58

SHA1
605cbf855202c30c724273af38bd481687e8acb4

SHA256
c42ace454bcbaae96c8d1746f0acd5b6bd7e910ed86d81b8608f150a064374d5

SHA512
173ba1843a18c24367a043a8defe28011a7084ff83996654808db087ea057fa43b7c86c09bb32ca8f16c3f19104f08bd5c6c5de7a222347b3d97fd9eccc0022c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
723376077dcf1fa5e9bdbb6f47edd269

SHA1
58aa28ba712a540a4b5d172808db372157185fb7

SHA256
b3b79acdcadd14b8fb1a0280ad18556b91f36263fc21e38a9f816f569b29f62b

SHA512
923ef73c58c460ec7184d87cc29e243f5b4758dac87c3b80dd3759e527af6b30b964394d4df1d3546b887a6ed70953e9519624c105339c628e4a7e60055cf227

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6b4ea2700fe0b38d08e91629899cb19a

SHA1
984cb73f78d6cb39482183c28b51dd5a83ff630f

SHA256
1ac4c90851f848904a53a1cd20322d2316f004cf4c2fe3b845af1c371f72d5fa

SHA512
3eb7a94c25efd5c2d703c749cf734f0e1c2721f2571ce91cec455cc0563c777e42e532234020e88e88896bb31ee207b5ebd9bc259a24bc1bf34ee221d3551d06

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
95538e17f442b7fd20923945948a7bbc

SHA1
1f0212e5a87cbf0976b9f11b7aeb1c95e0e1030b

SHA256
77d5bdd9faf8fbaa13c835dd06e4c8f856887aaca5c9c87f0793355b8aa9caab

SHA512
d166a2745d9b6212bd093426198d44f6046da67848512f17e4b28541594a051932782c024ef3287fc0ff10546fb03876047aa7b1f6359f6cd6759862e129ca07

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9dae3b677a8309fef90474a4ff9dc78f

SHA1
13d2827fa7a33a2503387f392e99dfe35952c309

SHA256
1cd4e170ebc59f672285fdc11adb4d9b1ed20b988b72b976b42ebc50bfced367

SHA512
c86d8470d1ae3e237155c1ff59ee387563b841d205cf17b3b2398531170f4d0d713bc51d879fe63ae3fc50ade1e82bb8a5aff7b4f75b1788a45380a055d27126

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9b043ccb8e1cea2e3a4f53f4ae432cb3

SHA1
8609f083525b776d993af6d5a6b39a9d35a0c102

SHA256
902e31019e87e08e700455ecfe734c8f2b78b44b8ae7df4e4669bd4ba99d3e6b

SHA512
28e64923901c94e93336bdded2d2a074c0d724b69e7837e780b97aa307ac33a920b2790ca2f7a9759a29700d3ea23d61ee51eb9d0338ccbff7ce875ca3d1d0de

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5f6f81c83aa5f059af5b03717d848e7d

SHA1
fe48b14aae6dcab002ca22f67e85675ff5fdcee7

SHA256
0fdaec3ecfd20d0dbc9bc96b2861e85f21cbb5bcae82df0fff8c3bce7c905a67

SHA512
8133177454f4e0518770e9e9b27772e75ad791d6858da74c8e4531cb604e894a50e9df3b1ae680f2449a4306fd83abed3724896b3461ced3b51ecf85c4d817b2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aee663856ab463c7c001cbeec0365764

SHA1
c160f6b3b0d1be2a938157489b4445e4d33175cd

SHA256
a5707bab8d025f06fdc7a2702b076a6b87938ba2c4104bbd57a37f27f9912874

SHA512
ec075408ad1419d538440bf34ac98c7bf1c7111ee1985c91fc23a764cfe0b9087468830431a9b7b91a1dcfcc29c2a9ea128bf189a2eee9178a16e20114f0a241

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
887d247baf78c0950a532d63d108bf06

SHA1
5b9ca856ac46da11863117117dc3e6e254b6e5e0

SHA256
a800b9236f61b39bd97335fbe64513141779516c307ca17270030376a4300825

SHA512
fa981187004bb2ddcf95234399188dc8254464ea50d247b1bd3f2ff2e008ff27efd58e9b817f0c3686086cf856e4a637f7152f4a1b003a1e230b0ac9446b85ed

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a90f424afb5eaf496f8b09f3ea78c39d

SHA1
fa5609428921aab2bcfc34c3bc3ec30f9015de44

SHA256
bb58a0137f4db88829ece8e4cc34641d050443c3818523a2df69a86cc2b303eb

SHA512
d9ce5c3fb9d03e3bb8181f79999051db2bd7498fe058f717365a02e6c531702d0a439eac216d5b6c8a54b9f33486ad2bb1c75e1db20e266099c3e7f9842e1888

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
30821a85e90c171b759b5a6fba707b09

SHA1
640185eee6c0cccf1b7ae803a102d18c590676fd

SHA256
c95487a01e53aa6a8787e986f8d8ca6671a30a77e0ef7fc036a7f5a503e1ad24

SHA512
843aa19b4e681dbc0200fa22023dde86eb57f180dec1e34039db9798dc7c24cad5a494bbfa6783d59de4510972ad93fd387ae1e7b3e233f8b4e91a4329fbe674

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
06c5a470274a60f1bbc47f5edfa494e5

SHA1
867715232e120567c5363c5eb544fa621fe8c6b3

SHA256
dfe2897cb644073b11ca505c2a5c387fcd1549b8e02df5bce48bc58c5a6b7a08

SHA512
51a5ba564409c07f067ba99bc8db7131a0fe9adcf8327dc28c558c0499151d45fb714fe8bc8fceab13b10bfc08ca9ab94b06fdfef903cc34671f21bfe71d3907

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
2e78857cceafc0fda502640a1315e0d6

SHA1
5e4810154ae8eaa82efcac29fe72b0406ed46d8c

SHA256
e52f53e049ae31079b647dbce22c3a8608711d192f3281e58efdf36952be298a

SHA512
c674c10e5bd5de16089189fdf24f77f85cc734dad24c0727af40dc6d152b2da09199d1be201ea26780004a66aef1736f2098efa276f85e40d2a20ce42f91378e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
81bfe5b62a52e168904d1f85a65515f7

SHA1
9770756bc43047a5d7349fdd2689b5f4d2bd0eee

SHA256
c718e0e907cfd5435b24a535db951ff7ab6f771aa02d27c4973fbbdce954e80c

SHA512
ede73391811dfaa742612669d6e892c5449b8342a2e33523f1a0e56e8eb698e029d1d398e09e2e47d12f41e4cc5e1086328a4a15953c12cef2d485942635ba01

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5e480647f29911c800e2c866dfc75d4a

SHA1
f26859919f687d63d6d81a5efbb035239df9a6f6

SHA256
60bc8bcc690f068b49ebfa6f1967271aa30621ce27ab5b37263aea73595d3497

SHA512
eb6733879afded44da97f0a9bbf9d73c49621a4e5dd672568d41d637bd750e86b7f04528cd832c8272096301a823a0b4b769619b3b82687bcee3ed22f4e1f42a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bdae498ecfc3552170fd37231748e666

SHA1
2fc2580dfdd33e69fb717e14e5eb95f9210c350f

SHA256
87879e1d841458e957571519670390bfa7117854fbd05fc48eb9e66def841167

SHA512
6ab8523b71fdc24bbfa3cc91fc09ef1aa85d40b9c354014ff2a885c464a827111ee7c09a719164d2d4420169440bfb6d663af59972f3ad3e9090fc42150f2a8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ad149f8b8392475255791c567cd0efde

SHA1
5724df7ac95da280157876c32dfd3f1e76275536

SHA256
1e870954106a65c76729acb80b09636d23c0e522e63a2cd792c53d987aa3f8e9

SHA512
a2ff690fa4c1f97cca5609e2985bb449664a60cdb97f45d6e68e48fa8f4035b20e452847e44e630884100bad5bcf6f24d62b112d66256b915e885ed351cf04de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e73f4d00c8c14ef7e29df99b61ca8d4e

SHA1
33848d9c5bd043d15a890287e70bc189fc9974fc

SHA256
48008f5205910076d702a9b1336dee6a634f96cdcf873d64e40715b971426d38

SHA512
c314a44c27af478cb7972b42af0b4fe574e888d12c5929221d672039697fcdace431dacde4847918a4784f36e7af6aee0fa5ed2c838b04d5830567c3a2c1c7cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
bf284bfb2904293d51cbc92ea3e23577

SHA1
75e9e5284682880742048331d173429d2b1befec

SHA256
117057551a673cd2d359ac04cb8588a4f5f03f1d5f9b443fe1185164840cc4cb

SHA512
131bd9bc2f1f4a676e1e98c2c001ccce72f5126e1e3842b8168e5a0014910eb69d1ab442e473b3283b490d26d030016b6f31d1e4baa086c02702d6b163e4adb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
5267c48056734904818ea949d29c588e

SHA1
a1af3f978b94e40fe794566f2a58c04811442aa0

SHA256
ee1894267dfca931f57375ee3ea96944a5dbf4fd58d30f063a99df42c36b4c6d

SHA512
5e48d14128d944392d25e0f9d651398933576f2d43323acfe36d4c92edd27b3f624b3f44d38c5293975416eec90008f107d479f1682c2381bd69d4178f1cee19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
1f8bba020642df217743da3b9f09c03a

SHA1
9161cb6cab3b8e576c66f88bde31680ce575a0b3

SHA256
85591edf71a5e195fcb6c8ee848de20239923bcce7b0b8a0bc8ab9123ef10626

SHA512
b51aa1e49fd488002427afd48e802e4dc5d9098308d67cbab687a35bae96c741850bf1315d77e232260b01f60789787bab7cbea917b8bda2b8aa68f0e16c6b95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
bced510c6fdda4519fb7cbf8b3aee64f

SHA1
7697174113f3f55df2c1c0249018b5bcc24d1e9d

SHA256
216adee54d463066311935c14e9f842af1d0850b217d3ba600b2916448a090a3

SHA512
7db28188f8e489f7f27d6119314e467dbf7cc932865a79da4eeb02916a8c709f773d8f01f66d39366bf64af4c365431a17f55aff4d832948e142adc12e8e74dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
532b48ba3344ffc55844c44f52f27c1f

SHA1
f0baf716ac26eccf94713ee44b16cd4b172db85d

SHA256
ca4500d9525d3260774f53b4bdd3bc4d6c5d972fc8bad12fd1a0053443fdaf38

SHA512
b20f259f14e8e63396f2d4373589819f3a6d7e8d37dd4886aaa5bdda0599fb58b8bd613f48dee3ba46c06ebe84f7161327f8e285d173fe74e2ddce5f070dd617

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
016c0db406d4b43d10284f695fa8c882

SHA1
d53e1d48d5b69b2a50a966cb852f0bbbe3081d13

SHA256
28f4d12c5466ed61eab54ad5ce1b95322169224e0b96b0d684848972f0fdabec

SHA512
9a76e9d3658a2925913e7c56159cd36f7801bba80d74844f6c3527b1872a8849cd7f977543d5c14d58a8b0df5e89c86f171fb4dbec92457ed3cfb368f77a2f8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
77d21887503fdf5ccf5df69bdee8df1f

SHA1
ade0d79c40ca7806b564b6f73750626a8f4b05a2

SHA256
eea37ca6ef93439defd9ad79a32c3c3d2a6c43c5af668c85db1f59d862a427d8

SHA512
337cd7019137b48f1f15e8aecd7b80822ce57a70881b31ed855ea4200ec4aaf2713f83a30865d2ab0f6d54c0b919d1140362cba4ab91ab877c69662bba5640a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f5f3082d01bd01feccfeb1fa322bf177

SHA1
dbc2dbc89b29cd0af11fa8d8c862a720d2e5f4f1

SHA256
6c82cc612cfda27969be777ec7b78038ffe045d9f85c153dd139bf2c5a8a2d37

SHA512
79fe9cf45d69fe73431fa5d9aebb077c3599e52d86e6efaa20cb6617b83cfea2a511a19dd593c6139046b6ab8944c3442ec12e2992f58cdf1142e72e4e025080

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
4e710883fd82e3d78aa1be71ce02a1ac

SHA1
a3a67d8ea4b904d12b7ccfd667c3dd2212135fa0

SHA256
c264eb92d223c5b017e2bd5f3c42bb46e716967f5405551f3b0a42bc23f1f5a7

SHA512
374e9e2529e0599d3798d11f0764959d8aa12a75c37dcea016b8369365f2b239a53aba7f27eed465cc96f979ee302edb32eed3934d981ecd2a7a408b6bb62a4a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dde0d0c5a4d0b72cb28a8917b164b5b6

SHA1
2cffe92530668b34609f89e30ac247192b38816d

SHA256
89da0e13fcaca5ed17fef990cc69014724e635884c6863cd857480da29d83c79

SHA512
e721dff7a889b9321b1b0849dfa7e2ab0d971a1f01dd904b012aacfa43bede2fbaef82fcbb9d7c387a8502437d8563720c65abea8695e69fb460d004513b05f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
9a46f8f9c1b2646ad24c66a355effd3c

SHA1
347922c6f3d9ecbdfbc76e4aaff7b0d4dcc29ed9

SHA256
3d2ed3d02661afb3696ebb325155f8d9ba437bd7c17bbbc56ac114bb0ff1e96a

SHA512
efca0f550225caf0f3325dd6cd3dad641453ba5f6eda64e5a93588e9ae68a17b5a514a80d14e7e94eb2e81c2f609e486a291350cd61c0c850adc0cd337e7474d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
2b931ca1010559543fc018f46a346bb5

SHA1
fe72a4f694e1cf70bf08e8535534062c1805ac39

SHA256
853d3b25ced0528553d4bd68c4fd1f2e60cbcc0bc205a9aa371481148d260ed5

SHA512
904b4581cdf0a2225fbfdd1439933c066dd8eac04138f4b33f785974ed3486cc2a36116592f53e51ef56834a2295d941fb0199c0f0d16d46112ae91838c54456

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
90b8d6de192e3473eb6143b237322d3c

SHA1
20534c826413a717559ec46e8049b058d140cd09

SHA256
08705e362cf1dc3336c08914eea38acb646f87bf131cd157dff4ba8435cc6b28

SHA512
76eaf0f672ff8c12d5af0ecedf1544c4e2ec3f0c3abe64bc13391249d8a9f823287b1272e1fa8b7cfe4bdefce698013dfd69bf6247ccbe0730ac5579128c298c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a6c905fb962db2a9321d21ca5b152621

SHA1
8e29d642a31f2d9f77f22efe8a057cc964b2d69e

SHA256
fe77dd02f9658e5cc47c1a9f4d55a202bc7018672b5c158e1977433457b15ac2

SHA512
8d0538257e59915623f0afac61e5a4b5922ef1d982ca0981b2a059cdbe48a2a5ff9ad0b6924dc66d6665f88bd2a07a0ad95c63e49c8909ef004d334b919fe23f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
983ad2b06bff763cc79ad05d59fa47be

SHA1
d5b09e131048663adcc941dd30247c7cd9804cdb

SHA256
97dc9bfbc2ce0a27914065a9e1d5597b39203fbef9bff19e8f2e6ecf68922e3c

SHA512
e34c811cf672ea8459f72eb67cfe2e473ce1de2c798a4f110bf66141f08dfe9f2029085d2b69441cf8460e7ef690dfba3294ca3b9b7185188cf7d56a48a1d30c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
ae4f0be499af994c5d660255a076d51e

SHA1
97c65d82d49c62c65d036a07b086faea41b6a804

SHA256
44b2224e6f3b9a74a1b7d8ca190d8687ae6ca5fa7b570ae8c621adc1c85bbdf9

SHA512
cd9884a18af448161adc35c227ee27aed8d7b4043cd6e955d05e2d20c795408417c9d4fc5ec920e3cdae8994503cbe714f07a64d73714f176ed7e7fd980ecb37

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6db1c8fa38fff7cdb2fe0aefc405e24f

SHA1
4d5ea4f28904269e7201131da86f73897f526027

SHA256
bb136472d9eb5158ae2ee1430c4c6b6e2f2ff4ee80beb37f7a583a782dec6727

SHA512
b14a56a35b9a159adbce8116fc19c00c63b4e576730c6b58138ac84d66285c5c24aa516649ebcb6c603784e6e4a8b022bebb4c5bb621f37803486b702ccb8a9d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f97d202bad9c6472d4972cee575ca507

SHA1
822745c1c85e08483d5208a94ef72e8edd48dc66

SHA256
fbae054fbaa9d8eff65ee4dff643e55276241afaf866261f7c3dfe47bbfdc7b3

SHA512
e5912aa738d3c1ef8b1e789812ffcb00d7410926f08474dfb61dd96e1cf552f9f9407ec1064b4657124d996d6c6945632feef81d8192be3422af1a077cfe7aa8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
c1179f40a9233a271f2eae44dbb1bf9b

SHA1
4db74f05c73eeeef263cce7f405268498ab4c4b3

SHA256
59cea07efb2a10649890d97ff7711d779e5ec8d10af942e85a14442e8bf99cad

SHA512
51e14c2aa5e18693c39a344f210f96f06b45ea8be83b4e7328d181912d95d5df95a5064ac40dbd99a561f2467542423bc5ea169de6a4a213fe8c70f7fc301821

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
90ecbfdf2e8ff1bb161ca6b986e54fcc

SHA1
a1ee3b4258f539b24a73577a1a99c9f13e168fe4

SHA256
5635ac0f3c8f0cfad29b84a81f9b2d4e3e493a05aa43b6b8a1f3e8c6641c5c47

SHA512
7f1559d27efdce130698cc71d7655ecd1baf852a6f6845511f72934f1dbc531e5b482d34896a46288cb5ea4c206f2132e8fcf6f06933ca9d57dde23329fd8554

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
859c8a21a899a7448601592794725c03

SHA1
f21e17fbcf992125db9fc33e8c4c65f612ae6bce

SHA256
433e6ef83b1dfd92ee4bfb4f9f4ce31571bb03f8bc3537463a81cf5b22d03639

SHA512
600799cb4bd6538aca36d88747d32924864878402d76eb46bee9f7051ef268dd509f1dc3ea79eb898e6e0470c57ac1e8fcc17eae041f1c4cf54d176936534d15

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
09676aeca6083619758d42bc958703f0

SHA1
f1f31b5ae4f888e5450fa24c40e57e174a5835d3

SHA256
0e4afae88a4868fcbb6b01c555205a58b307c4cc1a575b687da2537efaaebf0f

SHA512
749d6eeba5d443cbc5284b64a80972fcbc8509fcfb90b111b615bcff3b3f4d71c6ae79e6f5126b00cc351b1865b08883da12de7bd0d45a315737e8bf88d1c2db

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1e1b9d81268ff9860efbab737d5ec9a9

SHA1
08bbd8fb5aa2a7397cc59b33e440a480ff693277

SHA256
bfe62a6529942dfdc69cb58cd930a2bc4044aa8607b7179406fa50ca6ff5cbbe

SHA512
f0e54412073fa802716c7c00edfab0413c78d605a5efb00e8a76ce6b876b24b0ca38a54afc6380b15ce28f3ece0f9d5f2dea72ef493b3bd34a5b5151aa3e56d9

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
37847c3e6c1180a483033415b800ed26

SHA1
547b59203ec0efc091680acd51062062f472f4a2

SHA256
7e94378060b4c7a7d4238933b61f2d370b5130bc850815756667be102d8eb840

SHA512
2e332c4c63e96b4524334c375eaac83ffe5cdb3a59e795c6cc9c7c80df34878128f483afe06dd06e67b3678bd9d169acbb587ceeb237294faad7a7d9d457bdbe

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9efec8fafb6f7ba0f76fc88fa76c2f82

SHA1
0ebbd9f0c7c8be95fbc860b5c1809419a2676ac4

SHA256
0f4005b94f97ec85007613b4972c8928f5a8a3012552483c267e72aca51ad7d6

SHA512
fd540b5367f04b47cc3ce50e7e8410662ad6d21d0edca23114da051d7bf61956bddcbf271d9c92a04f2c647e84c16b9449b4e32203f915ddd211b2012fedde23

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
3d40ea9e8c2bdc849088f234c689be10

SHA1
97af4017c3748999ebee1f0462822deca550564f

SHA256
046b142f4ff44af242cc0e64abbae4b983c10e75343c1e638ccded63fe854b80

SHA512
398ab2522873352fe7d83c138e0cbe633d9b8fac8c4cda68953a46775162f5ec77dfc0f9d4f65641583600f9df3edb64682b066accc422e7f7b963c2175865f6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e3f850d7ee2e01c062ce2f79a00439e0

SHA1
6d062f59c34a3035fe379574a0305c8c2470fda9

SHA256
2551f9795659c34541211fb3ab9eaf52a23f2238693a649d4a42f666d74bd99a

SHA512
e61814a260b3ea9803dab9fe35733aaf4484f7995dc6fbeb952a800d0c11e39b4eeda7091224d2011d078bd72534be831566a6dec2879f9bb11c9e51cc1b76d3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8578a12a975acde622c2ea4f7a7adc43

SHA1
bbd35f927ed4c34faf4f05d603a7d11f1036b5e3

SHA256
5eeb00a11c1762a9a1a253c5d7d53723353a267aff138f94cfe132829a0d2e74

SHA512
4ff87ab3c7c65da22b8932d33d52e777edca320347ee1cdd06b712769b843343cd2676c80fed168c759b7d88c7384906944193a2ef0c280bcbca4d96204701e2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
6202114a1bf4fcec2d6c4409fa468d4b

SHA1
443e459e12b62d57143a75317d615cacbd7e967d

SHA256
ef0aa8ee59170c26c88a38834b2a024ae23193104313a9c4194cc9b06fdfee22

SHA512
ab34ae0d61161e236d0c3344858005ee56a02676323d267983d57f856e99392f55931bebef61b19a61541771bf0186fb8aa07c3cd0df74789d5024213ad5505f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
63675234354e6b10882dc77689bbd9dd

SHA1
f9ef296e86578d9db3fe902de7235c49a5063b03

SHA256
7b603109dd4eac51a3e878a71c0d9c91118b80b737b980337c4cd8721186424a

SHA512
ff6d012f11ebffc314600b6602bf55c848c129bed51aed7ef42eb9379a7ed55216b03b151287d4ed540a07d35c2e78c7fbbc35f6e9a1ea97f60f971baccc8a69

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c3816cc64023e2880e553b8771384e80

SHA1
3d0d2982baf9d54bcc5e79f037a4ac48945bd3fc

SHA256
2398e6874de992cc6262c223118c222cb5084dfbee62e61862488d605231f7c7

SHA512
e59d29198e0ee6ab313090f854e1792ddb3a5a6a8416a30f14fe4d4940420870f046902e2f89e6f97747716e479b0ef4bef5af45a66b795efd6f9f152e421fe5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6dcdc92debd7d260871b024570f927ac

SHA1
4676fc369ab2d844b0c175f1ecb24870cdd426f3

SHA256
c44eba34835432f87518f9dd7caaf6dd3762d94ec925708143fcae1db39b2c3b

SHA512
d5ebe02be4dd82db65400e1a43fcd3f9f5da93fc51e3db95eae1df59a26702d3fdb899c9a3975b27a0f77934a4820d0efa86d1428960615512cdd566ac7daf2d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
29254a5fee395dec38ee83dfa6b35106

SHA1
54c4ce9fb44c2b2a814c25acba0aa2a6eda9d4c4

SHA256
8f87442680c78fa1f876ac18c257b24b129b356c588fc0725064b0ce5a37b80d

SHA512
8cc09506d498dcab04dcfeb12e634dfe86523e363345c426b91d114e33dd51fdeebaf6041a456d9e093cedc8edb771c69ecf08ff13db18a576ab32967db76a7b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
df2c8b463fbd0eea47e58c056ff5205a

SHA1
eea848ec2f167d883e2c342c4393a4e8c5cbf908

SHA256
7902e69a9d4776b3cbdae91db0a37e1b1ef2415db86115ddd295561f1d518556

SHA512
70c6ac095decf2c57e7cb744b82aad5183e0d3350c7b657457178d8a54a2873528403a93b04a795877aae83e23925d22291d25c3551b2962086162acf4807f57

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b298c8d5531fa3b8211ac3f578845c1f

SHA1
ced89e587c68e18844b7b4eadd40cd074726bbfc

SHA256
92fefd58574c3f1e13d0a45c6958ad0984787780e424a8c5d01dcb9afc527881

SHA512
b2e6d489d248207ccdeb5ead1a93d8bb985a28deb623b01fb49a759bef9e3d397ca0d67cc615cacafb12054426c597d0a97e33060221fbc69308d5913c227af9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f67c98cf17f239c4dc0c3ee200a4aea0

SHA1
c4702e7d7e49cf0b78632fa1fa99e5e528dd232d

SHA256
354572e74882c6a32008c22e6fbde60a714bc3567d305ccde614e65220f0362d

SHA512
aa1f1605f3111af19f6fa4a9337dac0a01db5cef50fa696c605ef1e1a2c0f3d1c3e9d7248906631e783127cba529663052d4eaf1492b354797b1bb278abdc8d5

Download Submit
memory/880-321-0x0000000000AF0000-0x0000000000B50000-memory.dmp

Filesize
384KB

Download
memory/880-313-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1204-268-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1204-211-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/1204-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1784-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1784-161-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1784-162-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1784-170-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1964-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1964-95-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1964-101-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/1964-160-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1968-87-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1968-88-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1968-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1968-12-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/1968-143-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2160-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2160-311-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2160-251-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2196-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2196-241-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2196-185-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2196-249-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/2280-304-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2280-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2280-309-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2280-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2812-334-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/2812-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2932-126-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2932-118-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/2932-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2932-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3168-290-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/3168-350-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3168-284-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3184-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3184-235-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3244-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3244-373-0x0000000000850000-0x00000000008B0000-memory.dmp

Filesize
384KB

Download
memory/3648-337-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3648-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3648-278-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3668-190-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3668-254-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3668-199-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/3676-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3676-106-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3676-112-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3676-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3676-116-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3720-281-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3720-222-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3720-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3924-131-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3924-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3924-1-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/3924-7-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/3924-6-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/3924-478-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/4024-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4024-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4024-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4024-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4072-348-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4596-359-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4596-353-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5020-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5020-264-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/5020-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5108-158-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5108-144-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5108-155-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5108-152-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/5108-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download