9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 00:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
Size

1.9MB
MD5

c6ce48b9625c51c1bb8411122cbcdb0c
SHA1

497b23b8a0a15241d65079a6629852d8f7331f6f
SHA256

9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca
SHA512

9ccab0657e2036f3fbae2df2250cf35d92d14543e709e349e2416b76ef8bf504d3f1c7209454cb5be33b8645415fe5a934cab3be85feaf4bc91f3072cfe1d259
SSDEEP

49152:Pl2hEvC4fTflgDUYmvFur31yAipQCtXxc0H:PSERb0U7dG1yfpVBlH

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3952	alg.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
1500	fxssvc.exe
2088	elevation_service.exe
2996	elevation_service.exe
4320	maintenanceservice.exe
4384	msdtc.exe
4660	OSE.EXE
560	PerceptionSimulationService.exe
4784	perfhost.exe
5044	locator.exe
1472	SensorDataService.exe
4596	snmptrap.exe
4168	spectrum.exe
4292	ssh-agent.exe
1740	TieringEngineService.exe
2740	AgentService.exe
3960	vds.exe
1020	vssvc.exe
3100	wbengine.exe
2208	WmiApSrv.exe
1468	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11f7e311ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\locator.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
File opened for modification	C:\Windows\System32\vds.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f5fefbb72a2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0e817bc72a2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000045366fb572a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2396fbd72a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e5be2fbc72a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000744bfbbb72a2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3352	DiagnosticsHub.StandardCollector.Service.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
3352	DiagnosticsHub.StandardCollector.Service.exe
3352	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1168	9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
Token: SeAuditPrivilege	1500	fxssvc.exe
Token: SeRestorePrivilege	1740	TieringEngineService.exe
Token: SeManageVolumePrivilege	1740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2740	AgentService.exe
Token: SeBackupPrivilege	1020	vssvc.exe
Token: SeRestorePrivilege	1020	vssvc.exe
Token: SeAuditPrivilege	1020	vssvc.exe
Token: SeBackupPrivilege	3100	wbengine.exe
Token: SeRestorePrivilege	3100	wbengine.exe
Token: SeSecurityPrivilege	3100	wbengine.exe
Token: 33	1468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1468	SearchIndexer.exe
Token: SeDebugPrivilege	3952	alg.exe
Token: SeDebugPrivilege	3952	alg.exe
Token: SeDebugPrivilege	3952	alg.exe
Token: SeDebugPrivilege	3352	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 4036	1468	SearchIndexer.exe	113
PID 1468 wrote to memory of 4036	1468	SearchIndexer.exe	113
PID 1468 wrote to memory of 4264	1468	SearchIndexer.exe	114
PID 1468 wrote to memory of 4264	1468	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe
"C:\Users\Admin\AppData\Local\Temp\9a357f0fcda41ea5ba7ecc30f935d904ffa9f74d609d374e375bf0fa2abecbca.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2996

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4320

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4384

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4660

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:560

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5044

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1472

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4168

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1692

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3100

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2208

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4036
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a8ea972832fd552167f636448e495a21

SHA1
050ae8af1cd06eef06524eff03c41363ffe1de6f

SHA256
b6a0bb3ababc37b053eae27c339ca44bc46b798a3ad8b65ffa1c067dbc852311

SHA512
7ef637129464b69e236261e5f7b0cd10cf70a1e390dac713de3492f3fc4b18dcbaf64af86faa3e33d865d343de3467a8357412be32af5ece4bcbc5373b08e1c2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
ab73c79dc0d3b0458cbc52cba6d8e347

SHA1
8177bc689b682f79b697497a6915aad47dc789ae

SHA256
fc902303c5ce11a18a62dca0a1b20177c8366da9e09002d0227780a57c348491

SHA512
2859cebcf78344853cb771125f8dd1f81523179a3bc89a56e86f17caca59d855560f4b65ed43c79c610b22668c71c9b712c5a8cdb77ebc84c46eba2e427c5fc9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
ab4704ad860c3067e0f0c8d99db11fc3

SHA1
15b6bbcbb61c9310b926b9582a2cacff652be127

SHA256
752d53af931fda1ff0b97c9866e8bae608917f5381007e5235f0ebf053563191

SHA512
2666e4b20f3d9129d3f2670e0422526f15a62e122c474a559231800f69d7e39649d215ea1b52bd4b8b25432731e351489f4b564e12944ec1cfabe161bffc8ffc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b37257ecbfba52027e3da05409e5d011

SHA1
80b2d75de8270cc531abb04dc168ad6bf9f13cdb

SHA256
024d35135560087754bcc4f11709cb7aa502d068fc92ae1c501c8fdf9b8b9584

SHA512
6ea22a522c09ee38cc2c0b1f0996cb4130fc71df111e6128b9033244ead9363520f6cf562383c45bc3cf67c351c1c5a9202e90fdd009fbb0b37ab840823f35f7

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e488b84b72bdfb449ed0668a46b9ad12

SHA1
18a8fbac1a53856ed2d8efb8dafdb5de1f45ddc0

SHA256
dc849de876e5a059de07f2cd77fda235b65c066f2b9773822564a37cc4773880

SHA512
6b50bc2ad42224b49a0f08ef2b637fc340a9e3f05f319624802b7f3531457cfdcf37a35b5e1b1aceffbbf894db1b54e646cb4f9c60c3848839bd8bb24fe89dfc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
27835291d51d8382d9c00bb14adb5090

SHA1
5eb57f88b0f0b7421b94498bfed0703111234379

SHA256
9e5ebafbb7e12131920b241afce5f8b3cafbfd27be567fd1b0fe712be4b43f58

SHA512
66b4a0396a3f8be3d6979ad12b6da85bb75a7b2effd7bc5972cad84d34df2b81b170b3beb875830fb29e79cbd66547ebd4acc50ff197991fd48fcd650d7fabdd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
e3df38ce0df614b067f7481597a7c828

SHA1
960392ea5b707f5fe082ac94dd3b10e27d4b3c8b

SHA256
57406712a610ee724d2f31f05e6d19717ebf171c4e11f4938989a68034c46d27

SHA512
582c363420cf5e83b47ba71d602354315b59bcc8dd5795f178e050c4f0e41c819b600b7a7a93f9298439037cf1ee15f8b5c10ac37befee3a5c5658438157afec

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c758bb066bdf707a41f2346bcf5bdc89

SHA1
23f6638900de46ff45b2ec3a132e927d16672552

SHA256
4d58919d992fc6d8ab704d59a7d1dcc1a89c5ffec4ea7ba7450046dbef98408d

SHA512
ba4cde67921dafc87c230cc6712c351e698ef341c11dc0c228af9e58411f3ddc8f12555a6e4b2c7decb44db965b76fe2560be15e0b6a085469334b53f7a6a303

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
04ad4fa25d1eb69c37f7a39aae337dae

SHA1
37244f0f2eb171c653e76724f74fd7f54b89d807

SHA256
4dd7b3420d21c308c0fe73bda49a03b4aa9f935fc7bdc81548f5ace2dbcec389

SHA512
11513d8c50f430e5c564d025ae4cb0575e5e788ea4c5920278f162ef393c00959987b3d6ca7f23c1d1bb18c4d13eb47f1234112e4240458528bce7b499e51dad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2855389ce6e314eccd3071f3be555e18

SHA1
88c949c38ddf4d8f72b8d49257caabd0f2bf1d88

SHA256
03057bac540ef1674134caf20f960d7d34797dc06258e98485f0399df215a86d

SHA512
ff91c7ffd5615d7711b07b8f66ac5fab8e857f881d4114d3c5fa3bf88d5ad917a14ac09066cf89565eb4c86c0b2ddb3d4d49b49231ae772c1cc3f198ed580e4d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0ec552314605bf3b10de722b8c98b4e3

SHA1
2168d23418fdd9925412b638b74704d5067ec7d4

SHA256
d05e40cf211e4ced9930d642fbab86e5fea6580b93d95f32c3e89f94371afc4d

SHA512
a109ac34b2648364fbb1a13d0b963c27ac414bfe988ed7f2011b84bfcdab405eb98c2baa19a53eb3d25a86c8b720597df4a954647eb3da534ed03d0cbcaca995

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ce77a6e9913c73f4a4eac5d0c6a2197e

SHA1
52ae24882451bd3871765ab03e668f0b6c0fa5a6

SHA256
7d13d8bb94a8a9929775bb37f2d856f80cb340ed1c7729646881eea00b762a29

SHA512
ef0d5fc458bb72431098a4340a274310a9f59cb008860b3f4b0e5ee457f67c7f2f5d6c6acfef7b28186e5f2613276a8664e519373fcaab9b6fd48037a27be60a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
3ba47726ebcdfd3c92a85b9d3a4a4da8

SHA1
0553bb7e93dc04cb844477df8eaa7276fd559a85

SHA256
c8aa1217c9f3607c9b2f4a1624eeffb589aea2622adcfc3fa195520a1d88b6d9

SHA512
8009279e906cf9ba89733304c200accf10ee07d259e6a5076aa1a25f80fc7846137c680b6aa7a262126a42c34ffb9564e435d4a330872f18c49f406fc41ee873

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
4adbe28e37f7911e6f3e4b2fe96e16fa

SHA1
f066c76a12441f2bf4c4b72bed3122c0d6005cdc

SHA256
1c44d8413ea724366466cc877cb55be2f98dc1db38b1b90d64a6be7a30c26aa0

SHA512
4641b920d7adf5616bf7f889c12056be99d779040c2e231121475e69c5fb5ab53709b6cb4e43eee0cc6ba4e690852ed7b7afd43cd4947c4e7c6ec28b0fab5115

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c76e9f15347e64a295b3f4094b5eeff2

SHA1
c6fd293425fc64858253269e549540a26491d44d

SHA256
60711e216d8d6197de4d53e336be1c0f1d727779d7a577fe30c2e29353be783a

SHA512
da24ddfa8c5dcaaef699625bec51cab32d46f0be25065115adc5637c6d097c5f86035e85a625a52bf2339dbb8898b4f5aac33ec81782bed96418a7904fed4bb2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
89d118408cdeb8878f238f135a253448

SHA1
11240e7d29563fbdd178496117093884b9668195

SHA256
15de8ecf20c75a6c0a352bac076ec144f758f9474477e1331a1e2c6fd17b79da

SHA512
a80321d74fdb83797e41720a3b642d63ba9425272b7f4a5b969ff245197760ae3da039eb68f7da5a0c386cc2bb03bd8ab8d1e3e56212472a254c06c8bef4db07

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ba66062f855c81f80210c4989e9c94e0

SHA1
51c05ba795e792bf2bd5ef9a9ddcfe2386e4550c

SHA256
84dd01d21568fdbb468a296ed23a530cfdcaebcfed4bea931fe5fd9d67da257f

SHA512
41684d6df4f838774075e735d34d5782f2eb0aa265f13607509f5b4cd30a0750c07637b1088bf7c5788a17b7acfc5aadd6381708ddef0f401f55d67eec52e909

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4686ad49debdb7161d04fe5cc5a63c50

SHA1
3a552b701cb336bba2be7a1c34880118aeabc75a

SHA256
ec7ad650c5550dd1e9a02dd1d2d8b96a9daaaf08e25e618a6961387d5bf815bd

SHA512
8086d33470a6dc64bf376a363ff4eafbf2929bdffc4b0d760a8cb22ae95c34e506a039d9268338f54e61835ffe94eba21c6460ed85c1931bf993035bae32c29a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
dac6dccba08beb7146617f71691c50ca

SHA1
e5177bc64ffe043aefc1ef5b04e8914bdd86aa2e

SHA256
33644f59b4226e0d7c24dd7975fe6676c8e1025303086192671b60dab1d0cb8c

SHA512
8b2cb494fddfb9826949bfb37ba4545a843019700905a0aa46fdddf2e1f9cb6c5b8210aebfdbe4ee1d05874f73274116906085318bfc28c409307ba94bcd9ef0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
42e2e8802a1738bf6aefa5dd57399cbe

SHA1
f8adfd703f8cd59e995bb99f88e614205a03fa3f

SHA256
28be2ceab79c8b9dd4f6619772051dd9ceef09b9fa477c20bdecb81f4190a6fc

SHA512
a44d00f4d5476bbafba60f78ab4a1e8f789d3728d0473060b41268d2ec95e4aa9a6d9c0f4996996baf7fd06574f1a3683e8d8b0d7a699c2b28b16d4401056516

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
9535c67ab70822ae4f7988cead84fa52

SHA1
f3824bc474929860dbf4433a032dfb8c314bbe77

SHA256
4bc5aa7012c4f3898b650fba07549682716c3e8303c2c461a57de3a39bf00af1

SHA512
93d90e77f05ae4be36de52b48a4a1f9538367718beb634c60ded94343725fe71b47be78db42a9ef1362f307b7e8ea2f14e00471ecae7ea7a6cdf23070bc2bbc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
1be52d7a6d0e339327954aefacdbf75f

SHA1
3f1f8633d68a228abe0ac52f5ae20ae1c05540a0

SHA256
d23c043c3a5e34a518a26e6a1d58f8d6a7ad73a082c51b1e1b4dbe0a65954f7b

SHA512
923890f2c666f6da32b35da8929404731c24f0c9e852954db9a3bfb2af8da2e123add846e5364a864d3555f8fd9c0edee164c309ab98e7332e5cb0120e60eff4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
decc541c537b00e664a59de18fda5e70

SHA1
f9830a224de22d98ef6a1809fe2d504b9c23deab

SHA256
52de432cda74abdd079f50156b1bfe999cfb4e1c4ee33e8d11ed73847e685ac3

SHA512
a7e0ddc5be232c62f948b506a3f813c283c17b3399527fd3cea841b92acca2e1d3c2448f486395c7aff5f05ab8af998373e621a4154dbef6d5af68b2f6f3a001

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
9b9014dfbc45c68211aa9564ca064c2b

SHA1
d1d92d086a2c8b76c744faea5278e669e568cc76

SHA256
83184066408c1c9aed761e9d97fcd0e94fd59b020513e34ead732fa4b634191c

SHA512
8bc09b7064baf7b0210fd8a1e314b2dc885d0d323a7add9ad64aaf1833011e5b5a97e3ab3454ac6656f74b2a4cafa01741d3c0efd776069d8169a8b8a4a99dda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
10935a396064630d5858ba04e5217907

SHA1
224854859bd417b75ee1716a1e0c7a88ec1404b4

SHA256
3067fd7ab5071e4f6bff13ec5d8a9f7e985b133f10045d0cb8814248a8b87c48

SHA512
18a693bc7cf007cff38829a1c55ff57d7bb69a7fd7ac0d717e860413aafb2c90e8600ba1c0b5daae2b3872dee62f7f89d4bbf669c4fb31355b59fb739c5dfbd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
c22139f1c34879fc4e42dd791f270534

SHA1
5373fc8a9fe4457e9b14dbd24c7fcd818aae50ed

SHA256
6580f2f2ebc39ecc1ca2b3b8eed7943bf4f1a7be28997ac6648bf98427bc35ca

SHA512
213146d2ee1f1ea773935a4a7e133ea36a44249c4edf7a0510c2b0fb1eb9010c90604d7f0e90fe2b1a326bfb396a827ddbe8b9bb396246a03e424daa331990c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
96359472986197be24e224b745db33d2

SHA1
9e1d737ea7268148a2fa3bc3835f1b278889e478

SHA256
04548eaf16495758930186de827d7f0a44c2921fb1615856cb3897f1a6814dfb

SHA512
de029bed97200f6edfb7e2b091c8e308002652655b5fb81a95d45a18589cb986b449379d7dd30c8d13d58198afc516bbe267fdf0960595d8b76b49b3a21b4ee3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
99de52d6fe6a95b83e30df1136b68b34

SHA1
ba0cc19852ac8a3b20fa9dc19754766afc8a13e0

SHA256
45efcd85e32166e054a41a548ce6998fba4cc4cfa4bfc19611f5aa17ed324a8e

SHA512
a6c2de80cf922fa8438885e14fe13f777ffa2215fd2e583786c92d70c5c29c056904294dd37981e18ad54466a9dae8ddf2c30229b4f0416c0f588d202831231d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
26f974a290fa17ffbefa4bcb01cd942e

SHA1
c8cef18d167224d7a660bedc0bcd5dd2340ffdb3

SHA256
da9a3fb8f1b0ee23e353d558ab07c09ba0807e26bb662f5f5f662484e5eda331

SHA512
598bb1bf4c278f203a7fe2d817f8027057439e6df0766d88d3c236c9f60698273e821950c214fe5aa5c9ee7e0060e323d842147ee10ad408688421fd5cf0da92

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
a018eac9a95ad0b3341550de8c51c979

SHA1
ed6709db7d4e7ba2a2eb39d02ced7d0bd6794000

SHA256
34c94661cdeadc1a3468d6af0430e5658dcec4690b2bbebcdfa44fe1ee9990f1

SHA512
ad675f0e7cf2c3e86076be5a8bd437e2816fe607a06608c8a5a687b1b7cc49c5a0329635a2228622f88098a634de2012d8412a11fa0efac834f811bd1f3e4ce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
7630967f055ae00203d8d4e658b98530

SHA1
0e8fc393db07c1c7f8f42f386694d5a8d6bdfe8f

SHA256
c1278dbb4ae5e6f984773ed2bbb922247f640c88db9242811debbad0c3eb9bbe

SHA512
4da6d7917b9fbe0040eca131b00c61a397cf979c1c62e7dab55f59b5c60a8eb83fbfacdc385309043f87a755d97028b4f62930efc39deed5ededfc2d3cd184f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f9cfc58ad13b0dd8ba3f524f58dc9a99

SHA1
77fc7cb8186598d4d4fc670cd5010c35e9dd81b2

SHA256
6e36f772287fb3b7fa6d307f3f0002df0c6665a1aaa4ab7586dfa0bf81e3c55e

SHA512
cec5fe9103c11829aa6a562b178b5f529df8452b767f44d1c3cfe2e2efbee9a569afcadddd316a3b7b8361bbdd2f630e573572260226cde1928b37b67a043835

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
27d74b016974416e038556fb6a97519e

SHA1
15c07046e6f2b1ebfdcb2d76715073715c79be4d

SHA256
ebedfb09b859aa62123416e98997ea41f26270413f0c6b7c5ba9180bb44988bc

SHA512
b4dfd55fb1176361d8742cf5736a2aa98b35d2b50bb08a27799faf16818399fdff8cb96aa641b2ff9256cd25c8353bcbc2e9c295db985bed5ad2d4fc55da7a42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
9ad771aa69dcf32e49a88255af1d3ae9

SHA1
4aca6254b429da03843ed22278f55123682e0d6e

SHA256
288f5b2dfd5f764029da5c6a71cc40661185da7553e54bbd07e2349c5eda10fb

SHA512
5112b9f7ea6fece510a68a814d98b7d2d9543a05d01b70747dfd025fdd5fcb3712733034ca5082bd66506a44a3566bc7861519d012e6c73a437470ad50171dee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
8399f0b37f3a0e60aa576d2455de3b46

SHA1
fc3f5b7c8a5cb90dcbedf08c8c76ec5abaf6f9dc

SHA256
2132a632be27f059f069a79701215f2fcba8226db065ca14c960f4ad76393044

SHA512
9fb12ea93eebfe9613d2ee860e48b52e7d1fa570d0bc7ffc0531993d684a6da666e9c67b021971886bb36f4600c891848cb3cb1c8b7926e8260be6a55c687360

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
7ce1c6815e198b8cbc0e884730c332fb

SHA1
4bd73e0f315c5d8f5f7b309a6f446a61b9c986b1

SHA256
9baf9bbac98d07d559f40aeaaa9d06992eeb52289d9e04b396f84d9302ce8749

SHA512
df9b4de0439fefd1aae50ee7e167f0cdd2a22d5f0e546c0740b674f453d738cddb5888a950097901e7a3497ed414c83f9849de082f04b63ca3c55dddfe4e4354

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
df5befcf4d372198283960425e790856

SHA1
f17be3e3f2032192d13a25f833022b068471de44

SHA256
dc4f95dc3ba970720ee88ea3bc599b2c2fcff9b7c3b9daf92ec87ffad26b45f6

SHA512
8c9053f71ddc9af1a9edb47f9bd9d78a2e153f9c25bccec0a8b4922affd6206cfb22e5388d9a49bd383171aa7d521302ffe34f3ddeba94bf34cb95192d534409

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
4b8b6feedfc3ae8714e54c251ae663aa

SHA1
542112b0a8f9b49222e5e4b93ea5b52da68989e6

SHA256
36c289d03e0b2097f131129dd9badc58bce01761891b10c39cf98e9d58689112

SHA512
08569150a73a234e62dce1b3e78019d99cdda8266805553e4cd3892caf96ec99ed64e806dc4dad2c6220408c9c3bdaad44d1f6ac14a91304fbb27baade118579

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7b32d033a40e53d6f45d7c5de8e9ae1b

SHA1
f7f2cabf50316d7420421d4f459d9c1efa4ec6da

SHA256
98adb1c43de10335398b8c9e7fb72d60587efe3b93f31cbf9afc054099e2051e

SHA512
3580249dc6c22e1f923d79f30579e01de19587b4b3e9047f771521837458fe58bf940b01daf0247b30738182da591b041ea7d3569d920e72b3769af4919b01a7

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f95e819a46572e936b16861969655a0f

SHA1
162cea7e520c1c1fc3fca36d7c1fb9f25412cb8d

SHA256
e3174aaf09a8945fe25e52d5266f1b083c285621acd544f4fc07c382bb3cd86b

SHA512
3c42f6b69a103e31502c3eee34daef8c8fe8d3c53d5d6a63c31b682a24b67a1cbfcdbfcea409c2aca465da88bd6e8c5baba6a50c50a0c55c9d6f898ec2b23eb9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e8675dbfef5c243d27ef8055769e1370

SHA1
6c6605ecd7e1b6d3e1979fad3b3a3aa9eaebd528

SHA256
18a93abafdd8b7d4baa21aba403423a9a2bb84e66ab6e23122f9a9d46a3d0805

SHA512
7e4fa93d2dd91de15a8b77b45b50bc6a048d7fbf85effe6514736393fdb802625f54d3e0919180f654c32dd5e5774413d12999976984d29a1f2e98080cbb89ac

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
071db33487baa5da389fff6b7f662f73

SHA1
544b2d38c094798b6c85705d1cb88101071db751

SHA256
fc6b22d96c4c43943bb85c35f8998064c7d9f4cc6e31828ae288731d1571354d

SHA512
73d8705cb525586e37c792c267300b54e58ddc1049ebdad80a8fce1c54f63bdc17b636a39421bd464802b0bf09ff740f53157ad383932d1581752ac8385a8a47

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
113f78b7c569a48bace26acbbb6bd0e5

SHA1
c7927d1a934df5a3c5d5826dc2dd177900572861

SHA256
860ab854a75c571c3086b07cda1a7c374a8807adffe7e7081608de4ad84004c3

SHA512
46675d10d8fef82368cf0db2f2682e1793a9dfadc8fc5a8f942d660b127f1a118dc27fd03dd97b7fed10e62ec21e7adda8909d2b3cefc796225df268054a326d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
d10054638ae20f6ca709fd13d0aa4f8b

SHA1
307078937420b36bfa619e1a531ded6f5233f027

SHA256
50780f470de222102304d6efa4727ba4fcd0a44d2e7f10d6249227e7f09e481f

SHA512
61206945518f91221f0e23621926790fe2b73f4085d9c3da78f1e8b1d69189d1262d6efa7179e1f7a581871064c09599802730bdd0fd7e62722bfb467c5e5373

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
efe974b1648ba801bf1cc46a1a4e814f

SHA1
1d376f640f23fd6df073c0a0b93d525e55276c71

SHA256
b2b728531dbad0c4c52ffa99fbcec971877dfe596c8ccc8a0d23333e838635af

SHA512
e1c7acb33252d8dda4849c5af072624ca871457a0970c1c6b03536329b6d7e275ec6edb6fff880fbee6f6344b727312828bd39db1ed6083de0d2c28c4fa8c430

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3d53b17349e3cc06509a687ea6e5d4da

SHA1
c1974f68e37d0fa92d0993de245a9b966d9cf54e

SHA256
3208bdb0b2fe49921d948bc7d93a940575aca237bf0433bee08a6a92d44c3507

SHA512
852fb788d239b04dfe7fa68af7dce9937d53c5b2728e9d40036d4b9d1729c7b5f32c4ada4c56d4729515b1d19c855e0cfeb1424272ca7f538a30c5033b3ec469

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
4f52e8e91a497b812af03a7b9900fe72

SHA1
f09c0a1f1b156081f7804e5000860e06c2e7a868

SHA256
a11b1ba8d13a67edc4d3fd01ebe6bd0013ea82a56c2261674af9e945b60d735e

SHA512
5be4e11b872a9c4fa35911ebcc4c04c4038978738895074e8ee6e7ed2d5a1b8dbf2ec4cc0bb06c0e6bd0b0ca6b0c1ae5ef30bd5e3e86612a0f0e279d8a222f83

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
112b68ad7f8fd947ef6735ee8a42be5d

SHA1
1abfd4afc4d58e395639a2da02be1298066fab75

SHA256
8fb26823946a98853078a9854350a5efedf4fb7f26ff35a03232033dcdf61dd1

SHA512
e96bd3b05bf1fc27ffa2a588e695a954ec28c407f555882f22ef92fe4a22603aba1b81e6b82045a2614cc88618e54e71afd6f84d8199405bf14d4c2095dcc9a8

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
7ff85c9f3e1d4521c5f10434e52970b4

SHA1
d998770f7a716a8f0b4d837b36d8700aeeeb1e2b

SHA256
a2c5fa27107ff072c3089a9369231e15677a01219d97e6047e4aa3f082cde08e

SHA512
dd18cb0359426a13887ad03c9356082266efd40f8f0e9b9d3711f3e3c80e74b8ade8e0455276afb8caf0ba26f4db70658717b0985375fb082aedc343e633763f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5109a027d18674ca2d40dfa4542e53ad

SHA1
b5dff402d4fef8226eebbeac22f1fe8e572547f4

SHA256
c341254a459ab1062c6ef9efdd0dc3817f1155e433ca813f7ca5155f0e0ce985

SHA512
36e9ede5543a345133daf7b7a17771b19339e61f2979a096bbbc8d573389b2a55c725e8949fdd3c2a046ef414afe34efb0089262e730dd6a8ad124bed64585fd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
2ef8c3a7dede22ff03f62cec76259db6

SHA1
167cd5e6f2f57acdabf415ce480c084fde98fc66

SHA256
eb0c7b2cc7403b11436151c08b0556ec5b83a573ec6155aceaa9d9520391af5d

SHA512
bb204a43f7bb4e99fe9029675f565b96e98cfec06ccc187ba20b3628d26ba6f7cdf942c12068008b015888824dfc8dcfeef333cae920c56d066fa875dee92b95

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
34d68af29c0c8a1da0f2531273df71ae

SHA1
b1cb1278bbf021410fd4caaa21adb083a2767666

SHA256
df675ce75dc6696ba68f4cec9c6217310998af635040e6df5982c2435585846c

SHA512
369ee22dc10700466bf3b6b021500164f8a3767f41737bc69204ead7fd42bc9a0dbadd873e56dcc79d4402c193c15f34260e72497d91ccca4b080cd5670d2489

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a5bb8114ef832db349525a6fba825d3c

SHA1
ef6f89ec045404ec4455d822442157eb064270eb

SHA256
69b74cae4a93e16f260180689ca64f6501758c792555806eaf731e6a31f7e866

SHA512
a7d0ae254acc50a5b7eb8affb97afe99d14fc5f9058ce6d14b2ca9c527fa6c62b9e4bf328559f74219bb0793124fe259119e5b839fa9638b11325fd73b06494d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9ee7d40560cd53953f81213e1c3224b5

SHA1
bb5aabc61f358c4a27a65d93ee2f93fec2929e56

SHA256
97a4069e23a34bfaa3d821a3dd0e85fb92bc2877f966a5f1e49ed224984b97b8

SHA512
aaa44cf88f9674fbbf6fbf2207a3c5630d7ab147b8d85fdbb62030fb1b7dc2dc6b0811eb39910e76f677da1b9083965280f640af2c1dc316c2dd9ae06471ef48

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a4700b05b80a4eab364fe2421ce99d00

SHA1
eff933721a76c930193f513d8be19388f9e2d88e

SHA256
2ed4a95c1dfaf052b4defaf2ad8206509e1109cc75240dc7bbb604cc76e606c7

SHA512
8d09985acf59f873685c0085cea9f5d8e2357b0d9d78adc56ec93b043c3b87b386601a57e5a98c8d6bf349b3513c1ae8b69c022d45a93d3131a5fa11692971db

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c822bd84bd39bea6e8ba0dc5e2f1fce6

SHA1
bbc739082593f3766cad416bb57ece160956daad

SHA256
3a8d5af7945a4061668b72f5d2d16f7136b3cd443ca754af7bfae6c1a45234a9

SHA512
8981f33bdfea5f06b0f34fd291a83a872f4c2233118f1c9e75da5150683e42108a08f57ca6434ef5c7d907db470827e22003893050af6cf307ae5703bf5b5073

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5aa791bbbd3f6ff48cfffd6e148392b3

SHA1
ebf63bc33b8ae5b32907aba83a99888c57ecdfe3

SHA256
66f48c3b61faadf6fb9860ba0a35f1bcf63044b863a884810e9e780a5d74fe7d

SHA512
84c07a17dbe66d9d690fe841d67e41e7b0006dddf168ac1247f13b108ba0ceda650538794f9dc18ef55e3e13cd28e375ab6554fc2f40d4c46f19d3800464e62c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f94d2a09d18f57da53bbd88361a074c2

SHA1
7eaf664406cca4a17b722e1843187c80691813d2

SHA256
53ac4f77acc25709125737615133fd076bf6162b2454d9654777973d509d956b

SHA512
c5410ab14c4af1dc1689314d5686156e685b3744303c1353879b5b0b85452db278856f52c23b93060d868eaa9a2598298c02682f8e93c24d793093d72d6022bc

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
d8c9f8578565ab0ebc09f4d8e5d06933

SHA1
709b8da2911225390f31b07578db5ab25c22b941

SHA256
f2787da520a09053dd58911d7071cff6f4f22aff140abe6cc234bcd3246de04b

SHA512
1fe813a6ee3f8752465d0d4e60ea79bf4214b92bb8427f7ea53b5cc02bd41349b2b7c1042e610706b89112111d4c7dcb99b79dce86c2918c05f42fd4780b40e0

Download Submit
memory/560-234-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/560-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1020-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1020-543-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1168-74-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1168-6-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/1168-0-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1168-329-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/1168-1-0x0000000000750000-0x00000000007B7000-memory.dmp

Filesize
412KB

Download
memory/1468-551-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1468-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1472-490-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1472-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1472-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1500-59-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1500-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1500-38-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1500-46-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1500-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1740-207-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1740-509-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2088-49-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2088-55-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/2088-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2088-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-259-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2208-550-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2740-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2740-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2996-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2996-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2996-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2996-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3100-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3100-549-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3352-117-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3352-34-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3352-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3352-31-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3952-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3952-20-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3952-11-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3952-110-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3960-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3960-510-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4168-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4168-486-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4292-508-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4292-187-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4320-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4320-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4320-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4320-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4320-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4384-99-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4384-90-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4596-162-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4596-463-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4660-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4784-246-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4784-134-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/5044-139-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/5044-258-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download