ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26-05-2024 04:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
Size

1.2MB
MD5

2cd8e07e68fceb800870b657cd87a4e2
SHA1

00d02a8df67dd1bc2901d8de559f8db8ada8ae77
SHA256

ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9
SHA512

3b84dfb671b60c5566a6eed582ff57461d7a2b873f0fbbc0e38154599be4184168fef9301b2b49e135ff171327cff6b2f7d7004eb410238caea39b461e3f4a12
SSDEEP

12288:+o3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:PV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2056	alg.exe
2524	DiagnosticsHub.StandardCollector.Service.exe
3084	fxssvc.exe
2520	elevation_service.exe
5112	elevation_service.exe
3580	maintenanceservice.exe
2696	msdtc.exe
3272	OSE.EXE
4680	PerceptionSimulationService.exe
3732	perfhost.exe
2652	locator.exe
4904	SensorDataService.exe
1464	snmptrap.exe
3612	spectrum.exe
2388	ssh-agent.exe
2816	TieringEngineService.exe
5072	AgentService.exe
1040	vds.exe
2088	vssvc.exe
3028	wbengine.exe
5000	WmiApSrv.exe
412	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\locator.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\System32\vds.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1c9e8a3bc3136770.bin	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\TraceSkip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000064e855bb24afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000074fb68bb24afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ef803c424afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e00cf8c324afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b57340bb24afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000921ecdbb24afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fd01bc424afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2524	DiagnosticsHub.StandardCollector.Service.exe
2524	DiagnosticsHub.StandardCollector.Service.exe
2524	DiagnosticsHub.StandardCollector.Service.exe
2524	DiagnosticsHub.StandardCollector.Service.exe
2524	DiagnosticsHub.StandardCollector.Service.exe
2524	DiagnosticsHub.StandardCollector.Service.exe
2524	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1108	ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
Token: SeAuditPrivilege	3084	fxssvc.exe
Token: SeRestorePrivilege	2816	TieringEngineService.exe
Token: SeManageVolumePrivilege	2816	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5072	AgentService.exe
Token: SeBackupPrivilege	2088	vssvc.exe
Token: SeRestorePrivilege	2088	vssvc.exe
Token: SeAuditPrivilege	2088	vssvc.exe
Token: SeBackupPrivilege	3028	wbengine.exe
Token: SeRestorePrivilege	3028	wbengine.exe
Token: SeSecurityPrivilege	3028	wbengine.exe
Token: 33	412	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	412	SearchIndexer.exe
Token: SeDebugPrivilege	2056	alg.exe
Token: SeDebugPrivilege	2056	alg.exe
Token: SeDebugPrivilege	2056	alg.exe
Token: SeDebugPrivilege	2524	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4172	412	SearchIndexer.exe	114
PID 412 wrote to memory of 4172	412	SearchIndexer.exe	114
PID 412 wrote to memory of 1896	412	SearchIndexer.exe	115
PID 412 wrote to memory of 1896	412	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe
"C:\Users\Admin\AppData\Local\Temp\ebd78ae1b142fc38a5216e0cb3024ddf4992b56bd17194dcb9a3c85a89000ba9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4500

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3084

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2520

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5112

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2696

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3272

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3612

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2016

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5000

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:412
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
4b64fbf0aba06743f0412463e5661b2e

SHA1
5f473b10a4050b1fdb27ba5f598cb65a9b09506e

SHA256
9586ca1896b3caa12f499b6443809e992a672e77776912063cd79c0678dba410

SHA512
378c26f8ab6515328527288670cecfc92e1940e7a7f2863cb687aa8c22426d5eab0bb919f4e4abf272e096e34b6ada6b46df40d9347605270ddc099664dbb72e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
86be11208714c1287a5454ebd4b4663e

SHA1
7df9d426def66cd64dabdaba4ae09ec07030e261

SHA256
95d59ba05fd5141b333847411b84945d04dc7f8821dae47a221f7b0f8cebcb25

SHA512
fdaae484415c94986d821adb8e1e8f881e9fd750ee5c384b8a1b134cb4ccf9bbffc235e10d56a12dbcb9b2979dbfff87168257786bef3c566f7f228f831dc9db

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
e2a7d06c2aed320d86671d5f1c4cf03f

SHA1
9a9dfd6b2ae0bc175059833954ba09bfe152d73b

SHA256
6fdd6a080b7de8ac4bd4de1628b6feee04fbefdac5e6990fbca49d7587c76f3c

SHA512
62560497fb9eae7d00f4ce174060a85963d267b7663e67c4d77fd8a7f01c4bd2e7307b6e7887d269404b006314f9a3906b5526d8576308c2452de2b7f50adf19

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
63bfb09b94b6ce75d6d06f67237a4262

SHA1
485a87c5b208eca0b62add58c03fad5a2494f4c6

SHA256
960056b3757166f95bd830373de5e3b944a86bcc738053c1543becc8fb01f3d2

SHA512
5da5278509d752aa9f2c420ecebbf68b5565051a7e3ad29b6c294cf497f3cb0d216c414370300e9509b42a3d1eb568285ec5f32ba091aacfdb4b2268fb2808e6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
01cb521d9fafc7e88030e1eea582781c

SHA1
3e9726be68836ae930591252f1d8bf5c4f0a0097

SHA256
ba1aaeace1ebbcbb26372d101b1fb56e07f8e55c8526b5a98865b5e371aa686a

SHA512
e5ef2b652ec95912819bfb13c9673b804c0bb5e11e1d8ff3c485adb82ba09e5c6b0b5dfdca1f9ca383fd2f3918c6a2db6228d7d1f6a6ca1084db1e131cd78223

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
ccf231c1b80cbcbab0913652b4180c22

SHA1
bc3ba20917bcfcb1beb302a94f323589f02d7c51

SHA256
35b1a55e4f1346f39213510828859c80f95a9c084fbeacc48a41435458deec2b

SHA512
e3b40cc5999e67b6374a0b38c557bffb0b345247100ed2f9b699d0a7b7f9c18d953468b6c0e1b8d093bb7ec8ef4554433e4321acd4716b5b6ec521854b0f1a8e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
dce0ffe1a15f809536d30e6ca9c61851

SHA1
fbabdf0396b2534c517b637afeac2b833023181d

SHA256
8f2a91cb55aa2f1785ab8d21f13644f5258e26abab00468b5862c4918b2ebd5a

SHA512
52b3bf660040d0ebfa14930380a05871cd185e9c29bbb388abc2537590ad3f12e046efc9e5ab1edb010e68af70c52c35c55ebcfccf2a1eddf386322620ea43ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a6b03af78d1bcc97acc80464a1f7427a

SHA1
ae3311279cd18c44a36f8e3f5b347116fae91f06

SHA256
dbc64daa12a205a4f2716cd372a5b4b22090ddfad77eb86b18dde96b72ebbfa4

SHA512
4831a344dd6a6db7f0c9dc14049a99ecd549b60184b953f932c5855dc478cdd5ebe73bb6823b73a345a18c85cba94cdeae9b2b43cc4341765cd3bd8c601263d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
94f804a4902968589087d1b25069fe0a

SHA1
ff333a61ef03d4679a1f2bb0e7cf4f88227a59ff

SHA256
5d125c3dfcfc9d26fb625bb2065e56a6f93ae019139fcb38d643d8c97d85d76e

SHA512
2a8153948706b03f777d14f69fa41145c68b1c521d6cbd7636067b5a6d6af8d505b15b33d2824e3144b1e3f82b6e683053bf3383931255640be52fa7e9144667

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1e89f0575045493d2daed705a96c2198

SHA1
a4ed227f5651310e6c908dec3fcfbf4aa7fd93e5

SHA256
d371b98e93a80c6a4b0aef609cacdd8110de653fb11c442b7cce31c317a75822

SHA512
7ba1d4b2194aeff151465097af67268231ac8c4be9930f74b0cd576c0be44efa09995db376304c9bdbcc74f971241099e4d3c5cbac625c1f32b055ce69d1291b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1554463d9432d8a8921426236b71ac49

SHA1
102aa2622b2889a8c3e5d97379c5d636cf59a669

SHA256
7687aa54726a319961d6367304f55b2e7d3785144810297e6d1a87af86529f78

SHA512
7e087c7eea780cbfa8a95f15d6046909b1948b663e8f38e5078c0a5cf22695c581e2fd9ddccb26493b7c289c7655a18b44c77609ca6f465323abd054ecc29565

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
b576bce4f18eca28b45eb4036cf41e00

SHA1
4ba6ae6bb893d7b8db3aa4714971efc6ad1aef78

SHA256
b7553958c731d3d2ccac458d4df81c1910453824ef022723ddfaf17d5212c478

SHA512
21bb40af669fe7419f6d1a3ab136a5a3641c21f223ab487c7d8eeb65a337d3d2114b6a8e448217917d7091849152bfeee9f2afc8fcde17ebc855b15c72104fda

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
02d4f727d328f0f2406523d34bf587f9

SHA1
979bbae1644a7d6b01903fc0035c6bc22237f949

SHA256
95d3e52bc52fb47b47fa6bcd5883c007e8ac6aa798823346ca8c9948eb4f66b3

SHA512
ada63b79258ead7ed575974e5d69d5f2258c5ca3a03bfea8cf2b33bbb2855afbb68d849688fe695ce77e09370701be1ca50ee61662e3767aa95428d586d4db3a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
f56ece106a93271f38cf26c68c05d2d8

SHA1
8e5a7e35e63517151de1eec6712c5fa34f4348b5

SHA256
00a687feafcff608370d297b924ff79ba9c2900c2d24ec6aa7bf8416c4a3448a

SHA512
f7fc2e0df55f965f099fea6147cbd5cf84002d8e7c66ab614b155d743ab69e38e7e371eb209adaea2a9a1b988be43c10136388b834ce811f81aff8252316c8ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
99e10935cbf8958325c3008bac5eeedf

SHA1
78d4fe952147746c4b0a7213c6ccbc1bd945bfe3

SHA256
feed56b9ac3a1b5c7732494da53f72ba9d4a4280111277fff1bfa14b4b56cff3

SHA512
0cd74ac29768e20542e6334cf6a1524e10831c537e8e3e8aa7a34a7094ffc85def680d786d7d5f0c63af3d96744705480ed63af1d85f0f123e10dca3f1b9a358

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
71cd5109f8806eb8ca962cf7413735ac

SHA1
87bcd87f5e85dadcd337925cc50945a7c116b779

SHA256
11a4e2b4190292567628f51a8b4c8ff6ffba85063b4a36aed482cdbce93d2d0c

SHA512
8da4493a6585b7ba1cdf56ebae00238ef1b433b9d1fd42b04a250d908d3ac5ee81d7289e49080617630909b683b3268a2cee18dc9a3e2182f3728f4d606e08c0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
127303ac3d23e7e337c58092a77fb071

SHA1
e6b42b772bdfd89d3bc5158091eb6b95d339c93e

SHA256
1594c994b43bf6c18b225e1c94a7bf9aa6ad70dde474fb86c857e3b7af2042c8

SHA512
7d68b83492ce6a777fb9f4840469b4adca0147e743d4ae975c9424458c988244ff4b6ae8a09007a9d25f0820210b8f75198e1394e67000ade76890bfa2c7040e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4a753d09d3538b3c5f8bd33dbe08199b

SHA1
3ae16ee8028bc0fce822c1f0a1f622ed44d43e97

SHA256
b5e9b0d523e817fafb001e4eabcb257a7b4c8e36e963a664c4f61d7e4f27f99b

SHA512
e36a40bb953a92d16e30014f4ed78495818d75d96f078a2eadc759f47f60f060e64aadc5204f8d3e3188528625b3525b4b9022f24f5bd4c16f4510d6ff87cc41

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
80a287421736644691a2a9ac4a4416d6

SHA1
94067d026eb371136f78262780eeca02bb3a1a63

SHA256
52673f17e981fd76c2bcb646da26dbb7af9b03a92716ddbd3315c90328d009c6

SHA512
472ce9727510e275cbc3c65deeaa61816024d4e02811de2c6abf251c27273775934ab86a6f2a7995844e903177a882411ae1dcec51ba5ce88847742fd8839f41

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
3c808d52674e92e1453977b606734d2c

SHA1
0722d05da8f79ea084cdd21465f72dbc0c56032e

SHA256
f353641e6fd5bc675d341324f56e76add9cb429e0b6f4a594fe9420f66ac6bd6

SHA512
2d603345f098509227d53269ce8c33629bf97b69ae2b65575253881024055efee104957311972a28d7bc3f7f1b8c256b13c00ee713c345765562eae6aadab3fe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
dedefd01683861747984bb00b7eae926

SHA1
2b08e63d90bbe6656c20dbbd4c0f4a00a752841f

SHA256
c87635c5295cf497bc2926fd9df7d514720998e79153a54c1e09567ef4310b20

SHA512
1221f0be8ef3f1bb2dff49eb8f09b4c2ba27fce0af3ab2bba3b3059b80b30f4441bc3733cc964feacd747df6fbc6b577ab16ecf98fcff53c7ad99e0e5978ea88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
edd023a64a1b171f062a7c186029aa91

SHA1
2eb722cbe0668bea78f60b6cc865a0c61af88d44

SHA256
5181352b42c6baf2bcc986f60b11db07f32b573a0d5f87e11111be7867815859

SHA512
8740ffdc7f390ef6772be651be8183555acc50c4fca52f1bd79fc2435bdcfa5ae207c87402ee5398c144594bd9160531bbb81bf691511f4e4a92f59672f1e996

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7c58d8d735eda3c65073c6d751eacf51

SHA1
ee43d25b234a91291a1d23f1e0e9473e1926aeb1

SHA256
23016680ee3a60f3ae69cdecaf3c8b03654993f555f59041aeb9bc146719de47

SHA512
91cca9d7337d2e0cc1dd2e0057ee1787cb90bb6d2f8b57b953647190721f668a95111d78afdf2687920a4c56200975696f5bcc6a69bec6b105f7b2204656f4d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
4e70f6d11b2c9cc13df1cb70d5dfe354

SHA1
c8a6becc51a7fdc4a1c5798becef1d06e0c56bd2

SHA256
4c3633a7a4d635cccd8b74c727086b26b683c36db06e5ba7cdf52e79c6af488c

SHA512
16c368ad3d28e8f412b1ba914c5f8707a52797ae7552d4b1284403f6a8e0d761ba8ad2284fb011075214e1cd30229784e2d1786a6c17a32c84973506e7e9d8a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
56a7f6ac355be073065bc0005d6399e0

SHA1
8f034773b125b54f36503545be6ee0190412847b

SHA256
fb629a86ce9d88f9b948179d8f888fd0dd3963497a9ffb1f60c0142bff06b242

SHA512
89ff2f76c38c3fdb549cfaa5d00f316f5bcb3726bffeede7baa28457a280bd00d713f47eed2062411d102250c7effc10fcc91de40a60d96c1416f84c9fd1d511

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
256a8693b70f5e258b32ea6a31874d49

SHA1
67eb06a1c3471f3de329146567def6520fb38ad2

SHA256
b8f7af6c5ffa3f1072c7136d339226a1811cf92000024e7a9a1e9c8a18955d97

SHA512
e5d8b80e99f3f77a48aa325141b4b3b92d86cae39524c7218b4e71d99a889754713a76e7b0e8d7630bdac83a9dc1d206dcae121730416ff85815595c374bc2ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
095b96c65ad254b256d61b6750dcd87b

SHA1
9de4d2d37c2cdbf30cdadb9aeaceebac790639a9

SHA256
a29d4684506e6e0941707867f003d4d7650b6a86f9edddd6e1ab342ad4e7464e

SHA512
5a09e6f49d33b3c7ecfbe619a9b5c1311b6687add5e88d3df250e6c877d0d887c42a2e28b144fe226b4943be2a83e9e8f8360bcd81452b8a27b25e32d51bd1ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
28f0c71612b624cfbf77ade2838edc59

SHA1
2e97bf9dc4c6f7ba03d174f616e740d4c79b574c

SHA256
55c4d6aee551d08f23d4639758eb95dca564878850ae28b25ddf0b0faad83cc7

SHA512
ca93b53a885791490d4b21dd15590e324ffddddb87d63ea4f15c2244cc416c1224d8ad70e65d910ba8c04151b9db39935010bca18e4ed2f2dedecd9d7ff9966f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
0d3c165ed210fdd0268ccb9cefb090e0

SHA1
19248a0e2b13d5a0cf2c4e7523cf35f28510ac18

SHA256
843e3cd587eb469ad78d9d60c49755b326043f35e7d842ff5ba8d72b66a2babc

SHA512
74526b4beece5bda923a07d8b0f15e5396b8d0cd592ecc337ce5dacb267d41887cf16d6a9dd6b13b9ade91473230f2a29e8349cbef10847ee33c05e0bf0120e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b844957f4944868d8d53511ef12d1323

SHA1
61f0f513937472ef3683ec2acf483a87aca7e9eb

SHA256
506dd5bd9417067b7fb510e61bd002f29f3a461734fd99dd6d1ba87dab985f71

SHA512
b2db370f0198f981d00733f82c8c9a8c6762af48b04bf01d9e7577611caed0685a9c9f8a4e0bed3c8b4b599176ed5388c2069822fc8ac0564278fcc6dfef5fd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
d9d293f089a1170e92e46549a65a43a2

SHA1
e80c4060d26ad4cd98750ece0e87bd15630ae26a

SHA256
459bd89f8d552319ef8a2c1fe02ba12f2c4da3833e642cadfe4c3ea10a3176ce

SHA512
114cc049a5baed36ba2ee2daa692d8feb6981802d2659f43fde349f4eac21589e1e75ebbe7aca421749492b9588e972cb8ab3b7442dc6e54704fb422fb4d4924

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
598c432fdcf528d2ea19abd5a4f4a407

SHA1
a79bfe866843831ccb372a28b505f931484e3b7e

SHA256
abe47fcdc1e096b15f26f847c36221bc2b6e76a87115f31be4a86886a253ad2e

SHA512
7a16bed672b0964825d64489abce09216b1fb22aef96ed54275b54710027a90e27c50992c8055c062b43932409cc7d9c12cf0d9d950585342d60c371d8c1b010

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a6a012e4958354b0a2886dc2c53704a8

SHA1
c38a5b73de09aa8bbdcd594fe423ce056e094019

SHA256
c15ea897b4236a8566abc3f12faece28b6c0a4ecbfe8549d25a62b1e83c5a230

SHA512
9c450cc221327c53064be7a8a49b71292743707101a2343beac06539769d37ab639f99fe31a738548cbf9af6e19e07edb59b2270dcdeed4ed5cde60dbedc5501

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
cb1839f7f082bf5ba6cd65bec6df1444

SHA1
80c7139876d6dd18d3177206080edae068467425

SHA256
7aeb7c3a8940bcf956da6fe9a1c50fa6c8485e0cea7773d8c22f3d478fc1175c

SHA512
1cd7522efc08fbaedfc6a1a5b1a2e1c55877ae3b35c4ad85d99667ef923f0399c37565b4c72f148f0662cf518f2a853c518de2484665f0fdae2a9804393c5458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
fd3d8dce8bd291da572f731a0124048b

SHA1
70864fef5673572bee2e79c17026acdcc2bc43e3

SHA256
ffe3ab82dd59a748fde5c16cfa0186690192808e7a4ec1a970ba49057b1da79d

SHA512
958d77ca0af50b42d028f7c8cf6394c8ac11dbd2937c5125090d7ebe06fd849969a3c542b3a1067e40019ed497d92ecbacda326fea995ed29ccaedd77ba8d9d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
9746652393f4b4b1b98f09f96d17bc6b

SHA1
5f60d301b2f861ac251b4b558ce2fd4a3800e99f

SHA256
b9239602a223222bfb3393b698bea7d78dd35f413c102505e3ad813fb0937c6e

SHA512
cc607de7b8da27d1e5dc28cf68096d0b6793af83a1e08f7af076f29a0779fdca0b7e89ddc36a813e655a55ae60df9f1ec6c462a1c6ef48ec45332c92929b3da6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1e46f5c01bf2eaf5a08c847c870eaed4

SHA1
f7c77178d2ef30003dc46c828500a1cc75df5ca3

SHA256
8ef97cd50b9b23f1c1c351656f2a9805246f098bc456706681ecfc3197ea3749

SHA512
85fd5c15b62515bc3691d3cb806443a09c384bab2cac9c563db3e012dbd9c811d39aa4d5b96e58fb9d88171c39c911c34b08d39da69e883dcffc9bd6f98a7708

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
44824090df410cb9b047268fde9fb581

SHA1
8db2827825269d35fdee165c64aaccc7b7d97c7f

SHA256
65bd91fe17ef940de9c10cdb425ea89e4d791e8590e6e0b6381c709e459440a4

SHA512
16f4342e9c0219757d9c6420c02688da2d60f21e904ad4c5be4f86700b6fdbeed87564d54f901904f08898bd8174b1b916e1d0aa0529f47638615ae58899d3ee

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
c0c5be959a19954ce0aacff382e3b8da

SHA1
bf49eb1e57fe452d07c6739f73e92802e598bc57

SHA256
1748fa2e860cef25c7ee3c6edbe44d7760682c601f7ae075c92e40b55a8da8ad

SHA512
6a9ec72ee9d977312cf8fbce1acb4f8b908f2a626740a41b317c4fb6be454449be188c485bf3d1f53ee35851c6511e82cd3efbe46ad54c049de4f2b62e67aaff

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
2a1ff7f21150a39a2238036878ab44df

SHA1
bd495bc19b6f23b677d8fff71025a17b91f89743

SHA256
4c975cf08dec5240e4d050dadd225d85be08c3cb7e2d9f36a0dc3a0eeff543eb

SHA512
6383ac722e6faa44f6da36c91bd5897c700b24abc56fb6696055d6b8a1f4d0eca7c6769d180598615d24809ff4916ef0a593b7195ebb935931f492684706839d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
80fe0097009c05228f14d5a2217ad7a8

SHA1
1ae0bc79d3c247be9d9d0c53986d3910ccde7f8b

SHA256
bacfca446755926c221bbca3c4f182102b5f0db7c04165d629402792884dc73a

SHA512
4cd2b0c0bfb8daa12e53f94609a0e8dab6ca82da53ade39c47bdd78b0d61d63022ae0c6217f803f406dd7945149afe9bdc680216ba3585478838ecc6fc2d4d10

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
40e809292b620da4ed1df01a1da3a040

SHA1
bd1cb59f39f861edaf7fd616c85416f25de3194d

SHA256
7079f721e4c7a270c1ac54750fb1c9c60cf569de2b5f392828de124d51b60ed5

SHA512
69193cdd6efd34ab5d7f7f53b91a2167d4e10cb8e781634c90e6aa210c08397ce956eb070bfc72ecce968945ed277f445fff47a119b2064c8828e626647ca937

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
73e9f9a2f93620b1135fd5ab5dbf1aaa

SHA1
0b0a0e3b41c4ddec70ee17e036ff5fd151852e73

SHA256
374d279f7d0fd4b73b73e0b02822a4a190372ad23fbd9fa0beb62ba091d4f106

SHA512
66b2fdd38184e5e5f5747ba9cdab1b324c91dc04cb848c7f8e07a939915e4b2514e1bd42b8bc773d8e6744af6f7cd4a3255214d49d4e961aff1e18da04b23817

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
1b384b44f4788ab71f11e473b145bcab

SHA1
af103fadcceb593eca57882cf2b2bf692fd3ab6c

SHA256
b4d8b80fac306f61cd8dc8df68c19d7eb81b6acf5ac37aa006c896effca8890f

SHA512
0b6bea14c672fd84d6edf494e49589ba0094037d43c85ba5b797e641a9c363c01f63368fefc1d447e6e918f635a6e71a2e45a870026e171f28a970d203556793

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0b005a9ec463cf2cfef8d2ba61bbd947

SHA1
c9e008bbc9408932dfb0de1c3de3936edde27977

SHA256
d8da51e300e98f13d5ab717996620bbbb4b05cf6cf68102014cf21abeb0515f3

SHA512
98c760aac5c54142236b319fd59e130eead3ba09c28634a23a11024862662437a0319eb5edcf21361adc7a5bf6da007ba671c13a39afe1362e53bdb4abf76f98

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6f910aa5fa53d5c15422d1b01a60ab65

SHA1
6f47fc000efac44007f76498f7b9473bcb3f40a9

SHA256
8d1303732224edefeb28aee24d455f2ffa6435bff78b3468835a37e34fa88073

SHA512
2365586a6d77ea0e913fc26cb81be39adcd1649b7a27861c6683f87115b5f29318ff987f2b5aad4db3f5a18dbb0c8446f189ba9003ae31b394519df0522e7510

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
43c2976980c2485de2919daa6683b469

SHA1
eeeb4e8a4efbc2274652161b6cf24ef8000645ce

SHA256
c7439ea4df603cdc56352fe70b3327dd4047db4ba7c2489904c92f36bf63ed74

SHA512
2b7b6e9ada93c37da3f5e5e6b1c5c0541550ad84d9b0f746fafe2ed538854349ff15c17f520cc692e61eb547e0af95d2b1a78b8bd5432f900a5f02308b938b7d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d33e10964d1cf0a371d57f053f485d35

SHA1
da9196b29c70d04a02ff84cd946deb8fa55f4273

SHA256
b59ce6b11e8807e5a2d15f1f8c2b53fe60a4c4d36244795e3dfd66148358bf7e

SHA512
913ac0a6af185d45045a8ced8115bc49745ae1bf65f88803f411501129d19c98620f564f308dd92a214810a5a7709ce0c4c57eb2d0ac7a2d3b393f3af78213f7

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a7e57d58640acbc052ac648e00056462

SHA1
9fe2517a01744a718a84ca4f1bbfc8fc26b6c13f

SHA256
8b7888978fe35969dd7127b27a50a8cb8199067591c2cff633a08d817489460e

SHA512
a0e36f7ad2738535cbd463e261b8a18f9ed101a86c96f2d6abffdfa83edc0083394fa1ab712191932e4e7329b72cdb11943261745d314c228bb47ecef92f9ec0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
03863230b56965d176c841d2dc3447dc

SHA1
4185497d36ee9ddcc9f9b16c44adb6677a06b7aa

SHA256
a171607aa1332ee7197e51c254dab417e94fd4abb52547085377c17f908b3797

SHA512
cfe52f8bd8ce45e2bfe7321b49c94c0d41277808c3ce2483150173a472664a3228975ebc12c8d18df6367ead2a5b27bde65e0cf1c1ee439e919d0ddbdee9bdf1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
b417233366d1e9fd27a41b3f619d2a0d

SHA1
fcce527974c4c4eca2995e45ddffc5fda9b906ac

SHA256
2459aced3f020bcd0ebc7fa7d99fa52ea226767a23dd423ef63b0959001b2091

SHA512
de30b0a1ef7d3eaca6a389bebe5ee56c51a1a33bb86150f9a6e432cdaba43b26b3e2bbce2aa0db791ff5c97a80291694a546c91c7b9df996d1352a5d47a0df4e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
904cd405cb68198c4e94b2de15a24708

SHA1
5d43eafe0251f407cc2ff51c6c739793a9eb17e2

SHA256
dff8e4ccfbbe7317d921853587a59dfeb8cf447cfe9bd62f80a1597411207798

SHA512
bab37ad24e6310a59fd9a118463cb3403f70ef5432dfa5435dcc8a3bf57eec93ff679c6ea46667f5f75f1b5713de578c7322447605c9a1953f91d495c07ef7b7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
98a398eeed11a688a8e55a525ac81ea8

SHA1
a2726a29c92aff8a4092870acae74ef01389f6c2

SHA256
4fe7e201e43d3b9e7460f105efd52c7869eeabe3e222f237aee388723b4d5f9e

SHA512
f2f326b46bb92a89533ec4c0de9c0f7f9f9aedf88a511073124f2dd2846f25d033c02509978c438e93394e4295af459394c600500b9fb69ee84b61ba1d935996

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
9939244c1b160acf001b20ac9f361182

SHA1
d0f8b3795c5eaa2ebf31ddc817c64cee42a53463

SHA256
0a08766b02e2b3ba9bf1c21e338426b30074bf9e44641b016979f601c254f10d

SHA512
16b00258e59c4b2fab1bb3cac305bd09dcd47ec20ff1b24d4c36fb8f71680a3dcc8c6a2acd5f52c5a4c75c020dbdbbae11c2ff83fbb87811ea2086f68af29b45

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4745033cded7d12548221dfcc177a69b

SHA1
30153497dafc6fa1f48b1ba32e69b660828d7d15

SHA256
de430b29fe58731bc8b5cf01aaece20dd594d4976a82c94ac328c70005d3e54b

SHA512
5183997412a57e1b746ed413ace9bc5f179d087e8c710597bc3f411c4f87edd270987fdf35320df20dd4aa4ba2041c516d32ef04d0c1a62bea432dab58733324

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f4fc66f21587e00f05e44abf5f3f3d1b

SHA1
37f0c7ca8aa89b9b995f9c02ab43c374221928d7

SHA256
1de00970d28bea970da2929bcd338a38f6bcee04a2ddac21c76fda32ada4f790

SHA512
ecbefefcf190400a8d5e42f9831e4bda715bbe9d73c6126372d864da2c56d72646cf4c941425137ec085eab6810cb6c69661756813d4547c5bae3e050f861f7b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
abd3526148c0c22e2e9c016670cb5dea

SHA1
aae91acafcfca5906335c2942dec0e8a1d1e39dc

SHA256
f940272f0543337da189133d546370bd5cab788077dedf36d79cc546f62bb270

SHA512
4a4429afccac056fc5401fd3dff6b42a9d93b33f12dcc143c5c7bfd6b8b4806ccbf49db60341e15719d57dcf59ff216618810bf28c0a7e260ec607c93bda4acc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
31877b7bb9adebe057810b9f37bca097

SHA1
8b926ade99055b99ffdd4c299926f1446b93d650

SHA256
6de1c0c9cb7acb5b22363aaca85ce4136b1480bcff43a18ec5b1d5d28adb4a1a

SHA512
c04f17c65d2ba9856ba018ad3e6f760dde75d822c323d9824e38bc04bed74726bdb924d8bf59ce8b848e185205fb95a2840dfc5edb940880272855b1b754c79a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
51fe6f070e1075121333015b0cc97d32

SHA1
13832447b5817c774fa77ac3f131d294bdadbcb6

SHA256
50690bb2bc74ec376bb043551c3b8927e59ec447e1d639f1dd994bcab478107f

SHA512
b70897432c608e8b22953d55246f43ea54f2c3685e59cc149d3f70feaea7f1300b11376ae42d89c2e668424d8ece8e9b2744e8bb1398959834097ef1b099d076

Download Submit
memory/412-572-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/412-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1040-500-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1040-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1108-0-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1108-1-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1108-8-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1108-6-0x0000000002300000-0x0000000002367000-memory.dmp

Filesize
412KB

Download
memory/1108-74-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/1464-162-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/1464-423-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/2056-12-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2056-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2056-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2056-113-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/2088-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2088-501-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2388-187-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2388-498-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/2520-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-49-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2520-50-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2520-56-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2524-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2524-25-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2524-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2524-27-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2524-133-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/2652-147-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2652-260-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2696-91-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2696-209-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2696-90-0x0000000140000000-0x0000000140159000-memory.dmp

Filesize
1.3MB

Download
memory/2816-198-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/2816-499-0x0000000140000000-0x0000000140182000-memory.dmp

Filesize
1.5MB

Download
memory/3028-504-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3028-257-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3084-46-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3084-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3084-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3084-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3084-38-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3272-114-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3272-224-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3580-76-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3580-86-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3580-75-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3580-82-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/3580-87-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/3612-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3612-492-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3732-136-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/3732-248-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/4680-117-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4680-236-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/4904-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5000-505-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5000-269-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/5072-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5112-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5112-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5112-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5112-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download