834014ee580ec086a4d12f0c13ab3a4a580e27bcde1336d5ab161e3af22dc6ed

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db4ef7ff63a94a7c3e11972e25e63add.exe
Size

1.8MB
MD5

db4ef7ff63a94a7c3e11972e25e63add
SHA1

3e8504f1358a28adf2746f7f1878c5b37c555f0d
SHA256

834014ee580ec086a4d12f0c13ab3a4a580e27bcde1336d5ab161e3af22dc6ed
SHA512

c15c5b6c383f947d31e1d9239bd0419a090731ef27db386de0173075c1ed32dd4e69ca0a1db6ff559baecdbba1146ab5e413c13741d79691b8548fdef3101320
SSDEEP

49152:OE19+ApwXk1QE1RzsEQPaxHNf/i3da1YS6ozB:z93wXmoKH/iyB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
232	alg.exe
1660	DiagnosticsHub.StandardCollector.Service.exe
2400	fxssvc.exe
2208	elevation_service.exe
3768	elevation_service.exe
4672	maintenanceservice.exe
4036	msdtc.exe
4176	OSE.EXE
1048	PerceptionSimulationService.exe
4720	perfhost.exe
4304	locator.exe
3048	SensorDataService.exe
1544	snmptrap.exe
1812	spectrum.exe
4164	ssh-agent.exe
1832	TieringEngineService.exe
976	AgentService.exe
1060	vds.exe
4240	vssvc.exe
3552	wbengine.exe
3004	WmiApSrv.exe
1376	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\spectrum.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\AgentService.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\System32\vds.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\dllhost.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e79cd112c3136770.bin	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\locator.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\vssvc.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_104468\javaws.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	db4ef7ff63a94a7c3e11972e25e63add.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	db4ef7ff63a94a7c3e11972e25e63add.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	db4ef7ff63a94a7c3e11972e25e63add.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009114b158d4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000962cb051d4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002f698c51d4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1068a51d4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000029541150d4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e3e1d50d4b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b49c4152d4b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe
3352	db4ef7ff63a94a7c3e11972e25e63add.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3352	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeAuditPrivilege	2400	fxssvc.exe
Token: SeRestorePrivilege	1832	TieringEngineService.exe
Token: SeManageVolumePrivilege	1832	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	976	AgentService.exe
Token: SeBackupPrivilege	4240	vssvc.exe
Token: SeRestorePrivilege	4240	vssvc.exe
Token: SeAuditPrivilege	4240	vssvc.exe
Token: SeBackupPrivilege	3552	wbengine.exe
Token: SeRestorePrivilege	3552	wbengine.exe
Token: SeSecurityPrivilege	3552	wbengine.exe
Token: 33	1376	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1376	SearchIndexer.exe
Token: SeDebugPrivilege	3352	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	3352	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	3352	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	3352	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	3352	db4ef7ff63a94a7c3e11972e25e63add.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	232	alg.exe
Token: SeDebugPrivilege	232	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1228	1376	SearchIndexer.exe	116
PID 1376 wrote to memory of 1228	1376	SearchIndexer.exe	116
PID 1376 wrote to memory of 3236	1376	SearchIndexer.exe	117
PID 1376 wrote to memory of 3236	1376	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\db4ef7ff63a94a7c3e11972e25e63add.exe
"C:\Users\Admin\AppData\Local\Temp\db4ef7ff63a94a7c3e11972e25e63add.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3352

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:232

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2208

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3768

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4672

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4036

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4164

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3552

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3004

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1228
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7a728dc5dd56650513c30f7fa174137c

SHA1
02b444bf96a4ab4aaca97987ec355870b8f9b0fc

SHA256
f27c3beee3b7e2115af6a0c95a7e7ded8d329473184d97f63e8279727cd1314a

SHA512
5adc98f9901dfd0362388c821d72b8613f5c43e54ee24c752f402d16df117445164a79cc2c6b78d673117bf59970f194ac7aeef74506fa4be8fdc5e78a9c2db5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
578adad075c767b496c9ae5083d59ece

SHA1
6d70f339a2eff544cfb9f7611fb571d7f49f7f00

SHA256
7f2f6f72468e54bab99c1d05e42d9919ef04160a4a5082428ff972b332ee863a

SHA512
b730706a20c4d02f2e18e8e55275a4cf12cc59dbb7e51e9d54aed8a0719156ea4075ece3a0d6591539a61a9c89b6cd46dbb5afe01cad647b266e0ca5f1d6db4e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
dc740b87440b8fc4d3d2082ba4a56302

SHA1
202110e4e9ec712c89e28fb1be1a7e83ae1a7613

SHA256
697cb745375feaf83758ae674e982fab4f7d6de695d7c8392dd41b85a61996fd

SHA512
bf92d6c65dfcdf4c5f7602904f91f4cdd1b150e4488046d5d59fa8ade7c53e866122d8aa3635a76a4252a59cadd9480b1cba1226b54da5540694b21e3c065267

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
940ea254fbe52a4446bdd92a99912f96

SHA1
d36a5d10d09ce89fb2abc735c52906cf5e0ccdaf

SHA256
c3bc1124fab4fbf904be909c0c2f6d2aba86df3906b59dd5cdbe0d1acb15806f

SHA512
3c812305aac223378f0048aad28b318334eb1ebde6d0fae95dbebfaeca2e162122357d8895d21661ac00df850c62c5d4c980b0dbf8253489cda33cc23c566af0

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1a417cde4f80de9654312c71979d0cc2

SHA1
61edb1a7840ade6d91e57a5be18f8365af758a0b

SHA256
dccb7f79c4ec5c10956a703af8021e89d0456c89098b5a9e9832977ea361856d

SHA512
0869dc4cb83271b93e1189c08cb605de74c7d9997df28898cb6395afdd35083785af5ea3fd0027018b268a1436cece4ffe93c0fa58ab8e6013aeca731a862e26

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
6866765b898908f671c9c0508634d88b

SHA1
aa520ddb6332e866162416feeeca6d507012b7b7

SHA256
1d6fddb829d56d21711a10642c89739cda75f0db729d9b8a5debb82caa9ff764

SHA512
6916b7e4ed7bfe050f58220b924bb3f5b3f638bcbae5d9cc10b87c59948e1ef6626be2f35f2830ef7f01422453f9e490fc8303f9a3a311122561e394c593eb8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
a764ead7062c15910caf43a41ccc897a

SHA1
5f3b72187568201f6979d69a48bc872047316c6d

SHA256
6f8f53e1deb63f6f28c162bd25e00be9a5bd5733973d48fbb0255166f346952e

SHA512
87733fb89d0078882b1e0169298e7df539e6404777de6c92a5b842dcce76b97d55a6347d9d872caf51ac67ffa51d34a8fd2f6277e6447f28fe9d37dc3b6db10b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9ce32351f31ef074ee880d7ba7110899

SHA1
83654e5bb3fe0ac9f5b65165a738cfd83a259973

SHA256
4de2e7dc315de84e4eb487da2d311e4a463d0f8622047476ee6b2f0177e8c750

SHA512
124e7498cbb4e5c49b251790cddd8cb76206f7bea5904ca1217291a7e8e401ee38404abe8b1b56609e8488bfb25f938fd941cf0479d6e3b663ee784953f26804

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f72257ced58b62ea809598b407b40e70

SHA1
87b38567ed0e47614cf4f6cfb201acc3ca9eecab

SHA256
0f06521f69ddf362a571b2d120df48466f7085c551235053112292af92532d5b

SHA512
6296e549a133fce8df26c32392385c4c8643892b0544b402227b87005b5fb9031f9c2866a147caa491b064120373421bd55f622c16dd57bb8d9e285c3b9a643b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
48f99e96249851f6f71468b7d63bdc96

SHA1
1262f19a83324ea5788fbff0c1fd397e1bbfeae1

SHA256
3ee4c5e415754a58f5f20fa14349efb7e040411dd1331ec45b80c541a641dfbc

SHA512
318212a7a869453aa0607bb6fe2abce7c02f9a0886d00bc2761cead8e3561594eaf274225732d0016e0f7650d6201b561e377720f3130cc45d905ed9f2023d5a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
53422dcb5225bf164b9eab66b65f703d

SHA1
67b90c21b5442ce43d6c932c9e2232a746dbc44f

SHA256
856d99fc73bda467ee282489b75dafd79923f1fa6ea082b30f0ed21678462869

SHA512
fce446c209372978132bbc96917fc87f4b0d1e500eb02bf7de2ef6f311a302a733e19461ffec5e3ebaac5ea86de44e28f5187c93938509fd9a47685d559d6586

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ba82fe228d74705a4e16906c8a1f923e

SHA1
85e3fe2d8c54acff9dde2cc0e959f5c582048632

SHA256
df02fc85ac48af8a935374d34fb9f15bd484edc09042e2b5c1b335f984a1d1a5

SHA512
eb4dc29b064fa31e6af8b98cd45b03ec1be264a584b7dbd59550341febb398133039b56fccba1c4f63035ae15e021f821a62cc71db0839e59559f2d79a079075

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1aae51a03f38511ac9dc38c1725048c1

SHA1
65bbc07bccc7d651321ed8e6fa19fdc1c5238971

SHA256
02aadbddae7cdced1990b4236a14dd0ab27a37d1acb42a1dbc4e6b47c7ff0fb9

SHA512
f7db24f61d54d321a417fcfdbf8a185f72ac817d559df0c21218f19bddf5a61afbe801d70e57f2eacbc37cc36f83afbf6f2a9193c02b33ab9e4013a0ff70caa8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e48308af73abfd2c352d427bab938a93

SHA1
b556247e0499bfe4db023ad46355f797528eb908

SHA256
41019568a5f8f41495ece0213ee53cb6cedf4a693fa3bcf1e4b12eadcc748473

SHA512
32987975cdd4214b3354859df1fbe69b8cdd0635d911307afbbbce8b212743d97cdf4d0e493fe5257286ed0f50aa7048d73c9eb3021a8204e9a1fc45dc5d96a8

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
e8ed17ba78e95f38361b52341b87ef3b

SHA1
caa0bf7c868daa8ea3ec546578ea3cf2b9ed555e

SHA256
c22d292f2f55c3e24df47b5d4a7cd64bf06944b6ff0bd49888bca099e530ed9f

SHA512
5d57e7de4c27862f63506964d653a22eeabac2a118e15ac1c708d65b3240ba9cafc6661ea29d532a9ba8f1256106ad2bae901d87eeb88f18d344f73d7d64bb23

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e40c18a2ba062c2d24b2edf39b85faa6

SHA1
501fea3d2df030324b9a5e17e610a626ed165059

SHA256
c3e7b9eb7fae95ec20df8996f5021841daa64f38bf2943bb1488830fca86190a

SHA512
803fe2d79aaabb6c65032c62d446c5928058b494fbb38dafd76fd0b84cd5a1b7dc77e801205db23762b526bd73d52494651b980ec19597b7a1e1a08513480340

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
19966123f535469ae8f97231d0e54aa1

SHA1
27a22cae0ccc7f538642aeeb716b554785fdc71c

SHA256
4226857ffc8ac5c12a4203fae20099603e7ecb04512b222531655d82bd74748f

SHA512
d36fb132acdaa42a29686d2aba4fe4b427cfec9059f3c55db724f7ab0f18e82b24a523b17a07d3d36b34b3d11cd2a6a1197d35cac78e1391547f9e5137d600fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
b4bbb9e5a5b85a29695dce35823ba574

SHA1
329c6002a31766171d36c57a39e8d31e7d47ea52

SHA256
5496d9795706392c2e6b5d75f521b182ed8368de1d09400c93fcefa7f996988c

SHA512
a628103f44e6b5722a676f675c1ff95a60b53dedfb3c79633ec133d2ccd96b7ebef8b591a10dd928571e440e0a0e2eff68be0d487059d2bf8f15971ede4d8e73

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6b3846d8809c57e0d3c9b2fb161b5380

SHA1
abb7aa422725a3b4959fe828a2216099b0f74688

SHA256
f93e0834d6bdafd1ec2ae8bba2da6311f09a40ad2550875e66db2e1aa4c9f614

SHA512
2e3822b185e302da2874b4121b4bcc1c0d7d0ae178e283cf723485338a67529ca50ec0df68a0cfe03ec6b3f5eb8bb99f22570d3f416fbb636048e3714e1d65c2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b6ea160c04c970eae349ff374d382663

SHA1
54f9a094ffe2269f4c8f3205b6716b2900e803e8

SHA256
ee06bfc4a9391e919bad2178e670318780038370cdbb15090fb924cb73dc9dc3

SHA512
374123ba01feeb39a7399287f0d581e5daa5e5beb742017790735da8d4b4dbf250b9a3f329cdc3829f63fb2e5fb2ac44f448d3a4159b097f35e23739955210df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
98c843f451b5ec8fa5e7211136e65838

SHA1
3f33792b9d668e4abf1a537f26dbcc4c040cc78f

SHA256
2a2d79c107b35a4e5e8088589a896409365bd13084f4249fa3a631e4781f5fcd

SHA512
0ecaa90894d17f21030bbb1ad0dd834147a644465aaf0a52a30a24b3d4c923a4a450961c3305af2979ebf5ea9f06944ecc0d73c592798f4fd23801590762211a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
667556e72d8537c07b399c92ac6779e0

SHA1
94c879ccb5169417e64a0fed3fcf7904fd161a24

SHA256
f76538960c80e7d042fe473c31a90ac6a55832987cdf9550f305f892d126d744

SHA512
11d282d95921872b0797f8bc8f02c06a24423a33c8dbf964f1963c097ca7c56248809591cd4622bb814e77386f2ed82a7c570c3af932f34a7a5e259323fe0bd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
35a2be7e52e644d6e80de499f462940a

SHA1
0ca0728f3f0c56c777dcc604d97b3baa76ce1d72

SHA256
f0fcfccf41cff2262a0fc483eea65bb31b72a59a47487a015a98830790e1ab8c

SHA512
0f8ddc10fb175be0728dc1b312bef3ef78652a59f33f0a09e9b79ab7cb10da2666c907726febb56294115b86f5c8314c551327176c7ca1e37642164d1803be89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
7dd59426712e79ae6da34eca70089af5

SHA1
004a00fd15e9b5acf58ea76a9d4eef36ffe87281

SHA256
f46dd46cd111dedf49d30354c2c310ece9da1a83d5a00843d7ff7b8a8e56297c

SHA512
65ab6376140f69dfc3b66814ac8b054068649b36bb95801f3d1bdd6a2890df3a88ddf3d8b06d87f709ccda61659d7bf38b16c2ea9be9b1972fa1a0c4e7d58b46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
9fdb91c8ff44af321bcd6f7820021088

SHA1
68500758af8ee27937cad72feb2453ae0964b33e

SHA256
be3370d7150a726252004417012b648b311cae0bf36919bef2b6711014c9b4c8

SHA512
b5b2f2cfa7a4f4568095773a6be7f3136a1ddf6aeb75f7a6fbcdb1f22f0677c35885ba8aa5913ae3ab0f320bd9b198ae1707ae1d5a542a2133569a6b32bbb45e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
65926d22ec344ffb58d16822c8bcb6ee

SHA1
ff35d7be2aa52d3a93e99ca9213b8082ec8d9b7f

SHA256
4961b6716f9b8de1f1853ba2524b2b39a633b3ddd7c96f8059e938022592fa9d

SHA512
2a14edf292642736c65dec10c8641edf7eba0bc639d642b8a7ef36d92aacdc90800b4b74f5b4d04df1269c11e69f29b30fbec32948efbe1a50d451b117474068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8d61cc395f9fcbfed5b1ce0ec6c2f031

SHA1
061d84067a9e371cbf69607af0e421b18f35d8da

SHA256
59af0867cc5e0440b2c1e257b5943b742f876abf28f71052aa2876dc964ee838

SHA512
c9f6a27b00bf765b743c279319889737ab13eed5d4d2ed6b3aec50a8a36f0600b1849ff2610ad99e10b1fcda92e885fce093999cca5ddbec296a61a2535c2877

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
a44d3d7689703d3f71399a50ee154660

SHA1
e83b8261a0cad6d2dee13fed7704d5c8747e4947

SHA256
ae518ecd2e9e99215e82d603b5de9c92d209b1c8e64eea55242fd6676aa5005d

SHA512
731fb350477df8029238e0dc6e8f9177de1c5cc1660a21df3c8f13e8b2160c35342f9456abc21d987346e4ac9227efa5da7b2da012e00960a8a27c0b3f8c2a06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
54f063217d965e4894597a9a7fb31a42

SHA1
c931356d0eefe7f284991e001d9bebd456225def

SHA256
cdcbf3552adaf7ef78a5ff807f110d49816eda456cd7fbbbe309163bb9082864

SHA512
4cd490ea2a899e759c6534a342635ff5edc2aca7845e2cc6a28820572c28553aa55fd746f542b279d29208f43bd051cca38e55ca8e050761259b3c1fb44ed242

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f2827c0233d009192d63d735c25bf9f5

SHA1
da44fe45a8999120dbb4c651dbc45b69425edb79

SHA256
d1d324bd9ef01bc307c2f7c74916e119b9f7c81946d10de2423bfde738b3669f

SHA512
f318a4dd0a7680690fcd4d1071136226ffb008ba8eaab207f9d6db5788914587dd522e4c8a54c996b7e10c843cf5a44064085da4d972f2a62798e46e930b04f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
829c53176ec7813ce1cb39242183fcd0

SHA1
577ac8f2a934ed89bc44842337a9cc748a01eaef

SHA256
fc17cfbadaf689978ca4acfed1501e10c478f5891294422184069ecb1ee290d9

SHA512
5482c77c57126ed07aaf8eac785d21c6fc2de270b0b123029bfc12ec9b799481bdc89ccef258102327d136822466b75ad901b46340a8cbf5bf5eae07577c84ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
a4e47b0e35a81d1c59ca8d2947792725

SHA1
a6657b3b5d33aa8f637127f81900197bfe103629

SHA256
c313f3cf161e9a5261d021b88cfe680a1d3b4b53c4a8799da26f0c7d5fb1e603

SHA512
4c4b060d362a7e421a3e3d1560b5372fc982214a3d8a5a19fe76f57847e3e21957a607430c397548e8487cbdb4fff613f13964c00b715ec0fffc5f045f5ced2e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f28b92c0b700b008066ff1d4f3163b88

SHA1
ae19f093d8257fb995f8beb6f2a5bed03c67af10

SHA256
18708c0ed3758fc50fd784651d8bcf87b717c52e64ad602d372d9cc7aa4f6d14

SHA512
7810dacb091551efe38c224391b28e86d5c5d444095b4ae33cb8fa27e67458c5e40e2862708f2769b382aa1aadad8aeaf0d6f660290deb992381d632d9951c8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
663c2f12b9ce69de185d32ba55b00537

SHA1
ddb952b711379f9e7bd5f25286925dd80ac5d5ea

SHA256
f120bbc41e58f7518d31313982e202a267a873d0529447ee8d1ae89f494eecd7

SHA512
78b2a03f80e499a73cdf1ac506e2cf72a3cd16c0b7a0473cb3c687cd37e6589b4d8a33dc658de2023bbeb194a7eff245c07dbdde818ba60b2f8518b7e316e15b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
918199fc6490ca1adc630b08e2bfae84

SHA1
347c4dcbfbdcaaf46e31a43668ac0dcec0159580

SHA256
19af53aed8ece3763e249320d3fa306d1ea11ef9d2b4eb9d5623cfdaf35fe6c3

SHA512
39fdb58f0cfee3c7cb022cdd594bec35e5880d5c4f273bd4ecab7364b68e25d205f0261be584e19652474d76bb65c9950b97681142ee58591d14fe10b7881084

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5d3c3daff1cb86753b4742c9930fa789

SHA1
8b65f226650fda92438a604aa7c95f62413cb99c

SHA256
550de7a42203c34952e9a55631473308eae9a2625135471251e03d437c54887f

SHA512
413f39c750584cf85564f53416530e302eb8590bd1f6f541065d5f06bb2239f00a1cb2913be4fe7e2945e26ec1fb2fa8686f47de161dffd212c6830c59707316

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
066849927f40f8035873b3fad001587c

SHA1
f835884ce05363582e6470d5f8f0785123efef7c

SHA256
4c312d599bd06a5b025067f65b848efea0beb071f775e0b430c060fb0eef4d41

SHA512
699a28a328360bc79532a6bad8d4c346e3ee3c3a0655cd5134ad55dd672ce8813ba1eaf85224db25809bb4deff97931422d63f1fe90b71fc32222cc4c2d62772

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
b6e6b03aed5eee77cccb82cfd73a5433

SHA1
ca5e4d5fedcc36626a4f7a6f54708e9bd84b88da

SHA256
05439bcefb037b3f7d6c7d7b9b4fe7f0133220366e4425d509e95380addd3b03

SHA512
83b15ba0117b11bc0a654fa6a59b4d641981b841ccf739d62caf67956dc0e9b0ffaaba8fa7e1908e9cbf03087e897490777ba1642252fb507991f66ffd9e9ab5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
d1979bf2e3cfd553ffa1919c8607520e

SHA1
457141ac82d3f42f513ac8b65536d0f3d5321b89

SHA256
629edfa323695fe29ad98f74835c481b21f6b3d11a51fa3428bcb382391c963f

SHA512
fbd97e91a0a83367564f70453b22fe44066aacf4eacd1f31367cd830fc7254f2d317e87f10a1712f9e50f46ad2d0497c963c7254f4c2916ec0531df148fa1ee8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
31449115612d0e80d464aec08b772bf1

SHA1
d8776ddc683ca6ce0a3723cbc4456224d912b7db

SHA256
f576dd5d9d199e4e7f2957a6148a35e9ba5d0632b4a538c344c1e8a1cd141e7f

SHA512
3fcc2e1e0a390b9c0160c3b3e3379249df4f10bbb43b30d33e0db23a6785492f30f53a64788e1358bcaf25cfa0e0d4a42e425da4de3c3e2fa7397be8e38620c2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6736908ee8c25a76f8c1d33e56b5f71e

SHA1
7a50b13f321132a6a11a9574f07b4b58444a9c6c

SHA256
6b339abe559b1250ebd965176bcf8affdb82aa371900a1f4129e10cb200c4bcd

SHA512
cfa39afa5931703b07c48557efed88b42748851ba1507c91026d9d1d5efd9c3111d23fa7b945a8d04f7f65491fbcd4e62bbd8b1c09c32e2b26c4d119565acd34

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f6c2307cd41fc8c538ae91899ed4e653

SHA1
02646d68f1f7d7e8e2c57a2456ac86a5c62d1c82

SHA256
96dc5880e7805e39a934b659cc25e7c77edefa52bc92b1ad34759d7e394c1206

SHA512
8fbf83a984fabcfb0867c6049af66444346af8d101b4cba307d2a5fd017a8b939b4213ad0bcf606357b2f9740f5211dd454bd6cadd357842fb4b7aae83f513be

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
91dde1075f8561ef4e751fff4e3f6bee

SHA1
76c62339aa25c6beed0890f15a08689ce6b0fdee

SHA256
cd6def88ce6e0d32200f965e655942360c84bc592de2551f8664e09fdb34f40c

SHA512
196ed08071f2e3451df67c404c05db46c129a608e774d4477df5bee7f114c40079a1752edf63e2cdea9847fcc0c88de4c5f579578d8a938cf0fa96fde20cdab9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
42c7e26870463a9db0775b044580fa96

SHA1
9e0b3f034b3acdfeeee72424f2a50fd180a10f16

SHA256
dd5be52700d2cbd174d60908476da8c838f99e3c29f05c6ee8b366afa0ac802b

SHA512
512acb8e5aa235714d278bc33ba45d2d345b99df2c8873cba19f3ab3be50fce895bfc2f29b3512af7dd8adac18de0cae51fb5cf32752283146ec1aa05b90411a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
e6f69d32408b6147837431cb6cbae6c5

SHA1
7699fc666cb3558b316ff8c39b10ece1a6961642

SHA256
913576efc8a60f1b14e4cf2309006e829f1cb1c09b62dc92c465921d9d8f747a

SHA512
e82f1890436ca06074f5ebe5751314f3b9e608d35b74d725bade556a0019a3eaa903a75a2dbcae10005427eac56f547d8799803134fe084d336efe775461f839

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8a21ace028d86e0bb8a4db4f422c3cb9

SHA1
ef236b799cebbc2958a0e3076b57401320019697

SHA256
e8b5ad2e478c0fea11145df3094ea38813fa0f269c4c8ae26f4341cfa1b3d5d3

SHA512
8a00cdea540435038b3ea8f1168a7f9b70d84c6e97eb74651518c2ac7d52e0a41a8212910719043d5046797b1703b79570fdacaada4dbfd589c652f8a87e0905

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
31bf4e3cd77c8b4e5cfbae6041bffce5

SHA1
7e3be8827f6fbf50ac4eb68abf6933cac7704b78

SHA256
08e26ad88e3dc97ebb42abd39317e8426c700a0cbabda00c467c1c66aa40f2ed

SHA512
8c4d4c9a46ef54b1d445cd20dcf74826bf42541623907f4aa0c68b41180b29d3d82ae5a0669088e716afe2df99aa2c5472287ac3fe33e8f8556a21866e2cd82e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e1b2ad209bc7ee02fccfd0f6e62d35db

SHA1
86f9075bb0532984fb32864ae7b86a57084531c8

SHA256
18ec84fd8f33631c8302d5183842b6ef0f317a1de57aa2ba56115c615ff72cf9

SHA512
95fc89a2828b1c6881d52e5943b6beed968893126493d2fb73da68919a9f88cbee6761f9fbe205e375e189856107436d2e18dabe97a0ade77bfad7b11b5c20f1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
1f1c56bccbb20bdc8f8d3808759c4690

SHA1
4c2b0bb92b4fb6f7671376548ac144abb7136cde

SHA256
81a9e06d9162790846fd37755beb19d398b250320ab7d994cfffe6566728ccbb

SHA512
afa22ee7dbe5c44cfe943f2803aa3faed97ebc083c3444d04175d1ff57f7ea81db229923971051a1bea8827bd2d7fc315d3a3097e06618a109a80a3176d131fe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
6df579bc8c0ccbfc17584377a6914469

SHA1
ad8a2ed0c9de44ba113bf6adcc75722310c34007

SHA256
31745b95337eedbd6457d0b01bcfffb184f0d69dadbdf76a27082e8ea9221626

SHA512
48a6a90c1e52a6fafb8d873dbd26533aaf55b93487685f707e260fe2358867e5f75c088cf9e8c1582afef72b1cdae2eb56ccddbdc283f1180f0679d86f60b638

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e25230f82b6d0a8838d418da5e2a5096

SHA1
687f9a7a7089b4257e484907a406740b0574d677

SHA256
f343be8570273a98203a9643cb17e14b1a3144a9b95a66f8dc49d310cbf7a33e

SHA512
77fce0fa678cf9a3ea2d98a7300b1c0b832e7b8f6e206b917bc150f78940913258b72cfab1e9ebc282566120df8c998b567c30e50b5130a17324530b40a65f72

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e7054295c8647514783e79f495dad655

SHA1
8caf8e2ff2116f457171856c98ac9003cb97bf64

SHA256
49a17c9fa37859ad41c267ea8362487a4486fb2a58856584bcfc8b3f12cf7bdb

SHA512
c6fb939d3878d6d4aea8696f374005662c2393283f2cfdf6c856a7680694212c48fc142d94f7171a7a5632970a25dcd32c92c992a9e382c5f06d87b81e9c656a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
78049bf5aa94f9b249ec24774e3e5078

SHA1
6f2729bca919abbf293c9820f6770b4d706627b7

SHA256
140f7870a3a837f148c1a9a19edc78412b0a04124e47ebcc3acbdee616ccc528

SHA512
dd991c1f26844620637282bb3ee3866489023f804f16e0121492a70df219797c370ad659f475a1260d9a65f252d4e0bce8de97f6125c532171e0c883d30a13aa

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
00380c187995cc154ce54786ce1cf1b4

SHA1
33352051385271fb1e120a935bebfe223cc372f7

SHA256
bae608355543b0995685ab07aa7604a2f1127fa438a82016dffdbf8976b232e7

SHA512
7db0e28746b7b5689daef288a53a9cbb66f93fbd2df46bf7349dc9e5f493e9549f99bec5c9cef994b8e2fe47d4bca93aec3f77efd666d4cb72e555b45f8976a6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
5218270348278b8380573371f6cb1c9d

SHA1
490b708bbf15950274e86cc39920daa7bca01963

SHA256
e8d3049fb08985024d398ec10b4ccafc2af71bd6f0a8b7a8168a271ae1df37fb

SHA512
9411552778ded10f6c5862e7cf62cfbbd70d046ea5bacef75662f8dea9ba94f08044a66d2991fc2777be8f287bb22be7cbdb751c59b82d3c231525a22b4f47c1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35c7020175701619f0f7712b280835b3

SHA1
fe8979138fc1d59526ca4862e1ccf5af2858e9bc

SHA256
f77abc305be4969c8c0c74cdd2453bf667a015cf7297f775e5f064fbe4f5f668

SHA512
b819d2cc39c1bf6acaab0ab2b0441ff1bb2287a02fd02d0240656c811497af5ae90a5e49d26fb0592ba358670cd4fd8826ebf53c846004935807d600267feb08

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
cba050512de5dfdeda22983144b29970

SHA1
72b9655fbd28c152197a23e6a91a6dd77f51f67f

SHA256
a20a08963fb774d90c17a8eabdfb5826eef3f0042522fdca4ec9156e99355e24

SHA512
2988190e92a8bab3eb0ae0032f99068b032076b2c29dd6f0c1734dec074e07ae8c0e49e031305260456f5a9b9981ae7a6c659ca19bdc1cd2b7c92ed42a12fcfe

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
205190ae11e7d0d9db6f8e185cce58ad

SHA1
402684004e35f1e65015116cfc089c2e955c2c44

SHA256
4d1d3baf3bada3abb2e774da7feec9e2cc4c925efb1cf242ae92976c48d0335d

SHA512
6ae3a1e077e1e061e73b6715149cace753d392c7e478735c7eccd039b6e2fad9f8eec64ad1ba3bd97e86cc7880d2504320cc5ac29b1b205bda258c9e2c45fc4e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
15272558bf5fb53d642b2634eb1c090b

SHA1
bbd90d6c2c5de2cdef5ae6e3bfe4464ac6037842

SHA256
346e5e5b5f75377658ed84d4e13413372898554d57ea1978a491750e01ba05ff

SHA512
ba382290f988a561f65429d9e8c35a1970b67ac2d2e54112501cfea360c9d27f59ab4f8e960103dd674d7c614104898e6cceee883cd252433a80b02d32e1d96a

Download Submit
memory/232-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/232-123-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/232-21-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/232-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/976-213-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/976-201-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1048-126-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1060-216-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1060-536-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1376-542-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1376-262-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1544-426-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1544-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1660-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1660-162-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1660-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1660-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1812-166-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1812-462-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1832-197-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1832-535-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2208-55-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2208-50-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2208-200-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2208-57-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2400-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2400-45-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2400-39-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2400-58-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2400-60-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3004-541-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3004-249-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3048-501-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3048-142-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3048-261-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3352-0-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3352-82-0x0000000000400000-0x00000000005D9000-memory.dmp

Filesize
1.8MB

Download
memory/3352-8-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/3352-1-0x0000000000A70000-0x0000000000AD7000-memory.dmp

Filesize
412KB

Download
memory/3552-540-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3552-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3768-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3768-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3768-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3768-215-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4036-90-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4036-124-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4164-502-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4164-178-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4176-125-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4240-227-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4240-537-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4304-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4672-74-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4672-83-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4672-80-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4672-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4672-86-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4720-139-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download