d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/06/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
Size

1.6MB
MD5

170ebec05c82650637724311dc2b3f65
SHA1

63e19a7e329ec9dac74fc0116525173cc067ffb7
SHA256

d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1
SHA512

88c97cbc4d6e9dc86f0e9ab48e6676ac75997b0f963427bff91f607c381406942cdc7900cde23cfc9fb6428509599cd7b84a6e8ae35839b83200d69158684673
SSDEEP

12288:RJVMV/esbTD2wBUBOLQfVZ8nOy/3n7/HAkdtQiLWhVp0rtdLW2Kp4t0mY4AF:RJVd0TqwBUXr8Og7ggBRFWoDY42

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4868	alg.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
4412	fxssvc.exe
4744	elevation_service.exe
3104	elevation_service.exe
3064	maintenanceservice.exe
924	msdtc.exe
1860	OSE.EXE
224	PerceptionSimulationService.exe
4628	perfhost.exe
3920	locator.exe
732	SensorDataService.exe
3564	snmptrap.exe
4272	spectrum.exe
2412	ssh-agent.exe
4544	TieringEngineService.exe
620	AgentService.exe
3036	vds.exe
4856	vssvc.exe
2264	wbengine.exe
4284	WmiApSrv.exe
2872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\System32\vds.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f4aa8eedc8648821.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_96109\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000651291a65fbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f83b0ea35fbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cab9d4a55fbbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083defaa55fbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c6b104a35fbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1ffb8a45fbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e91307a35fbbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cdaeca25fbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000583bb4a45fbbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099dfd0a45fbbda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe
2012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1048	d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
Token: SeAuditPrivilege	4412	fxssvc.exe
Token: SeRestorePrivilege	4544	TieringEngineService.exe
Token: SeManageVolumePrivilege	4544	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	620	AgentService.exe
Token: SeBackupPrivilege	4856	vssvc.exe
Token: SeRestorePrivilege	4856	vssvc.exe
Token: SeAuditPrivilege	4856	vssvc.exe
Token: SeBackupPrivilege	2264	wbengine.exe
Token: SeRestorePrivilege	2264	wbengine.exe
Token: SeSecurityPrivilege	2264	wbengine.exe
Token: 33	2872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2872	SearchIndexer.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	4868	alg.exe
Token: SeDebugPrivilege	2012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2100	2872	SearchIndexer.exe	106
PID 2872 wrote to memory of 2100	2872	SearchIndexer.exe	106
PID 2872 wrote to memory of 3596	2872	SearchIndexer.exe	107
PID 2872 wrote to memory of 3596	2872	SearchIndexer.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe
"C:\Users\Admin\AppData\Local\Temp\d61375b6def10107bb659c4b74e78b1ca6485d24c189c9c2c05bea7be9cbc4a1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4952

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3104

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:924

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1860

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:224

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3920

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:732

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4272

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3712

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:620

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3036

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2100
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b8ebbbf267b162e9a873bb0fbcf6e02d

SHA1
fa591ad801d93131bb021b936b37849c3d99b4db

SHA256
951030a722b09363e43702cac52d2f487617fbe29698af13ca0950960b83e88a

SHA512
47e5f9b5e565611f327a3386efe946ee20cea315652ba53d57a52242e615e218c878aac592d08f8f227c9e7c3944fc1b4c1e6e410bc0f3cb3771aab246a30376

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
3b6584dab80a0168e67bf8a2a2107330

SHA1
882c10c6216da958498e3c6e85e8f2de89aa53ca

SHA256
94160ec5a0448fd03da5c1cd15ffac0e8452ea9018de36212533bab765cce33a

SHA512
e443f434422a795300d22c1c76a243e06907917d4fb9c1f6f4350a51c80cdddb40b7c30dead664e2edc340e57215374ba431b092b880c082fb621bd40b2a0cbc

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
b3d63abbf87db162b2dd361adaadcdbb

SHA1
efd903d119c3321daf885a0a56b2736c4e22c60d

SHA256
cdc6908cfcd80445eb1ae0dab052c6babdf30f4232d905175be092fa5e4717e8

SHA512
b97e9256a4d2befbd790eb09b158a9669706e21affb6b916be08f515e5ba7dea9af6069a2fcd89238196bd41e6ec4008e369c4c641e47850138f9b06c5fe58e9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
14952f3bb60ee6f553bd8dc9462aa379

SHA1
b030a39484c26f3d9eefafb651116f9c51bd1fc7

SHA256
8d3d4d1a123582ef6c04b857f36701a99936d95b51d39e04dc81e27a42273931

SHA512
b82c5033a9ec5a2bee0114a9e3371f7b179f1c3e8b0c7cb02751a5c010f8720059525ffb662b1b06fb29db9b38c65fe36c2e90de34bcd6a2c2eb7128614d556a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
72b459346be8728f61fa5ad42b9e7ac4

SHA1
392de6b8c08f71be11bc7db0fbc2a7fed43a31c7

SHA256
9f6d10109660e1ad3161c4510ea69e5a910ebe486362fac2b62e9321c6978bea

SHA512
7ea78b2e39751ef9d1537914294fc09820b0cb5c95afc527c3eabc8e5d5015c65238cbb7d0e94dd353379a0c6ecbf12dc2882c369e8b01fadb72a39e88de95e0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
fadeb2ca74c12bff5145b07820c0a16a

SHA1
da91f1c4bf7fc44cbf01a5d7c25a4ea867a89672

SHA256
89bb0e67a88b942f35e03220d4d3efee84d23622592570b62a48cca82b0ece9c

SHA512
400472245d013c733b11db81bb633807c80b73e7198085a055114e525f7f9caaea610e029a695086d917fe14541a3c934826a0bb01c95bea5015a171b732e79d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
a61ad63692531cb0cbffe4bb42658978

SHA1
cd2848946bf5a22d2a0edd3d74e301a2cbb173dc

SHA256
72cd1c3fdd7b4cda928658c94b176a7cd86ed26b11bbf87c9f9887c119ec35dc

SHA512
bbd232cd79b4280174520c8ff2969d62d9e5d267d7617c8b1d4254cc9a590442a324df297b57a7585bf78d96089d15f642afbad84d3c1b3a628d600d72162c49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1d54da14cb1f1e4aaf2c07c80e5de1ff

SHA1
b59cb40d07bbb9e1a542e67f4b8627857e5c85e8

SHA256
a3e2920564fff951b772b73cea48e1636562f6cd7e5e26bbc6edea1df5e178ee

SHA512
26f3c051c66057b66a0b3a3a7f12a462bc5d55595018ceb719f2019a9896ca65deef74b7513d553c7ff0a663e17042b8b6d9379a92fc7dc24487be546f119c33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
5649705aa58cd2c287ce3a797c8a5f9e

SHA1
bb93e04c47c6a5a709dd683b789b73e771cdf746

SHA256
3442e0d2c3ac9ac480b524e188512183de63491b148957a6f6941c1e56a89a8c

SHA512
6aaba6b68c4b27a90aeed8b1ab386f225cde4a5cd38bce6d75198f5006b5352a74c3961643b3b45cbf8509f4341a63b72ecb47805dae7da7b0d37244c7cdc88e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
88b3f9a0bdaac2b36b0b9341512bfebe

SHA1
5ea4f791fc22f2cf623da04d693a32a5cf014dd7

SHA256
67824addb82b1769d5acc6456cac60d7328695d23e954c8179c60293bd4bb19d

SHA512
8c47aadbac78e6be638ffe1b94ea87bd5c522b5f15b4e5d413886dd3e5188c8b73974710f93354d9c6fdf6a9463006d61e404154a44e6b25e09976241794d741

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
457cdb48a6c805e77ee76c0a6e1c9a2a

SHA1
fbef671a13b0c5d58b58a365843e275240149924

SHA256
6b8db7cb45bb52a7fb0be1ca223ed2d98c4a7f28de0529f4b18a88f0a0a972e8

SHA512
a291d63c7042296ab79cb03fcd90720d6337c5025c739888cf89f81fe4afd026b3069b1ba93f8b0bdcf614ea928df84f0a663cf0414a72eed070c41f6c4051f2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8bff1e07545317d75afa5d8713ec4ccb

SHA1
96c006b0ba6033dff0b0ba613131e659c559fa30

SHA256
c94fca47cc383cf00654410ce4c288d7cf9035bb17143a63ae9ac20af7a15f83

SHA512
e7dfb669a4bec5172b6f839ae55c6d1f030f7d54de63e5bdac6e4bb026c410d3ae3434ca3c6ba3a53cfd6f0ba8ddfa8dfd7b0310578d9a6253209d3308bb32dc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
3ada43bc32bf0369601120feeed0be46

SHA1
00372c90f0dc51cb38a566940286523f7a7a4f74

SHA256
5372ac3c4229f293663d96bd9b75c0e43f2fb267e145bf23bc2f7066a1afdb79

SHA512
0ffc47c196f2636b2f05646cb0a4625e36876315e5290308c7084533f78032cd3895bbfe6e1926679f8958e53ead8c95bae1e53db51ad75e924ef6cd4208aa41

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
203278d9a82b36197bd2b48ef1401f4d

SHA1
fdb35ada4dda070226caefadfe862529ce8ec888

SHA256
65e002e4a791c291d732a181f791024b7571efa51e99d411bf6e82980ba34bc0

SHA512
8cfd9d2ac0ed0b1f91d2887aa80612662b9497b21f64022b61aaf0e3feaed5483ae5c9fd3933158859dd70d525a89ba4bc573ce2186b5527837814dc104dcb8a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
33566f09709fd1965cf9ff01e131fb9b

SHA1
f0190985383333066d27bb164151c1a93c3dd21b

SHA256
27112c6f217152d6d5064e4848b2f0a1786444c4f00033415f2e3a1a2eb00ba2

SHA512
5579fbd21cd2a9d944aedaa96114788302beeb36088b75690ecd12aeed3ea8374d35a82e0952fc7cbc4e235ec6cb314909116efe1c23a8eaf5f3547a220da0a1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b7fda24582c01e5073c03b814dacb61a

SHA1
bcf6833fd009efdf1cbd21ed31883ca78f3084ca

SHA256
d70541c91f5d0d2cfba94ebf46cada0ea8a1a9d72830dc6dcca80d5be8922e0e

SHA512
748047d7c6335925a3409af056d95741e0f3e6a403babb2a9f3d32af820c08ec5fae4a0c454d3ca6d3408b2cd3a106ae6d2228f7d1db13960dac233deccedea2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ab41ebe9f54b678fb0399eee766bfe39

SHA1
adfeec2f471a6257ed34a72cf10196abd6f5617a

SHA256
5805c666be5a599d8083492c2998e149f01d54c21ed0a81c96de19479101c367

SHA512
533efed1ccd606f6817af17490ff2a6dbe709915809b7efc284c4fd238ade8e8b5926e4cc42dfe311560aafa4f3539edc167fe93a183ee9da4eac1345b7406d1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3fc67fb2c015dc64e7e92172bbc8b529

SHA1
b278f1cf3ddadae6d6fa135e3efccb281dc7562d

SHA256
8bee144a0a58dcacb7ecfb0fc0d3137f7cd467e7aa5c5ea603b2c16a6b9cde8a

SHA512
85fcb7a026363f41ca3dad1cbc36826d359e5455c1a624b2c1a3379ce4f227dfa297dfcc26fef3e4da2ecac7f15a4163a8cbf73a90445010fdd201603146c271

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fbd93cae649bc0a2dfd1c6e837ff0628

SHA1
a44f6cbc3ac177c013f5c4d41d8417f4a5486fa5

SHA256
9008a6080fde112ef4e5f79a17f0ef60acb1f88e9a3941257da6aaa56f933087

SHA512
8ed38047b74cfd7e2bb02e5afb6a758e6240d0b5b64bb9460b8e0f591ab42386869ade29e5317dc7fa9293c4e4b2bd91d44f1a17883822da94d2b08a27df951e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e053a46ec0b56d6c45200cf330fc97af

SHA1
6aa4489859a06c57ee79dd15fd5eef7a69d891aa

SHA256
0729879c183a7a5522efda243a837809ff5856de4369dfdf1397299a45a80471

SHA512
25b46fe30186abc774baf9125ca1c8b384b83fa602fa9fe92711fe5c3898a92b75be1d953d0c71a78b80ffb19fea302af30ace38c8d7bad0ac78714a7e8ede2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
806cef736a217190e2c6a1bfc612c8fd

SHA1
df39fa40cc5033310cb5d8e6485eaf582964d7c7

SHA256
4cd1021b458a2ce72a37f20abc939b01c099568da1ec9e79ef3f085e8e326623

SHA512
5b944493e63f336720cc9e12f67fba4aa8d358df9fb1963f4c39757b3012544c83cf9b98b8f417afc49c827920edda0558df77fd2a8f40e522862f86af4dc966

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7ef01416feef4c7e5f6abdd09ed334f0

SHA1
8d75871a9c9e2d4fd3730d479725f96eaad52fc5

SHA256
cfe6ea98de94356386faaac6ff30c5d0ea3d8866d45ce0b9a3d57cc31637de34

SHA512
0dded202c8e191c946eef4864ec7128a740da1e4aa72bfe083ddbf08f782db2ae8e13a99052f965ba185f397fa1f46694c7b796c1212321947c3152833b7dc9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
5d96218f26464a5bc36842c7bab75844

SHA1
125bc6f38ccbabb15ce6341aa53b67f278d1b399

SHA256
215a1325a9665c6349d2d733042d87564a9ba716d9315b1ee8480b1dc1228f17

SHA512
ac7bb16a0f6b3a63e57aab6a4b93cda503efd422faaf5e020513e53b0cf043f5b7e28dd79caff3e5e30d0aa997d2f3f8dc44e65390309d2e4ff7da355b1ee45d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
5c824ad59ad347e5486de17d0f9899e4

SHA1
7c47ba68cca4daa52e42bc6d2e5f1059930a06ba

SHA256
6941cfa073131b2ae30271454daa659612f11fbba1c24fb042e457da0964c76b

SHA512
6d61dbe4918b2f9d644f6b9800adc450f7d897e03d2185424eeb8ec6cb3917f254f748f7e320fc111a31d0223bfe9bd13f7c4aa10e2678f16de50a1c839cca4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
b2b855ca2ea3434523dafe55a9ff140d

SHA1
058e0e53f6a3e662172c7d0766bf8ab000da591a

SHA256
ce2973a4b727eec086b0b7f105c3b160511e49da21419b9a8d0d5f809f6fcdd9

SHA512
38e857ea87b1c202cf38cef16bd64830b4d6105e73fa8b83f6c862ccb7f6916bfeff7ddb9953bea72ed1aa4f453910a0755f6957e2ac2900d780003afd0e567d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
ef398058fc04515780bcb85034084235

SHA1
b2b9c1b7f47549abc8e198d332fbaffd6be32028

SHA256
867e79b0916e2a2464f5dc6c4211686ee56b38ca1838db5bafd60d7e31bb2c8d

SHA512
fb4038867ca3519a91711c0861a74040425c2fc8a45807b8bab28486a63fde0d5cce1257179fbf050bd9ec919b6e35645db0f1cf0cd794cc2801db976d52eb53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
25fee2350edb52536b4dd1d42c5f5fa4

SHA1
5dafbbde42881f50ff406d77bc74ad803c5a009d

SHA256
e4013c5d86df169b060f1a0da11043ea1f06742a33c55a5b4dbc98a5dd696a20

SHA512
6829120c6d0951e81db97a9a935d3b73db70a483444270f00fefa98ae5980d3fd442ea47a9e48d48ec37741b8026207ac5b2284955c12508cbf8986720e8cd91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
8899613a879b205d94add9ed8e1e4de4

SHA1
2cf47e958a1a27bb64bc575a995c0b4cd0baf083

SHA256
6517c0c5da3f47367aefcc0d65e2c0d80408f1e30523aee85c450cf17c7f45ab

SHA512
43469724e3748b7636988c42e5c37cecb48b63240f6a19d1fb841de937c1b0d1ede4681469bf25bfb92371f3c9d7162dc1e66286b8aeaf88afb2b2c46072ae76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
05168c8d70be4d0cddcfac518a622ebe

SHA1
a2f6fe329c311d3cad91e0b986d6d5b036fafa90

SHA256
22e4d9b3388c32d38d6a1b3a3e96ab9b3d4d4ecece3b9d7473b08fdf92651714

SHA512
34f3043c018f8fee721327b4d3b0e140158bd48b39bc806f6d7a4af68aa2a9f75805b7883ef1f391e17b3117d59c0c3010426aa91f05e87dea5dc894ef87faca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
45872004e27b3c573318a4284800ceee

SHA1
41cdca9ce5112214636d280dff36ac1fe779fcfa

SHA256
88735183b603b30946dec39de806cc51e3a7198a280e058857d2e464302ceed2

SHA512
741ec6dfe43c0e50ffd3f68ffe289a7d87874ae7080e9880ee7f2ea4f7a86b96cb89a089107d71502ba64066452cf1d1bbcb4b5f6d391ffb116486c9d1944c43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
952ff0bbd91059a1501e19688eed2985

SHA1
81a5662cb0e12b5045c0dc0fa6c0f596d243b4ff

SHA256
fdbd137947dc85040db6cfb1a169023624beea75b49d46b71d5bfff758efdf77

SHA512
1e721a807311bd923d4c7550b85773d1468bb8bbaf82e12efd630b08554971e01f7c78e4d5b6d5ec4fd58286891608301723b84e92086da0551bec4f3712b928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
841c13544aedecc9db88acb39bb0916a

SHA1
15ba253374bbb2643e38e798b9a95d718b8e5e9c

SHA256
5c6f67f0c06ceecbf7783e0b7a82b33d69ef07543a43059bb1d18855b2434b48

SHA512
9905354082554fc40200e8179f6e3708a01aad4c5ae06d0f44616dd253d3476ab2dd44b59ab6d2b17fab601365bc6f99da3bbb0c4080b4e4876eaa059b01b5cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
ee698e3e71997a72c7363a8a7f3acd79

SHA1
1e6d9d9c8a93452e1379381542d0783346b1547d

SHA256
64832c58ce83e5a8c91c8b048f001c49116095515a2ad38c939fff6cd546523c

SHA512
5576b99b5dbbf14f61192142e0e2215f76d528d0611a959de79164cd61b32817f0d9cba26f0fa528e025b72c2a60cc1f3838d2f8cf4666bdd425dda9803601c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
457588c780c2b7828ed15a75d43ec338

SHA1
e2771b0fa82441633e573fb6b5a4075d7f8e2ff9

SHA256
36be27a2fb1961dc42989650001f204f6f6986546b80b79139be33da49be139b

SHA512
67a64b30d128f3e2f8c235bce1eeb1b17f850309b9bc16d962afeb38661c8f61e2ed403e8c61e9e4d00d4031b50a33e5a453accbf1e94f67365a3f8d37230c8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
c87c6a4448eaca50c9e26bb8af04a75f

SHA1
30a1474cce877383b5b8ad9c53ebfe6c5083f2a1

SHA256
0e04284eed773bd043205727696e7a0810cc2d00478554987d728c6da0e26944

SHA512
7b7b1c4f9fd52292172b715a3158b01be3b5eb5a69f7ef3cd20462cd1688e9e44f3eb485047e7db3ba32652303c1b6eed2c76442b86bb147151c446159a8830e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
68f29223260f9ee2909b0c23f26de8c2

SHA1
356a20aa33cccb17b2358e09e6dad46842122c12

SHA256
1dffdaf7f5c94cdf7cfdb59b7282968c4538c9262daf29ff020290faf659a7a1

SHA512
f40a2217d6eedf1691479f2bfcbabdfe97a2a5be3e79c5f8c1a46cbbf14b3c0e6315feb9698a024ed5b6964fe504f457027833d6ddcc18b5b89f6913b93a573e

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
988c8ad9fbdc8250e1361746c8798580

SHA1
c9eacc4f8bf4edea680a4277b112bd930895b017

SHA256
0217c1dc26cc56afe199ee8a92593c89887fe66ea2fa48ce41711a9754a6588d

SHA512
3c1a678e88f376b1ce7a29ad6f938e7f68867d144185052f75671717311808ea73974dffede95ef62c5f2b9d692edb99ce5dfce6531eb7ea6acb7ac4a071496e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
a13602ab3d2d3958880fd1143b4d1e55

SHA1
93d1b1bef9027777ef9458a198ad6e01d9eea658

SHA256
6ac572218da658a39955cf9929db45996b9c3f96bec3a76b8bffe10e373ac1a3

SHA512
2a75aef5dbf32ee8375f3a02224f5f46850887c4df010e9938c4e4df9439cc10d62cdd093ba9673cf67358ca649364e3bdd13ce072994bfece9c44f53911b608

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
6d63cc914fd95ae943fec9f81af8a689

SHA1
97c01276a326eae8281f113a79e1855a5fe0551a

SHA256
ae6dc8925ab239d5f48014766b80d99aef60ee38b3b27dd92af9cb2dfd86f924

SHA512
9cbf140d089fac17d3b32ac25eaccc71cecec3861bef7e2db2093e7ad068adc6add14a4d530615f60570db7e03c8666f033a3fd978f7132fdf914bc9d538a465

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4315f5f4bdc3a180e380e379d037662b

SHA1
c02332767e1a76235d18b8ecbfd5c523f3fe2bbe

SHA256
a15342dd8ff6320c89efe090f3308c8585b1a0859662d394c8b8e6f2a1aee7e2

SHA512
c010a4b165426f2af713125b7463950781a8a600693480a176c83c7f0af73e809def0543cde659d99227854d0ef7c1cf45dea1e82c4b33a07981c01a16c2b0f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
e1a7af528cedd82704bc862dfa3df1d5

SHA1
47df51fc5d44b564ef74e827b10aeb5b1d4e1a1a

SHA256
9d39d086d871ee9203a942500cca4b0a77701a97d0849b1c70b21717703931e8

SHA512
67c6572a8adc89137106587261bf4a8371fb20973b3dfe56116a1f9e4a3b155fc939af7d8a49f678e92ab470af0d733708e3ee074f3eb3082c8ccf28c89885a9

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2cdb5c06d1224f560aaf6152f18d246b

SHA1
69101696874519725ea4df2b3bb03f81f006ccec

SHA256
91019b03f0bc13f6bb910b66a96dbad84db9f2cdae1fed07db70a84435db71ef

SHA512
8901fb908013f78b824af2d615f826636876ff9bc1a8cb2740974991dbee53cc46cc0a2dbc2271f7bcc17b9c26516e3dfd0368e9f564fe3b0c244f5b41509a04

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
5505808ec925326688c6b2b4136f4a2e

SHA1
caf4df7c76efbeeb7602cb1a7c901b5c0061f79c

SHA256
6184a7dd0648e107ae6fc1523454fb6ce0f19bbfa04b575853625c3894431257

SHA512
66a90ee3d5ad3e4ce6ab79fc967393e8eb8433cdd5f9f016561ef6108b443e4fe82c6303fa9673dbf4e5b329ab50a226b2f601f56cf6f2a3ff537f7e1c3749c8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
cf9fad300e1e7db8676a8016665039e1

SHA1
b91328c689a8e8ab45f4327b405d9db86481ec11

SHA256
c92834dfdc2a8ec73fbc715e4fbdf97b54cb6984910b97d5714498103abffa46

SHA512
b8bfd790aab134360b5b2dae8db6d104284e8f1aff0b4ceefe33f5c9078b1abe438bac0c89d983b3b337b094de0a310043e36eed34369d1218ea59ee72489ded

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
7adf6b1a4ba5e73985e2e381f4d570bc

SHA1
a798b4f9554ab57f66e9b4884be93f61d92f5300

SHA256
5b75beaa3f87d4c9d19ebd47b5cc2a8f68046398048793d2bb9ba4ebe64b3e90

SHA512
784470efac64e1de7d1fc1fd2c5aca98dd5eb4ecd3db20b40a9cd5e141ed45f6e9d50bc4f0ce1912c00b05a3ccf70fd5d8277424f131bfe1776413bbb88090bf

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bd28282fb41055c22373160517bd1547

SHA1
e43bea93d2e927a51faf366c3b8061d5bcb81ed9

SHA256
765e87b2f0afab72869d19dcef035d361397122a1d6141c0e2939f10d220bd23

SHA512
1d465e101dce4473bac8eec65a2aee2d84e82a98988144d1270e75db221ac6fae4f630be420d7fb36ec48af9f3d3730136ebea32ad7c7f7ec5607e2743c2de10

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
adb22cb54aa9b9e2b5d6f4536b278fc7

SHA1
c4f72806c388e9c1969c6d13807462770da48535

SHA256
716327b92363526a956cf26aafd81aa39f81bf738981c9ef8da1873794419731

SHA512
ebae6fd609e5e1bbe7767f3935875f7c083e5b86d25f2ca94522a8d62088c7205721d14856c697ea5e85bb558c420ebf07e994c45c4bea9390da7a5099ea3eba

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dde1f677b820d72a95ca94056443ac26

SHA1
4497e0ed64b553403d012d9fbde083bd73245e26

SHA256
74b45e0b85d22d2aad70fba5e1fe1c62b12846e41118067d64447b084880caff

SHA512
99b875cdeaba743a4fe13bc9af1680bf1db5406607e1ef0daa62145bba814694614a27d5b1ef977dc55c341e3a48504ffc7ee83d1a3804dca598038b67ee0338

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
e7898e46ba16ee8349585031ad777a11

SHA1
cba521ee5761d1997785e85f1cb1a8243298732c

SHA256
8e253006bad7ce5e29d92746a50eec2296d2de133a145211b7b36d779749cda1

SHA512
d4fbd1b494c438299ddcb850e1d283574578fc57d1d7fbecbe172f583682e03722c436884d24fd23b6fc17c47b5460516fec701b1f02787acbce0cb4773bfcdc

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
9b7a2aab0547d22e47fdf99087711286

SHA1
65e7842d79516a9112cd1253fb41c4336335c24e

SHA256
2b5121c870023853b687ee8d11ab11a4d2f972be29ea300052a0581f618cad2c

SHA512
0ba0ba13a4a352322cf5ff7ddc86bc68c4c7977e5f2a2ab136a4135e23394cd58ca39196aeb096dc9e8e1f68ada5b61e64cdccb5bf7860694f615e80cdcec124

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
58d955871ef729a2c2f7fd765a3f7301

SHA1
1956922a1451ef94e0dcbc2f39631958c8ce385a

SHA256
5aa5fe43387e89f04c47bf40a0a661706e4213bc098ba7aba8043d488b5a89ec

SHA512
a3cb5f6bc37c838911fcb81f2195cb97601c018ea5893493742cb2d46da17f58b815c6cb89089b94b43e1628ce07cedc626c3f3987fd0efe39ae5469d94005c7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
4c1bdf7b7438a9deb5ed9db847d84a62

SHA1
6f1839362b033174c2c06e5ea4a225e2ea19ab68

SHA256
d4425976a286d353e0b2264477a36a2d97b08b3bf89526bdf3828a326eef2071

SHA512
80592b6c9b4418f0c04d865238fed45c7d302dd4b43cc01d4926d4fa06ad783e71f2cfe22c9f4ee84c3bf41e8cfe63534be5cbc85317fa1080b8d552705e6f25

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
a40f0a9776cdac445caa4e3eabb32dfa

SHA1
f0e4c4e44775caf1cea4c25dc67b3c5ea4882abc

SHA256
a559a41efcfe91e61bc5a68a3c9bc8e7a596f75d3424fcd0fccf88c4a224f471

SHA512
363841d8685891fb76a7f85a1f1f8775456d3658b3ad0bc358df4659f3a49cda72d6172d9d3b1577cbdf7df27ec5317429a955233c42c3caf688872dfb864773

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f2b84e07a71e40828e123a7dcec46330

SHA1
313a5c94f8d3a017ee0a8f0b187a4e5308eac344

SHA256
b541caa886c6c89da653a999bfc520e7d3944ab926cf1cf56cb829e89beef775

SHA512
a2bb7bd3ed999608bd95bde7bf3feca88bffb464dfc74294774da1ff7aa7a35117fc5de067eeba475ec6de6d37a8a24b0bec077010cb9c7e7ad70598a10d9c79

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
72fdc3c84ed1fa088c820df1f2e8cd2a

SHA1
b9c783998ee0e1c0cad0ccef7fc25ef603e27b09

SHA256
30cb4f3b33f68be2dbe86571f1cd647eff845c60abf8e1141d58b56634bffca5

SHA512
ceb9eee921d4a6a00879f93117501968b8c3f340034f8807d5f6e7929b32d0a3baaeeab267adbc8771e859de050823d7ff62f58dafbdd2305bc836c6d6c26916

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bf504fc416f812e5b2dc2c8b3f369e8e

SHA1
5a9f4fd1ba47b19a9182ec6dfa6b1c75c76a5cac

SHA256
b7b7f8e17b335cb522d05490c079edf66422e8b5ad8fdad549868bbcd1cc7988

SHA512
b5241372a22f467bd4b17e264a7db911f06f8561796dc8be113047860400b52851d1d7e17107fb060c93e43cd2e132da10a15cdae7d46cac168f3be9b1c2ba99

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
38b291aaa5c412e9d622b7d534083d8c

SHA1
45a9b1969914d6a0aa6831f8d309519064185a86

SHA256
e7a5869be2e6e93b2454e7aeb5d9fbaca72f78795fb38ba030a95dc85bd0ef36

SHA512
54d002d466570072465c3b1bc2aa37b00eda6bab977ac1f26d11596e9bc6ab6f96389ad3d9ee4aa11208c4d8289da30d0bba1d6f785659e2184127ea5295fa8a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6f712fe83e5e093084a61b31f2315208

SHA1
c8dd4a1e0a26dabdff5bf253a5e13e4d5f55c84a

SHA256
81d4dae9fdabd57447baf6418904f983a4e504a3e2f5fafbfe8b185b05e894a9

SHA512
e625d652ac2696cb3af02fa62c10920bf70a5f890ebd5e78cac45ecfbb1c5448e32bacc75d999aa8d444cfe276f590ae140975c4ae4124c8456431afcecd9fce

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
3a4dca07bc8c461048127d62741d3ffe

SHA1
e714046354112e3ccfef6f19573d1e3fb4a2e704

SHA256
1f1eaf1f460b2ec97e5bc1fe8afb85c32b3323e15573a4ed482d90529ca169e0

SHA512
c13bd44c924133c4b5fc06799cc8f5034d5f8ec89414937e7f53e2c7490890893d5a5f4d8aea7f963cbd2887003e3a2f1bfde7f9259551286d2345bbc743225d

Download Submit
memory/224-117-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/224-236-0x0000000140000000-0x000000014024A000-memory.dmp

Filesize
2.3MB

Download
memory/620-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/620-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/732-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/732-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/732-281-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/924-209-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/924-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/924-90-0x0000000140000000-0x0000000140258000-memory.dmp

Filesize
2.3MB

Download
memory/1048-352-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1048-8-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/1048-1-0x00000000022E0000-0x0000000002347000-memory.dmp

Filesize
412KB

Download
memory/1048-105-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1048-0-0x0000000000400000-0x0000000000663000-memory.dmp

Filesize
2.4MB

Download
memory/1860-114-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/1860-224-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/2012-35-0x0000000140000000-0x0000000140248000-memory.dmp

Filesize
2.3MB

Download
memory/2012-26-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2012-32-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2264-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2264-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2412-187-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2412-603-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2872-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2872-611-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3036-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3036-605-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3064-82-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3064-87-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3064-85-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3064-76-0x0000000001DE0000-0x0000000001E40000-memory.dmp

Filesize
384KB

Download
memory/3064-75-0x0000000140000000-0x000000014026E000-memory.dmp

Filesize
2.4MB

Download
memory/3104-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3104-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3104-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3104-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3564-170-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3564-502-0x0000000140000000-0x0000000140235000-memory.dmp

Filesize
2.2MB

Download
memory/3920-260-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3920-147-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4272-581-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4272-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4284-610-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4284-269-0x0000000140000000-0x0000000140265000-memory.dmp

Filesize
2.4MB

Download
memory/4412-37-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4412-50-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4412-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4412-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4412-46-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4544-198-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4544-604-0x0000000140000000-0x0000000140281000-memory.dmp

Filesize
2.5MB

Download
memory/4628-136-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/4628-248-0x0000000000400000-0x0000000000636000-memory.dmp

Filesize
2.2MB

Download
memory/4744-53-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4744-59-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4744-173-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4744-61-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4856-606-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4856-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4868-128-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4868-21-0x0000000140000000-0x0000000140249000-memory.dmp

Filesize
2.3MB

Download
memory/4868-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4868-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download