8a8e16bd46d5663c8bb0e13e6006530d6ebd2a6c319258d7165779107f5cf274

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2024, 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

06af623977a2dc81caa08506b570b180.exe
Size

1.9MB
MD5

06af623977a2dc81caa08506b570b180
SHA1

6ad5b50173f04d021bc9aae0b533dc3881352c01
SHA256

8a8e16bd46d5663c8bb0e13e6006530d6ebd2a6c319258d7165779107f5cf274
SHA512

82b8f1cd9a21e7a0eea48ee87c060069bfcf7ba0b55ab852ad5d82791afcf0991c4f481860227f0db8a72ed9eebe717c993c400ad785b931738df2e0512f5c9e
SSDEEP

24576:dDMS76huDyqITNjx+mZCkt76f/24pN+XNqNG6hditW:dDMi6tDf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1124	alg.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4684	fxssvc.exe
3584	elevation_service.exe
3956	elevation_service.exe
940	maintenanceservice.exe
1252	msdtc.exe
1580	OSE.EXE
4636	PerceptionSimulationService.exe
3336	perfhost.exe
1564	locator.exe
4172	SensorDataService.exe
2192	snmptrap.exe
3732	spectrum.exe
4104	ssh-agent.exe
1936	TieringEngineService.exe
2400	AgentService.exe
4796	vds.exe
552	vssvc.exe
832	wbengine.exe
3028	WmiApSrv.exe
1892	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\snmptrap.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\System32\vds.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\System32\alg.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\msiexec.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\AgentService.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\vssvc.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\24eaba92a46faa3.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\locator.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\System32\msdtc.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	06af623977a2dc81caa08506b570b180.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_114093\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	06af623977a2dc81caa08506b570b180.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	06af623977a2dc81caa08506b570b180.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e88f8a01fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab63d2a01fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dac4d4a01fcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000689ceca01fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c62380a41fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000736756a01fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e88f8a01fcfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a26a83a31fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1c5b5a01fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e3aeaa01fcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1736	javaws.exe
1736	javaws.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4696	DiagnosticsHub.StandardCollector.Service.exe
4696	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1456	06af623977a2dc81caa08506b570b180.exe
Token: SeAuditPrivilege	4684	fxssvc.exe
Token: SeRestorePrivilege	1936	TieringEngineService.exe
Token: SeManageVolumePrivilege	1936	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2400	AgentService.exe
Token: SeBackupPrivilege	552	vssvc.exe
Token: SeRestorePrivilege	552	vssvc.exe
Token: SeAuditPrivilege	552	vssvc.exe
Token: SeBackupPrivilege	832	wbengine.exe
Token: SeRestorePrivilege	832	wbengine.exe
Token: SeSecurityPrivilege	832	wbengine.exe
Token: 33	1892	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1892	SearchIndexer.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	1124	alg.exe
Token: SeDebugPrivilege	4696	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1736	1456	06af623977a2dc81caa08506b570b180.exe	82
PID 1456 wrote to memory of 1736	1456	06af623977a2dc81caa08506b570b180.exe	82
PID 1892 wrote to memory of 4264	1892	SearchIndexer.exe	112
PID 1892 wrote to memory of 4264	1892	SearchIndexer.exe	112
PID 1892 wrote to memory of 3536	1892	SearchIndexer.exe	113
PID 1892 wrote to memory of 3536	1892	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\06af623977a2dc81caa08506b570b180.exe
"C:\Users\Admin\AppData\Local\Temp\06af623977a2dc81caa08506b570b180.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files\Java\jre-1.8\bin\javaws.exe
  C:\Users\Admin\AppData\Local\Temp\06af623977a2dc81caa08506b570b180.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1124

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1012

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3584

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3956

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:940

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1252

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4172

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2192

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3732

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4852

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
bd6bb3d6ac90a18c91a100a77cba2488

SHA1
3ec6585fdd7b6850e635f7ba74f7b8ff864a4bc4

SHA256
76334d14a7441e09413a349c84edd808b4ac10691ed6fa8f63fe7f2f358a44d0

SHA512
cdddf2ba2164fdf33e8c5466b51c718cab54ff76f7b88a2346fe0779bb0c813227a4e2937f33ab6fe8cc01ff9f83953546aed487f80edb2bcfddaf3fa409c720

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
4b465a23f69f35ef8d17d5429b971b69

SHA1
dfdae1e3c6e0284f82fbb56d07385e1f869ccc51

SHA256
2a7cb3899ba9a9944238fa75d5928b6e85e6955b4e164b09f926b98f664ef831

SHA512
ca9106e673b7a8912765d23da061678fc819cd6d90268bba824c0288c5bdd91cc76767a656d0b0e5f3465971510258c3c3d9239d0aa07de3c02ee4eb5d6ff110

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
0586e58d8fcc8f94ab1f09b904945cb0

SHA1
94ef761143ebec29b81f704bf1c8e0c7381d409e

SHA256
0b4d8b2cb3e6a62477acded6f046640ef388e7eacb684b0a00146552b95c3631

SHA512
8285282664bcd44a5367a47056709caf9f4c16cb85fdf8b1fc8fd96718287a2ebb8d1d554fbe07e66472a1327daa814c030e477cc46e2b3030a8665b7e2f1f7c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f38caf5b6e53ed9d80d8aed4b6d2dc2d

SHA1
13ba7cfef11c7bf0fdf09d4cfaef58f4e9e4d9f5

SHA256
d32715147afd76ea4ce53991685815f542454396fa75692c7f4b8c1edf3e859e

SHA512
23a6c4d03cab02928c592d17dbd745e4e25727a67ac4a1f6d9a1ff98986f7d32ea8dfb9c4eb9666c9e9acc18be007e20435817a8e1dbed704f0aa3f95b5937db

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
853b21a6dd9cef33eb3b843d8052368d

SHA1
4da28b55fc3ccf9b89776dd454192418d418b094

SHA256
f568c9d5cf9296ebba18510842f38088453be70d724dc300769eb2d6e9c27f58

SHA512
288d9255d91e43a3cbe38a0ac95e4dccad54dee6ae135eb133951c3a3c95338c477393daedd8c8b56e761b95d3bc6e692412f1385dc1aeaa4cb842dbce82f0a3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
64930a0cf5a8be4a8f1e757b8b82e16a

SHA1
fe09fef7658f5b354820b3e81d4cd66b7b6e48a3

SHA256
8b6c2b17c2e8aa4ac957e24583b698adb06c8adf2972d0b2997a09f4e3b6c277

SHA512
f45da192a42ab683e8593edadc54ae5f497c81de33efdada5f16dc445201d0180c6a1a8f4111324c0a0f203030b4054c9085d51440087ec772080cf041d3d477

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
6c1b747bf3e60ec77039835afe342618

SHA1
256ef4fcc13f2b191063dd68d0dc3d166bfcb2a6

SHA256
087c671b1560cebbb799722a79068c7b1c04ddde99ba39e047ca38e5f013042c

SHA512
7229bac6eeb2a7cb9f81b0e7e9c47fdac5bacfc507a455b5533076cb47eb9986ce53fb9ecee01aba70afc6580563a1d68d2af3087be7e060479eac2d3adb63dc

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
26eb00dd7ad8fd5f5d09303c4d924eb3

SHA1
4335f60c01c90d0470988e72a76e9d564babb9f9

SHA256
9c4d44590b6d6e32b98c0770eb225a6ed051a08b7739e0099011c8a86e2c3eb1

SHA512
b23ca481b92e237f14782c0dada27985286d05cc9c341d6e97481b149fe1c73cf71d3cee029633bdf58157faa6f395a128bd7981141c259d554537a56c32f924

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
0d5927ce5712d0eb529acfa2d5ea9c3d

SHA1
649ca1200031576b44acb82ea5322d2bdef917b5

SHA256
3713d50dfeae73eb275a0dee0516b5d7cb58aaaaa59e159a5d5b312eed0ae26d

SHA512
7b6e24825d8e9e8dde65aeaeb43cccfd3f98dfb008598bd256603d28cb21c37e29e25efc965db39806c70a7a503518b2738a683fe483d86661b0623bd5472d48

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
82c0fee507ae13546da2f33d4e314059

SHA1
4d0977c2b0807052225861ca4c59eb4963643390

SHA256
a078b410ac86be584a42922a851aa9ec28540e1e15cf764e21f9095e2bf8ce00

SHA512
c422dc37bedb194654a421a5659e5ae81ce01f40244146b2f091d4c4e6cae0530c09b84d02d6d361c44e6f8e5760b189af4bd5b444e04568adb95f2957f4a998

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
696167db40c5e5f0f4c004296ecb14fc

SHA1
8d9fac9f03783d8e1034c777d2a78ab96788a716

SHA256
b7a60ab1ced4b4a226db6ebca352b77a2ef2efa2449df6ff23e9619f30ab01d2

SHA512
091ca330efb8c865018558adac312f16fd009cce11dcd71f478f0f033990b16296672da4be301e4f26d3ce6195ccefbd12778c5ee437946f20e77f85adc1d867

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
48f05d17579d35f8d958790a703ebb9e

SHA1
8dc616dfdcc380f75a80d1ac8a231ccb54fbb5d8

SHA256
41e31048067e5642522697b28e783eb985d3541207951ad3646366f582a2db93

SHA512
0a775e8076a0717aff12f12a3342eee2ce19ef3f40f4b0d62ce665093496c8e6a64e438add175c5e0f6048d68b9b7d3a34160c6b6a25d47388d529023829429b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
56bb8b9eeb58325a08351bcfc39a5c39

SHA1
ff9061cb9a5b3c9f39cf36393ba94c4013878c28

SHA256
fb87bb50fce8f5accb3863f6935f61e616aa1663d91a007000231e2aafc10d4d

SHA512
707a561f1c7a756e4193f09ecd414cc53af5ab41d067fea4a315a9770c22c1bc05c830f2489ef7a676738394437b0f57ae57a1ca35fb58877027c1159782c359

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
fda3f41cf65a74add286a73d8b27f66a

SHA1
fd26e079d3c764e36e29e62cde934668ecab01e4

SHA256
c23c50f19053f0d04ec426cc44c95624d6af022fbfec59e4d6b166b4fb8681ae

SHA512
2d57204d9a57bd2852eaae6a0f1bca9701416df52f14c0906dba5b62bfae5992c3669ee3109fca55466921992bcd1ae8f4957351d8aaa8690a0f2cc3dc15bcf3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
18b30f89689a2e4b7fae64fd2af4e585

SHA1
881a21e2c5ac98142d95e24213bd6d4b59d053d9

SHA256
3077f2ebacb957fbb49deca94cc5270db911cf8ac57a334ed7b59fd33f899a35

SHA512
bbdf3c36ffe439594a60666245fca4ce7ce93e9f9358652a1e6091c08ac4e90f7193f347de6e0feedf79a1f1fd2ed2d08bf9925911f06b915cc0c6e9e713cd03

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1466937f1d077ccf66a4668643811a4b

SHA1
a62a1c53e1aa8cc449b3d59bce2590514a7b9efa

SHA256
07eec144a3a090eb1e5e996dc93fed914f46bc1db9a7b00497f59e63587a4b2f

SHA512
2d7eff2801822b5a1ae58068f02c0daf9ed7d88a809b3b8de5df65ae17676e0b58eddb0935d9eef966eb9dcee028751d7618182f45d9d24a15de74fa06973940

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
6f41ec772ffb3a067c3846434a4576d0

SHA1
b561b06f2877749c175095fc4baeb7a02828d916

SHA256
57494ddd363fbd9b0a6e8bd610d56aebf1b3f006aa47f29ccae7481c3d51d78e

SHA512
a955397c354f2caee24d53e01c25fffa766e034ded8f9694ec41546695a16ad24f5573672389d770c3706fad1ea6f9ac018c70c6a78fc2c622012ff6c0ad1bc5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
914e1da7d31986c6cc11d855e2071c0f

SHA1
20eae7b69ba435d6117de3ece4eaf454a689def4

SHA256
211922dd70db1a9e7223d5326178d09b42aa92c520e9e119b36db28e5ebd98a4

SHA512
dc6f8f3cb3c99e1f3e31d512ff2006f51b85a20e07167ad87b04452975e6799f32e4ba1942320723ea38356a257641c098e888c8b9a2c8c97ac921d8cc9fa3a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
258969069d9dd11920afa6c299d5cc30

SHA1
9091d7bc86f2b8b992ec6e8620bff0f4fa609f2c

SHA256
72eeedeec8c4c8b25cabcc309956b37d8d44447322a16e32f238628c46824af5

SHA512
a54334591caf9c02cb5a2d0022391b05d4dd0d4850c2ba5d50ef8f2337984478cb9f6ec7770e7c35e35a1dc5f30a4dd9672eab3db2f6227b9e6b5e9c6409bcfc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e669f7568ad44f588d0808099ff4808f

SHA1
11f3b631d85deb4e7486f7763becdfe5e18293a8

SHA256
ff4b71b153b42c289971b7bf913606341127f3968ebe267e00c48e942d3737bd

SHA512
12e4dc0928c8c93402cf64c4d156764a443fcc960a9abdc2b9f183bd1419a5baf391ef273b758e0730ce11026a1cf8f2b35b8b0fb77504f0587be73ce806447b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
cf71c3678674aab47a8d0b7f68ddc4c5

SHA1
47b82b5db1ac30d9ea00d5fc09c923230098e31d

SHA256
07c0e612e302a4c0bd3bcec08fd2bdfa7a769cc76c2bc1d638d0b4db45a67a94

SHA512
6086c7c2a1473946276147a0e9bf8455ef9912014b67ead4e8b66138ebf3526e74bc6aa4e78c5b2728b9b0359dfb0226df61aecbb622af9f6811d3c686f2d37c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
1d629ef138093b91f90c8fcd01d47c7e

SHA1
56e263c31cfcbd1005df426e4d6aa5d35135349f

SHA256
81cb74a04b0e6a2301ce097de3902521f3cdb707e4819c3c0406857a08893485

SHA512
754820a73944128dea65244f6a34cb73f95b0de39a685459f1804d73e0c1314aea164ee4ea245512ee7397269cd33414fad8109c51ee0ab494d098dfd1a8f8fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
2953b55e682ebc5444602f07e9028a65

SHA1
e2e7a2e672c770e811e2fb4641430c502e057929

SHA256
898c627817e4275ab7f141925cafb8f0059cf275f5599056ec17e76fb23a7915

SHA512
f48f5b6e4cbe669342256dd69c63f8c4cf5b7b61b7887ab27a87640a1e24a9d142f0ccb4713be01f917f696b96b9b5e5470fa25a422e7df7af3c3350d0f7814d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
8b2a7c7bf57e946143e6b2fc147cebaf

SHA1
61bb38ea785e5708c8f4e6ac74b1a635cd82b838

SHA256
b7c0c1a6caecf3800c7f2711eea6a7d5b999a8c603678c102eee450812fb2e8c

SHA512
66f213ed07c5b1d11de1e7337ba520e7e5ba2847133ddad748659b936d0ab481c04a147fca5b7a21f820edb66fc5da1ffedf82e7ea5d75fe9e63b624205b7fb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
adf3f678740fbfcbf63dd56ffc0dd042

SHA1
6e4288b1175471852f92e036df6acae2fb23c4ca

SHA256
140ade597eac19cba5c310e9a3ecdedc032cacb7ff9ff8d4da881bb56dbc0676

SHA512
7c36997e9bfad888493bae257f210392df415b1d1b83035eb4beb27085f8e95369d91dbed7eea9fb76a991875447dda5033b81c11f03faf51c8bffb801b8d857

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7f924628c7c5c84b86c4f6aa789c18c6

SHA1
b7a9fc192dec813cadccfb6cfd444034c2170fde

SHA256
451bf6da15994811cbbdd3a86a1d17ed5a76f7da48daa930cb2e4d9cf2626793

SHA512
c58fe874c352b3f8048b1ef6a3fb3e8e9e72bfa82535aa1adb960dfc9156be0a4328b5fd1fe7c7022461a77761f1de05a6d3b55b70b0fd9355ef8d0ac428727d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
dd8613c2b365eaa4976ff2a752f86433

SHA1
3bf28fbd044c4cb245e60c31ed857b9f125e7a1e

SHA256
aa13eedabfec4295ea962f94440900075c466007d8207fce103dda3d37138fc4

SHA512
4d8705ef19e0afe0fc2c797f0e110ca154017e5e564a2a545c71c38419ac83ed56cd5a51f764588aeee41314aaeb5ccef3736efcca753a07f6a3278231575bd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
2f6a7da58c802f1c6c334efca6881734

SHA1
e5d508a1469264b97a9f8a5e384c7c703109af6c

SHA256
e788091d24f6e7d278da21ec5793416579a348ed4c578f055c4dfe1baf7d36f5

SHA512
ce54f8553fd848ee8e20057f38b57000cf31b5c840e0516a778155e313d19c37b6005d36a9f4c25280a6cad3c0767fe6b09e7aa04582d854affdcd557a21198a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
2a2d7a6a814bba0bddff8fa23362b910

SHA1
be388767a9b0bad468185c00d31a1b7f11e67132

SHA256
4c656bacbdd9335cc144ce142bf172fcb259827d7f60449066352062f28562d4

SHA512
95fbdeaa7e992f5e15037a91998dc32b947e7da0c03dbfe743ba45a2062c7a53df91a64aab4d47e5c4a8050f1a1a0d3aa54177f07c8b37c33f3d06c4cbc560aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
e8ccefa5bde82e596a9eab3914ab27bb

SHA1
e756e743e50c8f601a293313587124eb42fa438c

SHA256
307659a1dba20afecd7f0a6a294b0564010e4f6f924d19cdd6596b598e637118

SHA512
b6b881bd6318ce59dde7ca24fa51cf6291efa5738fd5bf5b416fc6a70f5e9ee12b04c2e91d30af5fd9304ace8f1bcf43f2506a1cb7f8473e2969a7854e3f768d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
04894252f3a96d08d71dcd5a4b0b3672

SHA1
3f049adbf3e06138ef29f6b8f6fac92911633138

SHA256
02d745cece8918bca9f14c711f494ee8cd0b65bc5f5a322f097fcc3adde5a643

SHA512
5e273192e1ef27beb8ec0a9ae4963eb9183fc8fa597d43c126099bf7bb9a121731db764c1e90921a3e03f90bde3fddb05d7c1c43fdf1a25b927c029155cfc7d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4964b8509e2689fdecca83d30d0693f2

SHA1
dbcb969bd2f95801f331b3f7cf5d1f997ae72834

SHA256
01fec0b8fdd60f6e7334379520ad113f8e15e55e409b8399d9f4a3a82372c490

SHA512
7d9e90af2e455b411d43ecb121891bb1fc05ad35bfc37b2b72903d2fc0bbd2d41cf84a293e50fa2560b2de5b39cb707d9efdfa01ab648c061d09cd1264032de9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
83c799c74f4c65ae615631070f1589c5

SHA1
689a4a97fe31525b57a41bc146dca3f4417ed83d

SHA256
9e41015556cda90b865f655b37ebadf28873f55806501713807eab6884d01930

SHA512
cda57be23e8f2ae39d8d3e73f8dbe59f38cdfbf7c697cf21f4cd092ae2c86ac0745b6da14298f63f5881c06e587d263a95b590af554a01120ae5db0991c43416

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
a83b9dccacb7cf8d043278a3ac6fa2f9

SHA1
eb9a7b0bf8192b860cd6285524e6b9f742730533

SHA256
56cf0894d74b21c6b1e3bc2b56f621f9c85c99abffc2badc872bb6156e06df25

SHA512
57334155b7e0003ab99dbda0887ff9363d016a8d29563149b18890ca54f160b4e324e5efbba63eee4ea5b0b4cc423441898ce6ca34ea9d8b7613eb0f43a0b62d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
a8c9625738cd957473129737d814c1cf

SHA1
91fc7dad3d100008601c2a727de35c252c44faa3

SHA256
cf36075874d00220fdbeb77ef1d37027d3f0e57d4fd23b58f8e22cf585d99378

SHA512
17c2e8b23eddddc5c6f42f75d2d561a5ac74c0765dc910e51b510205bd21c4c8815efddb92c1df926fe1646a4aead0bceeee8da37e0d7db35342fc11871b9297

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
323b9e85a2a08a04a67f585c8c0270f1

SHA1
8d886d5aa8aeeaec4f103a3a9f8b61cfd7d145d6

SHA256
ade9732822c7940502d9d977379a843c9337970ef1abe0dcbc18c3dc91db4d25

SHA512
f90eec1b8cd8b1e24685d39a910fc7b0d326d15e1c961e7e37d5512ec0c61bbee88061b883c7d5ffb8980a4c007cd0488d4703a4dcdea8aea04abbb1f7aa27f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
6844bff0b67ca653a99ec1cde83d3665

SHA1
02148aa5a4e2523730e5c55835b1712f88733cee

SHA256
b070d3b6eccd022850216dd4a84080a11b7583bac8f2e15c32924b30849b28a2

SHA512
7372bdaab4101a918b0f0729b8efd18ce8c3277f0e2801dcea1ec3cb6c9d8930b63b860ac22c4d3d9ef57d71c7e4b6265f314e9b08b34a787b3d3cc8d35506f0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
dbc7b512f8bf8e670b74ff0c84009afe

SHA1
7b527690e0169eaec949cbda9512001b1c3fb4cc

SHA256
4f7b4c98d4eb58fda44f76d90a7d7e9fca928639541d02cf9ef02dd524356210

SHA512
461e1c536f4f06abea262d4a160a5f79f6e11cb08d86b179840d290f41492d0666fb20d286257674d79b3d5ebea36aee516f1576e60de2e5d47d9c134cf511b3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
0df6e30a0de02bab4e6dd9238b3aa54b

SHA1
83b9ccd6e45e759ebf7b999db202422087d5b269

SHA256
c971b95eaf2512dd19b0929a0824154f31b6f5c16f23407822afb13003d9257c

SHA512
4d6eec37bb115bc680f6346eae2ed32eb58f7a65c5ad3ddbd392da16cca8d9d79679d066757a7ae4e1067a875204b2262ee0f869cbe6cadb7ed7b65a413c7e0c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
b20a1e3519965af82987da3950de8228

SHA1
b819f45815a68596152061e699ff77ca4ab51d02

SHA256
df503ced38bb7505df2a0483956122cfbb04ef8f41fd3cad5c74fc7452efbbee

SHA512
17a17b1757337c7668ed5310f862f53ef19bf3ee402bd6a63b7189308b9fef27a00cf6eb580ef8611c76cd7ada084e8b07ee64d0d63248f3cc73017b76d88cf6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
71826e1e0ccb509ae20678b9f5bfafb2

SHA1
61d43315aafe820b744af3803dd93a83f0f371c7

SHA256
63eda5252a568ddd25493261c9ca8694989ece5c88e830e7e04be35be028658d

SHA512
223d48c3b64e8725585c26dec3dcc34ab76af32ea2a36448e061bb900c57b63b0e53a85667dc7965c3000cc7b4e7adc256925f6cf928b5fbccd9611fd9a19b99

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
cacde53d40bf34f4e367779ad389ac31

SHA1
cc3cc62736b1788f4b1333afbbb3077db614546d

SHA256
ccb76003218c890d4cc13de6427d8a969915e8de0b2f2bf12ab9877b0bfdedbb

SHA512
d97328bf85a3abc949f1e75f98130f72887d5444eb926a394cd1a5207689d74cf2751325a189100b6a06da27af19f0f4e7a933f7060af208ce748e1c9ec4cc0a

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
919077752391ef017fd21fd8cc655aee

SHA1
e4d75bb183c4575eccbaa5b3c70f23e009f8b969

SHA256
57c7bdc17bb456bdcc186d9c3c5e8a435c8539b0a1076f122466f3f466d98013

SHA512
909ef3259ccb1b3d01abdb920843e17d6ae63d9297c2e85c7b0b2c0225f54f443974b8262162815534c3437b48a85bbf4e7d8e0e65833a73e3339cdc833b1bc9

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
4087511cad1d3ff05bf05190baa4398a

SHA1
336f6168fa9bfab98d2c033cb80459bbfa970989

SHA256
2d314aa641d2341823cb2015ded3706e016cd0767edb54cc6c6cd2bdb0a9164e

SHA512
15347d2045279a7657c0c8c242a0bb23902eeaf03f993b35939e626f8e5331b5eaac1a8f303299c81498c728e66d32ba4fc1a5c4e2f91d405733cfdbab3a85d7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1db724e34392f957dac2be2067ef931f

SHA1
7e3e0d785a0b882f0d4c53b2bac8989a9aad0aa0

SHA256
6dbc3137e42987b579e980426ede8b6e0deac7c8e8d668145ee6c48be321f50b

SHA512
d73cd720db20167ae510d348e9123101cc5f3cfab51ad8655903668ac1675429efa7b22703846d3d93b272fb12e274819d54f02cb1597835b295bc099af9b5ee

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
a1a2379cbe62fa8e9efa2033f0e011b5

SHA1
46c79845e7e84f1f44feb257e38ca40c31c99c61

SHA256
fdb7af72615fe3dd300bbc4677770a1c9c1c39e6bf2f96fd93ed166b279f7ca1

SHA512
64528ed24760d9c3cdb3fda85b06ccc40bdd47eccb806afc99e29c5ef829cff0120bbfcb3f749824485b483ec32453bc77c4dc81640f5e2fb50bda414b92c6b2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
12d3e9f8ecf9db17a330c81acba4a58b

SHA1
192fb792083aa2ff70e343acf2629013968c752b

SHA256
f36d23de421a4c7b046c8ba51a715b90b8f0304d69c428b23a56b67a9c692c8c

SHA512
6143eba36f748dda297c87f57970acec4550d8efff0d735fed855eb510f6278ab0d699efa33ba121201f4b7b46e2a190983facda8e71e169f1a18c94eb442fa8

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f3f496036e0f6872dae5efb1bc855468

SHA1
7c1f1611782d371d1b3dfecbfcc6b340e148105b

SHA256
8b7d7cbec048691dd2ad91bda0b922cd635bc65e651d1d456d087f4a6fd1ccb4

SHA512
388ff570a9c1b751b6fc65aad05b2dbc8caf70a48f3508c205e66121355af9b1d6aefa8ccae5ac5e3f589f6a1675dab426603bb6c8e5e2ae786ad79b08f08256

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
138d28d1d22515afb217267a004b24bf

SHA1
e5cd1dbeaa286443bee16286cbdb13a0ea3229a5

SHA256
7c3cebd4ee339a7af3436e6b1d0878947221b415151f8d1169f5726f39aef93d

SHA512
015ca747859328a48118848858c768e4560a1b98cd79439f4c47b301337e1e2271313003c81fbc7ba3fe95185d15cbcf2ccf692fe482741137b59e1cba2416a1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
608c1ac5ed2e98daecedf7d301aa032b

SHA1
2055f68bbbf7a3c96e103d72640e01dba8b72252

SHA256
b5b66ea3bd8ae5cc92370fc582a534b5e52883d6cd7ed4fadabfd56802e7e2db

SHA512
1b2c9474b53a6cc8cc26786354abf49aa29b72e66e5ad11479aa33c9f6ad61a5752285585809afc039011a40e1e276a954e5a40c9c6f726670eefb7b72ea4a31

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8e2665209bcebdd1b7226f5cb4f11a0a

SHA1
85c51ae1a1b37f2419729881737c1152cf08a1e6

SHA256
09dbc953bb6c64a8495b14d2c3f20aacbb8ddb716c16a05eeef6c52d8dac0d12

SHA512
d030daf3bfc74ff526e2c85e7739de9aadab20bdcd13d5e633aaa5eae8d0cedb7cd3ef12f7df90a961731c4b60762b2b4da668d228ba68f4ac63320037fc54d2

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
5b0f60c8e1234fbef2042ca205b3e290

SHA1
039d77a53a35d950650c6cc30205020af50826fa

SHA256
d4ad422ed611c71cc28b52e3a9414fb3d85fe886e5ab020303cb8aed67d76246

SHA512
6dab697c53b4c5a27307630f55ee574cf5a2e41da41cddbf0aa9e7dab7cc4f010889a1ce47b0f7287fe4a7b30d49721a8e76409bd1500df005b2b13b7ad78275

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
31a87b749559ae2496d99d426a084165

SHA1
6aa15362359e706a809f1eb1f40c8566dc411ab0

SHA256
e6e92ad79b04a47ede098140e5ce629c24beac71d01f1682ba9e8d4dca35b4ed

SHA512
f98198e8b4b3db140dfd5356e44a91203dba8457ed783b22b08e30e7521d098df07260383a4464805b542bb7952cb1d8b86899dfcec82ab4d47bbea9fb5b3d1d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
0bdbad59db19399d3aab429f515e0bc7

SHA1
ad5f0a6db57c86fd539c5b811d56fa9efb1fd02e

SHA256
4c9d36735bda8a7b9470bc50a4fe499b648f4061985987f18c2f89d923d063ed

SHA512
bcbc8cde77baed4144e1e45eeb53723166a09212a549a754f9229d3a73200f0651e8947404aaf82021478209ae6bbe7205e88f57ef6f17cb926f3bb47a2d5db2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
dca9f10be3c06294fbc164f66664b2ad

SHA1
6254f50fd7ea6120f9001743f0961f811628a2bc

SHA256
b501f1f85900fdf2614d1bf2273613636689d72f492051a94081ecfd2378a628

SHA512
23b1b64eec6f30fa4e1bd99517cff135da63c667a1ae7e50303ac2885bcf4c2a140ebaf1d1c3d1eebdd9a29d6ea20551a896d369a18c8781cb72b2bf23dd85a8

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
cda4039a8aa5a72ece41f37f4ceb6418

SHA1
91b1c1087290e31c871c629a368ed16e8c6ac67e

SHA256
1c30831d744d8bae888b133b915e5c20d5c6428770ae28e4fce59dd4dc220f91

SHA512
9d77d5bc878f9f54616331c72a26dce5a5102a8a647f3d445dcb275c50d804e9b7f6dd4eb6e69b2c28d020fe1701d739da8274080d2292685fc3eaafe5ca741b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
55af264410cc5e1342cfc004f77a1f9a

SHA1
096c836d768326d5d47ed7a7577460898dfc7b90

SHA256
b177794b398cab5fc939097be894bfd84e36195513cfb894fdfab36c2c26088c

SHA512
0fe42536edb16e146a542f4f51adf329baa3ae7ed63bf9d0572fe8ff47472f4eb27c60c2453f6e644f55e83c2f075edea819911a3cd6858c579fad0a4866f812

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
07b54a1c8219b0be37825e9e65d06c04

SHA1
34d942946b8f0d3453c6c5e5834949105eacd03f

SHA256
90554e5d33d4a603d9fb5ee33e7b27112f5701d283bdb3e46006d088ea1f21f4

SHA512
a65cd73948f510c9b5b1d1d2e9a1ebe483d2221a42b3c84d7e3d97920e012d8602091b595a4cc377f685bea158e7c33dcd547d4f3fb8bc2a6b31e896d512a0fd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
d9d6aec9b2eb9f02271d328c4f4d5647

SHA1
4382531e641a708bc807235f5bdf6741efa964a3

SHA256
2138aa128f9630dc1d98cf6284cee8812a0f84dc91230853a0c1b687eb70a96c

SHA512
1675e8bd62d3ea0a610afa134e409cbba9ad750870245f6a2c182489dfdef83152c515e24e2f542cda78617f992f802183a4db0a45aa593fec28c474545d2cea

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9c6423499594324945789c787a336b0a

SHA1
d57a351cdd0b140f6a0209e0f1d81c49e03c7026

SHA256
9ab292e457b3e19122dd57e44eaeca8abc3c0089e7a6a97e5d78c57a42342e1e

SHA512
4c627f58044aba4a8b7fbf277d851c7a6e8c773554598bbf6e6eed0915542a0dd336fd5db169467a595aefcf4b1c13c82c4b788c5219d6fd354e45e3d17ad795

Download Submit
memory/552-333-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/832-334-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/940-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/940-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/940-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/940-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/940-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1124-22-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1124-21-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1124-13-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1124-123-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1252-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1252-624-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1252-92-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1456-433-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1456-90-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1456-0-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1456-9-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1456-8-0x0000000140000000-0x00000001401F4000-memory.dmp

Filesize
2.0MB

Download
memory/1456-427-0x0000000001FA0000-0x0000000002000000-memory.dmp

Filesize
384KB

Download
memory/1564-162-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1580-625-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1580-111-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1892-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1892-631-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1936-331-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2192-164-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2192-629-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2400-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-336-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3028-630-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3336-161-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3584-622-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3584-50-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3584-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3584-57-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/3732-329-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3956-623-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3956-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3956-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3956-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4104-330-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4172-163-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4172-514-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4636-124-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4636-628-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/4684-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4684-60-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/4684-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4684-40-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/4684-46-0x0000000000DD0000-0x0000000000E30000-memory.dmp

Filesize
384KB

Download
memory/4696-37-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4696-36-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/4696-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4796-332-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download