52de3762905009c040b709318a49e499adf72685890048135ba24f965d140ff6

Analysis

max time kernel
147s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

179d19793134113a1e88b9859bfbd7d0N.exe
Size

1.6MB
MD5

179d19793134113a1e88b9859bfbd7d0
SHA1

3ed3aadbc7194ab926e50e92486ffb1be5073cc9
SHA256

52de3762905009c040b709318a49e499adf72685890048135ba24f965d140ff6
SHA512

c10965b4408a7347eba73d332c24be8c08d9a4e70418fb80ee30ff2aca8a9c406871cb6c34bf40c3129f470d304c65278ff028d4d247573ff4662fde7442d94f
SSDEEP

24576:r0XDGTNjx+mZCkt76f/24pN+XNqNG6hditW:rjf9Ckt7c20+9qNxUW

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3432	alg.exe
2696	DiagnosticsHub.StandardCollector.Service.exe
3204	fxssvc.exe
1804	elevation_service.exe
3652	elevation_service.exe
1876	maintenanceservice.exe
2292	msdtc.exe
4600	OSE.EXE
1312	PerceptionSimulationService.exe
624	perfhost.exe
976	locator.exe
4608	SensorDataService.exe
4216	snmptrap.exe
672	spectrum.exe
3308	ssh-agent.exe
4836	TieringEngineService.exe
3424	AgentService.exe
1616	vds.exe
4452	vssvc.exe
4564	wbengine.exe
1884	WmiApSrv.exe
3588	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\System32\vds.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e45c3e6f75cb61b0.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\System32\alg.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	179d19793134113a1e88b9859bfbd7d0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{796964A3-CF91-4ABC-A549-587EDBF9030F}\chrome_installer.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_105781\javaws.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	179d19793134113a1e88b9859bfbd7d0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce0534e2edcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a45b4de3edcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006924f5e2edcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023bda9e1edcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000871001e3edcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004cd905e3edcfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c3bf6be1edcfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe
1408	179d19793134113a1e88b9859bfbd7d0N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1408	179d19793134113a1e88b9859bfbd7d0N.exe
Token: SeAuditPrivilege	3204	fxssvc.exe
Token: SeRestorePrivilege	4836	TieringEngineService.exe
Token: SeManageVolumePrivilege	4836	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3424	AgentService.exe
Token: SeBackupPrivilege	4452	vssvc.exe
Token: SeRestorePrivilege	4452	vssvc.exe
Token: SeAuditPrivilege	4452	vssvc.exe
Token: SeBackupPrivilege	4564	wbengine.exe
Token: SeRestorePrivilege	4564	wbengine.exe
Token: SeSecurityPrivilege	4564	wbengine.exe
Token: 33	3588	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3588	SearchIndexer.exe
Token: SeDebugPrivilege	1408	179d19793134113a1e88b9859bfbd7d0N.exe
Token: SeDebugPrivilege	1408	179d19793134113a1e88b9859bfbd7d0N.exe
Token: SeDebugPrivilege	1408	179d19793134113a1e88b9859bfbd7d0N.exe
Token: SeDebugPrivilege	1408	179d19793134113a1e88b9859bfbd7d0N.exe
Token: SeDebugPrivilege	1408	179d19793134113a1e88b9859bfbd7d0N.exe
Token: SeDebugPrivilege	3432	alg.exe
Token: SeDebugPrivilege	3432	alg.exe
Token: SeDebugPrivilege	3432	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3588 wrote to memory of 2348	3588	SearchIndexer.exe	108
PID 3588 wrote to memory of 2348	3588	SearchIndexer.exe	108
PID 3588 wrote to memory of 2084	3588	SearchIndexer.exe	109
PID 3588 wrote to memory of 2084	3588	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\179d19793134113a1e88b9859bfbd7d0N.exe
"C:\Users\Admin\AppData\Local\Temp\179d19793134113a1e88b9859bfbd7d0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1804

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1876

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2292

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1312

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:976

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4608

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4216

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:672

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4564

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1884

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3588
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2348
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6decc7cf4c4e82c7d231411b221f2f00

SHA1
8f0a4f82732ca4d02de25062c3d538e2395f9885

SHA256
31f9fc26e4df62d398bf30c320e1749899fd8c07b4608fcdf896e1d971d8c7c9

SHA512
fd9dec5447c2f8c79d9e5feba5a9ed1451188ed92b6714ed20aad9a9dfa092ab8e623ecdd1004f328514ddf8015f70de1369602973913509f2e75b4fdbddc503

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
ab862b4f19d8fc31cf8f8a139a2ae4f4

SHA1
28e816009ad2fd5f2b7d892a02edf6e6e18dd1ed

SHA256
327478112e10b00349bbf42322364a5583327d358b3a80021ef59e0eefa3786e

SHA512
91d3960623664234665b7802a486f609581c6b8a37cc1d3202bf6fd9fef93f335db723f831b81ccd87d235218de8beaa9856c5dca5d1456ca62a99b78b3d3d56

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
00bab08a2d71abb97a0e1d8881e6d366

SHA1
2eea53f8f80b70442ac6d07167fd00c1fbc221f7

SHA256
2af275ebd91c7819a0100f122c163cb5b3906ed705241590843383230bd289b4

SHA512
d98461f9a5ff6659829b4bc9c298b0516979cdc53b458e3bf0f79f95f531702ed5ca8991d1a3bf8ff2276869ec101bf79e94cdd90347a12711a8539b33b63ac4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
242d38d1959f2cd65e92a19be1860c25

SHA1
dc0af302bcf631ba6b1076e39a0ce24e5d9642a8

SHA256
6e887e64ebcc7bf2c236988dcd1e6a0c63aae42a6d5c9b79e66ca555d6e2b5ce

SHA512
1701d345a0e0f2711b897e5c93c2030ceee4d0f3ed4577f593164666d3ef6f9fa61c2010226cb9f9396389bf395b0da4ca10f711c634cae297d21628ec57ec86

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
49c489cad58fba0ac34e6de8f88aa4fa

SHA1
240bac07469dc2485eec2e15dc06156910404f37

SHA256
f99215d6198e77e9529b01fbaffbee33e26612fed1af3d244eaa39460ed7f776

SHA512
ea37741391f0d487f3323773695a811adb80cc368aadfe4c8ed19e1f55a3f9a42cedf3bf53593c3c4212b712b6b0e8d0f8b0486f4ff05662b9cc2d8569ed1f87

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
abc23aa8e71189c19cf5d413993475a7

SHA1
6f116d783b8c47b0c5b1fedbf0ab725f6bc81369

SHA256
051c28171444af5a8841aee4b47e3f915decdf2580b425a2dfeb42ee4b84f029

SHA512
2714d1919d4a185f85dd774b74e7b0d2a6dc8241bdfaf04d02e83aadf366de146a50a8cdec67f9bb52c42b88f207dbf4192070b575f8fe2918f2e3a6379d0d37

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
107bc4329942b1a873e7e3655d1ad6bc

SHA1
111638898e291ae21776fd084cfe45919e273f26

SHA256
e458bdb8a2914a54f059abf211bb3d3e87d5adb99d33d3cc2de8760d2f1fd18d

SHA512
1719f9d8d79008416a10ccf4f9a4ddc0c5ce1da3b922adc58f30a80db8d3194fa8cbeb62de8cc332727397edd25fa8552fee7383907946e2a3d11fd6cf7ce309

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
d0744d173d267c7bdeb42ca41ae08409

SHA1
aa8e6a15f475bb792442ecfdacdf3435293da254

SHA256
fa869af558c2c39727c4055a84ce097a3242a76c2fe94bb4c969deb1ef103bc6

SHA512
02855264727888815aefd68da53868009624ba089fe898981501ecd0e1563eb4f373b7f4109c7eab163c4476266d6a940d2dec0e21e322a6f95bb24a8e6fbf97

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b18047ae66478a81c44dc85d5ffa05d7

SHA1
b5fcbe21b0cd94462b2fbb8d7bdc4b6b7ac48f27

SHA256
7874f815bfc9b5bbc7dec15691842c7482b3c5fe1fc04fd1777951eee97c4e89

SHA512
392eb89d39d679c86ba51a24837ca6b4aa5d46bf78428d5a77e237c0c4dfe97fc80090acc08c0e48a2bd6942642bf47702f99b502a45547cefa1d878bc5d2304

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0c63bfb6cda063dd0c6f24292bafbb35

SHA1
86de74ad3d3cd3c84a88ccf18007227ab438d548

SHA256
5d188f77f4f119f755bf8ada654c6dc79ea3537e3d2626d249579891645df5d7

SHA512
f7da21bfa3824c0e6b3230e50034e2b78ec8ca6d853f7b54e3d5284503a1fc147c4a986cbe60d0e6fc1ad44f7ce8d0bfa3de5a9dc9d0122bf6f27bca2611cee9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b1e3d0f7ce0dc7191a616b8fca6ff626

SHA1
f681242acc551ff64a06cf4c23b171672526af5f

SHA256
6d0909b6a0cb6f21c5b92726623b346f5116f07825363b815babf79f4bc610b9

SHA512
ce65ad5aecb8dcbc3e22d3e45f1b6b74e86f2e2eda3540070cd51fb401a525359c487c24e2463929867bd54307408298031fe163d747fc20fe2a6abfbdc907a2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
44c3773181610d12ca14c5a6386ec70b

SHA1
51dbe244b8a6fd31594cefe92bce626426c02720

SHA256
5664d4e857f1e8ad0f7a440618f49318e6c7456c2202945817919ba3d86808fd

SHA512
ce69f70abba8b3b521a4356e8f0b59f5de9eccff28c199d7c5da59e579188de106659f3278ec973358c1199b44bbbbdde8a3c22263fe107586404ee5f0c638b0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e376d8dc345e89d073ce191448b210e1

SHA1
a15329f256a56dd42f1713d75f5c587bd9e7bdc1

SHA256
fc68fb23f9f1c3ce4f74fe63e9da637699ce93e038d073e32a30a3ab3b184024

SHA512
430bc46e805f37138e0b85f0d6324a35fef8351485ab99ac2e4ee0274dcd7effe332d74d0e0258b058078038d02d3a0c498661486ca52c3f49b44a878b6ae28b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
7f7e70d20b71fe5f126833ea952e0751

SHA1
8d42a88e82f32ad9137e6934a5a1f2277cfa6d91

SHA256
e96a66916710fcba4b2e8efb7b88d16990a9313cca6c6a7098d453510651a9ed

SHA512
4f6729e472cd7f10227a84f522521d36d80298a6a477329531c5791fecb30e3bf851ae981a8927a865f95f1449c2e1f29dd3b312ff6ddb5665fe65453a804295

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
a7e98d4f23bdc3884c83d49d28bf4788

SHA1
7e75c1328f67d06e6cc68f0c8cae49745a2f40c5

SHA256
2e4f08715c5808901a3cc884233c418a29154520e01780169bf1bb852959bdc6

SHA512
f6311e87cec1dd0819b995f58a7f2b0bd09c7c803ab7d0564d512c6be7a7ada304b5bbe75cd3f580c73c5b5c9d9ea8abe12a344a79b4ed849d2e54a9624e8eda

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8768e093d9efc162e45c2158eb6d4f9a

SHA1
4972199beb6cdea7eae2d4f3ed6c94daca966d43

SHA256
eec0e5c56aa3c7cb7f216e0e61a64cc0f4cb710e5586b174ce88753b7bbe9c4c

SHA512
62e56401c5f2762ef4073e2e26a949e5e67f49d66a47eab30677415b1871f871b52abfc0a9abbe11c15dcb29a34b8c7ec0ed423303cbe7fb80c9b10ec63e8967

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c85dc1ff9ede8c0f156f02346357333a

SHA1
9f3f930cec68050c7a9eb0fb743ad610a006f6d5

SHA256
c293c9d42e543d7189473a9d692b060e63126f6e0daf066c674978bf8a9931c2

SHA512
7963f3d64ad260e4393cd7e5478b6f7a68e77113492a70dc29a69f1331fdbd9916486335527ffa6c60bbfddaab3117ebc4a6616bbb6201e6ff6d4021e343b675

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4c38066dff033b19ce8123d38a6b5b89

SHA1
5c8aff2f94975a2e15bd359d034632dbdd763765

SHA256
7e1f465655a0b5e5d9404ae35e72b0de83760c8c249e48032d907140503f97f3

SHA512
6d7bdf3396ce45c59ce83b56aaee017b2fe40e5cac6a2cf571e3036738f5e52268443fa99df7b1eafeabe5ca1730e742544f434e09d78ca07f6cba3cfb34b07c

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
7c215c16c1a819d21cb7cb8458d9f303

SHA1
cd60c61c08cfb205e043a6d42fd6df48cb048e52

SHA256
40ae39fe8b7c4454429f15bc66adf37fd74a7e0d78bfc03ca5408c5e86a5b6c3

SHA512
200a7d2ad2e3084c87797ae688c78fe653f1f60c142fd84db197356aaec01cb804dfee8c7360c302f376d151d6ef924dc813068e9b501b891bd4a7c74426a8e2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
77f9a93a04956d16e338285de48b7585

SHA1
c4180726cec2a1404a4d8d4db4c264c94ab87e46

SHA256
5ca559ba424f6ef0a43d74a812748b58f21a7cb2f25da791fc09d7c83ff04491

SHA512
90af5b905a31e756214dde23635626901bcb3602e62e8bc062c533571f7d15e13572bcd52d975b984d95539e3d513d6c14c8cf6c4bf78820288ee914c4536305

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
65d5f2e32b4064eec2e73d599d33891f

SHA1
a41eda895146be7f5afab0f135b751fafcc42b22

SHA256
85436a8cca7bec11529db81f11278015bc24077f57dfd533262da0f166890b98

SHA512
c32271ff4a13632f87c1051c3e0d080d4e9c32ba90196a946079e55ebe96cdba857768f0d9b3fed1b7f0210395ed4a567060e84f64cdb08f848f83f246bfcebf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
8215bc332c52db2a0d3eb663070637a1

SHA1
87d0475c0ab694ff2732f3aeaeae5c491e72afcc

SHA256
1b686722dda14fd5213487451ecc1495bb1718a88fb22d083471d3c2f910d625

SHA512
9cc8a0175a980eb61f1f26c2a515570503ff3b88fa9bd672633d619f9ac6be2f5f05e10b211f4677e994972590e6766a9fdda927628f5f2a8b8a0c7cf970cbbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
1bf68765b14b1f3e2a936328a15a5de5

SHA1
0562ac36dc393b909a9376ff1e44d87ffe535717

SHA256
3d3dead0d8f4f9d0575bbfd18abbec649fed6fccbcd9c899828a618315e45c72

SHA512
471c91d1acae23fadba8c53ddf2e24f369fff53f7729e00995037a6ab7cdb314e2b8acd19deb033913ac38be00a4f8b21c91bd1d6db3608b6881baef1561e5f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
2f2f075228ab6f2f2cf349e300df92d3

SHA1
873f2bf3a2edd9533f4a8a3ad8b8fbe39734cc0c

SHA256
3acecd8687838e87db6253b519c6d21fd6d8ae9e3748a64c8a26a2bdea057cc6

SHA512
35b34a8d1b2ea502e4ee8336de97f0b429c24703ccd111a43ce21dae634e32ce30c8b0a80fb2ac38f3c7e82876c0556bb9f6cb3954d1da6f8e765114c8fa6484

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
f99d2eb6fc074a3800ae4fceb9d25a83

SHA1
e3a7144a06641edda11af01460f24b3fcd31d4e1

SHA256
d44f8d4ffee4cc6e205480d559349643bb0324d192abcb4faf7a8d52a7b47dcc

SHA512
f9f58b6a29be69d60c99e53c1035ce0f91b21ec88b23425073220b185ed8d9d8626f2295a5d2db4773c19ee366c581c2267902297822995f2bbb56ebbbe0c3be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
0fed1c32079c0f5347726e4584eedc16

SHA1
936d84b35a16860b45835f9a82be2d1422da8887

SHA256
fff68dd61be37e626214e00fbebdf44ab3f1e31e7e12ef1fb7f46187ab481ec9

SHA512
18a07049bbbf72ed1bf2e066f8821db95039bed6dae66627d14534020b9981118f5ab5992412384bd2fada7c466a87799806076b8425bd189c1a255d797b6b1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
602b07dc67351cd767d9604556415b2a

SHA1
b0284af39ce47bab3269c1cf6a92ea0e31445e56

SHA256
564c790a92e9728d01bbca034549e0df72cd8effd93fe6966f4379071918f024

SHA512
af9c88005af142101408a72a0ab29a848778fefb83099dbc6556286cc5970b94a7f6f7623175278814cc81820188e2edeefe81cd3eeffb8f447c2632cbba72d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
78043376abaeee4dea7e6ee6fbaac647

SHA1
2c5a654ebf320849e956d974dc9d37ceddb002ea

SHA256
79d3136d6eb56a15ff7dadf8ec03b68948da219d200938a3bbe2b6b6c9eac80a

SHA512
905efcd4af9cc187f6c4db066d4de875c8c88f9dbac24fb77bc0c0194726067847cf1aac2e182824ab576a3f19705cb3339a08f0535435bcdbdc9caa7f4203aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
553c0a28bc96a275781abf79d9aeee8f

SHA1
a5aa5f1701c06c6548e0ccf054d29550a5811e41

SHA256
8a73087caeacc137e8bdcb41e312af90b566ab60babde30be51ff44a6734b673

SHA512
e9254b6ba7b2a939abeea4d9b869770b3ea501b94869eb8362ef7a8ef9575c1e60cf0e66d665a071278909f5b60259ca053f065d5d463fbc5db08bb743d5fd79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
8e765493231f88d97260facca3ca8c8f

SHA1
88cfa6a8d59f45b9061226c9ce06289afc502078

SHA256
0da518776fddb92528bd665cc4c13028c17ae03b74e61ed1da376bf7ffdcb383

SHA512
ccdfe9cdeaff2104b0581f2e6669aa5117676c22e8b86132310fbfe279cbc509a43af0e2bdcbc736b8892f1e63e1fecdfb0670b4ca596938175efa9714197517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
4617796c9daee9845a3150612edc7c71

SHA1
b99a72de894c35ecb87f9cc2da4c233eff9dbfd8

SHA256
1be29825cb0ee4bfdbaaa7d11a5a47834e337e13a71d8c3d44dbcb69d5a37565

SHA512
fdb25dc17f6088067fc0231e0d19f4dd462262ebf7df131e4d7116170d56a0327eea9586681a3c628608d21047250c519fdfdafdb815939e33082784540ff603

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
adf434d1132c046da3d33a8dbe0110b4

SHA1
1f5f493fc0629293041bcb6ef1540f152c9ca8ed

SHA256
1ff3ce13a3baaa04e8e29c285d1e79104b74f1c0c77302f6fb6fc6e698cc7d21

SHA512
d814718e2582f239ba3a53d5f7221f8200adb9cdc3739917cf220dfb6ce4fa79430e35be93cee2e99c70d58cdb835fe0ea6863369ae46a19b348bd73f7c7539c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
a08c807727e9157d6b35908bdede44ca

SHA1
b17820233cdc1b79934c01d964dbfb652b8a6a2e

SHA256
f9e92565d7a4c76fc4f092ec9314489c854100c5b5da4a257066580f6924741f

SHA512
1f9370dc6c6c38d6403b765faf72e68f7fe42e5054a0997591e5cdf75fbc5fcea04e597bf9bcb87a882f4018d7a9de9972ca6878eed4c65b52f9c1f7fa97ec5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
5ef8374f611ef779733e22e12602d93e

SHA1
acb0431e96a0127015cb37e823a315628946062b

SHA256
e44c870444a3907815b8015d638b260215cd8354ab7bcd6866cd599e66001db3

SHA512
e009902226c56e5a7cf8dd20885fed5ebfee886ee19891d5083b65aeaf1e344678fc0685b72488fcd9c3527909e67bfd823d35e7bf089f163c89dd6e3a122aaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
9a8124d157689a249ec2f8ddde9301b1

SHA1
f60dadadbe9d9faa8ae630a355bf3c7eada3bc61

SHA256
c616703ff95594b3c76de21c215db0667d0e44d0997ca9fadf1509616bdb804a

SHA512
16c617f9b573362d7db733b543c04bbda651aa3dbcffd1514d43ba4ed0677f1e36fa031ceb445854b1f01a9d28bda4f29a75a3e06608670e32e538ba1c00ab23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
050c44de030d3f2037a6d080eebb9ef4

SHA1
1dac813777490e9877e4ab723e04d6fa43623c8d

SHA256
a38a9801b77f60503fa61fbd199f464039ebd2525dd33e8b1d7afdf3dbe86cd6

SHA512
38985afc814655ac2dbc2fad525ff127759a02dc23d413f4466598cc4583ef626c4a26a862dfd72c3f7ac364320ca957f08e992425ce016be24f72db8590f262

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b23c749a52e107b2b8f33592f2256f59

SHA1
ada11cbffe177cb70c4742184ee204d3fa98becc

SHA256
c6e51c10c7986d1ce31c75392370281f6e3b8f50709de2b4173198f4e2db74d1

SHA512
420a37d65fe5ffcee10792e7b729084bd0917115d084a405ad78ae0b9b17dc45a70a44f6fb35d4522b7e0cdca3ec8fafe8ce3f9696edfd16021a5fd709a12564

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
81263c686fba7823f5035f776fe783c8

SHA1
3fa12517fb91f3ae54edda5819d50a87226e3d72

SHA256
d83fc0795807a3472d17426c78bcd1d1e26b45126c86c4790d60782b66c97d46

SHA512
7500b05114c9cbe20da35f467a7d102d48b9eda314f77bc5d6759d8f16d5dac7a5b23ec148a396cf5951972c1e84142a985e38c2d2076ec09190e0ad44438dc7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
b7de30bd94a3c93f7a50a4c096cdea99

SHA1
7c86922ecc2609f6309603d89bc3b2efa03db0a0

SHA256
6cab954b3ed14a77de843f0f6687b60c45ffee40d1c0179c8f2353bb82b0ba8c

SHA512
5b9049468d2d1ff0649b92b8943e9afd7c0705404a1cdaa4fe04808eb1ad8889c680ef050a142fdeb74b1ce67ef83d7bf00ebc84f0948e711adc3f0206942dbc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1c2c300bb3497098a45914647d3d11c0

SHA1
34416fe307b316325f6aeada0704fcfc423028dd

SHA256
0a29eda04bf85bfd339d964daa6d2602f954a024006ae4a3051f9a98d02ffe2a

SHA512
0da9454735ae8cca3aa6ba1127ebe4e7b157b84d7f0a2251bc21bf00d4d783a280df7872ef5f4006e0c1361f37a928d59c36dd5b8e1dc02f95b25c5625151255

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
cfc424f65e5d741c9a771845fe9ac18b

SHA1
44caab7a6ae6791e4ce1c856bc291ff9890fe66f

SHA256
c8c25067df4322fbff425af30561748f5c723fa9e53c0e212d381269b4172ce6

SHA512
2c8543cdd882849f4d62cba7cfed6a1c93ac0390ab9bc61c37e3aa4b91b8f9e3e559c45f0056338f58952bee02d2bf0161d4ae80c8328d2d21353bad720a69fb

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9b7a849ffc0e08214fba392c7e29fbb8

SHA1
696e72dc4daa52cd6d0791607b39416272f6446b

SHA256
a16c18b06975e799f3e36407c9f7b6f225e2d0a44a10646fc969862c36ff47a0

SHA512
9fa89cddfde1b819274918122131ac6198ec0b810fd494ca7349f16cc4889d86f581ccae045250d0b26605b2e576ca604eeb6dac4a40fdb561a2af8105bef07c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
6c854519bb6b88a18fb919b717f64af2

SHA1
65fe8904c2e3bb4a52fbf9c5d246e709e44ce8fd

SHA256
ee57c5fb4d97cb98934f7c481e0558201afb6b86e6fadeb04affaa32faad584e

SHA512
6a2686393073d7f548d5648a0af35bcec369e27ed0d3ca7c0e49b47620f0f34b26b14a27d4878a2418b599f8d1f6b204014548b84cd5c52ffd0cf176a45fd906

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
160e418ac462006f7a0446269d7bc82a

SHA1
64304303117be267eca05aca0e32ccbaa7557c54

SHA256
f44f08bea997217931dbb709e65efff718baaf74c1d8928a845aec501c035419

SHA512
f5f7ef4d1997325bbe9d2f2d26fb05eeee313fb38d0471901b63dd3d2656f26119e96c01554b66ee72b4cd4e5f9ec20b1bf19ea077abec1b7969856252185694

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
4b1c8ae1f1326db8dbff139106ce09ac

SHA1
a01fdee707a86b101bccf7a40f571b855347c65c

SHA256
b6f821b37eaa39154912df98c1bb59eea789b2a937850a9a2745eda677e0ff4b

SHA512
e07fc73348914bf64800d90d4ef4f5ef5c9f7315c5fefba778152bdb2a502fa683729a884659e0e52c8b816e68b2c223100a9aa9026a8e4539c7c4f51ac77544

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6ae73dda18f698989f2292007fcff5f7

SHA1
a3c955b0e4105905aafc33bf6c245dc8f321d0f4

SHA256
5ea50ae26a93ff363f72220010104881d5bd526018f730d1f347e290d331ad55

SHA512
f8c5256d9edf2e8a118c39fee18f2c90275feef70335ebcc812b8e10f13a06fb4b5d54766aeb46cf5a68bcf28dcb387ce061badcda9e3136b3340c6d139b676a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
79e6b80c887374bb4e1195d022fc30c8

SHA1
35313ef86c79b8ba57a4789b9b53b22c59bfc7ff

SHA256
e0413c937ed9782b5a7dbd9d88a71f788b81cf3167a998ff4b5d8afe5a769a09

SHA512
4e9f6158bab2ae51d2c28359f40fac7674230a1b430fc42bac22d8f563fd58ee992dabd32e83646bba1060566a440bf56a094de32112cdea181d5c4d4aa7035a

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ee022c115988b3df46ec7b1a652e53a6

SHA1
afbc3d3341310b44529f0cb322882d5aeba96c14

SHA256
e5bab3321e6402b4ac157c5b7fe9dabcbe1995e0632fa16a3bfca4caaaec2514

SHA512
a1d292c25692724681fb18f091fda2e5f19f5a4f6c9910f836df81df21795e46084a65eae1656479677bd054d07b41e19c180c54c017cf744d44d9c3f71ba804

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
e01d9744f3e91d952fc33dd4d2d8fbda

SHA1
16d5885fe0eb0972952c9a906f4aeb4804fa7714

SHA256
e9cbc521b3053881e7023d6c88b742e195354b560b51e8a2d3a1bb59bf639e30

SHA512
74e69727ec928697c8cb37f4b252cd423e9408924abce83b7707a47e707f7f0a05db279537504072cb858923722a90877861ffb559e9bfb9dae042d495244cb9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cf6b9346ef92d11c8a28a27ec47470aa

SHA1
ee5d5947d03388aac10cac2712cb6b8d4d6c44e2

SHA256
5941be78ded79c0b3a94ad95b7ed149f2cc688981f9f4e4108b168fc8f790d7c

SHA512
b27c2b55ae43969a2800951b878a3a45b5fe65fadb50d162bce28945dfb4ced8c58d9fa967609b24455b69af0a98106f51005a6b1bdab49ec2c33bbdfbe51b1c

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3e9c836902952169415d2cc9db03adde

SHA1
10daf0a8d08ccd5ed8e77a9304572d2a7353cd08

SHA256
056828d9922f3354fa8717bdd2ae243ea68391d54e3b1b5de89fc9c6880739b3

SHA512
54091dcb1b047bcd5c14a884473884fae574c1bda8982f032c1d7e3d4d173e64ce6a79dd815b3aab43d91958852beccca62775150abedae64fab9709f38dccb4

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
85229707a140e243422fa535c37bebf6

SHA1
904a4d848539da9d29f247e60ed909515b53c12d

SHA256
6218b74c16955141017b7dfad6594f9bb13d9b535953185b1ce282cae994721f

SHA512
50332bdeee456edeceae0e451fe07167844dee0e8590bf7a7eea2ece8d633c101e9117e51332088b158fc7e8cba5cfd0b77fdec56d5532cd84ab701342ec5158

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
3eda6f21f6ca44fd7f643b59618180a6

SHA1
7cc8a5a0a1665f31af2165a4086a5e52784ec80e

SHA256
9ad27be92072c3771d294286b7ed9a52d0af186b447f4c506e1a28f0524666a3

SHA512
67059fdb2fc9e50833861f9f84b345d462d685cc728b3d1e0c2971a5f7d9dbe93036b7b1365c554d9fc2a8786f8497c5209ebdd5cb1c7493cdd2be7bb407a5be

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
61ba85bdf768ea78216d903a97653b1b

SHA1
5bbcf131fb5fce22f15371a3c423f019d7061919

SHA256
b2a58e042de6448dd493390d873526832128a3ff1aaad1a1419feac6faba969a

SHA512
a675e5354a6247d50dc2ab8d89d7e305cdd2199c2b4755f6fe254f4dca8a655753c09d289c8b63e4a9086da5802de5524c73cbc81559e2c8362ef05609c296bf

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
a5798487cbc6302d9205d9de5f5a8192

SHA1
d2958d593d817376b27e82b604da75e0376187d7

SHA256
f611264ce93f9d0d05cf5cb40faea136a6644a2f0d0c355681ad2fa7049c2151

SHA512
fe87e517414eb0a121096b848541902a4937ac42bdf8bfa3e71d15551c2f5710fb2849c774ba4b8b9ad6986534eb96789a333ab5fc63568c100e6527f45579f0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f96943b83fedb329768f6746ce3e3fe5

SHA1
4a71cd961c6afdf884a412639bd41b43d27bd437

SHA256
cb241fbda64cb7ec0085011106c7834361796a62419b3e8d4985b6b4884410b3

SHA512
4ac13515f058da74d78cef4089232cf41bf274bce74243139f3a3b0303fc5c2eb8f53a5a595833053eb8defb3424db3262fb630e7fb248272a191a3bf57ed2fe

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5acc5ad0c3baf1945ca4515b4cf96565

SHA1
8e3058b404989b6c77a975df1ea59013c016ac23

SHA256
c1c6fdeeeb01a494945e34cae646bc14d79299a0c96e065d7ddff86bd2e70e2f

SHA512
e585bd53121ffe65fd7a57249d84c030eb117d38f7abaf361fd5d8f901735eb2b2a7653ec9cd3e3d7909e717444e116a859b269d5967b405a685e668c118db58

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
1e1015e9bf49fdcb121f0d60bd20cab2

SHA1
c1bb95ae1fdd3b4e8fded9745ec2d87960750ca4

SHA256
d3d84fc50eb56112147f37f0b28b89c56280c2b0fdb3131c86d6abcb55b4dfb9

SHA512
18d203bbc6d585b35f077036c381fce206455fe7bb58dfcce3a82d7b1c55e0f0a9f38e233c557dc5e2732cb4c2d9448a9dd2ec452fb619dfc1c6068b2587ddc8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
3dff0c3e6d3b1150c82d8a6ee459b08c

SHA1
09fb63fc5042918b425c70ad4c76e25b06d2c947

SHA256
da9fdd215596d2ca62f733e8f42b47129a55188e765ba4b756d4e07b18b9ca51

SHA512
c0b0ee2ad24dac22beb545d380cb08bae04457a83134f28a84823ce72667eaa948f4580e2a87f7ef49eae64717a77e64635ab8009aea6250a6c1c29a34225b2f

Download Submit
memory/624-260-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/672-264-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/976-261-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1312-259-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1408-9-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/1408-0-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/1408-543-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/1408-544-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/1408-7-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1408-1-0x0000000000450000-0x00000000004B0000-memory.dmp

Filesize
384KB

Download
memory/1616-267-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1804-52-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1804-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1804-550-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1804-58-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/1876-72-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1876-78-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1876-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1876-84-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1884-553-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1884-270-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2292-90-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/2292-253-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2696-549-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/2696-37-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/2696-35-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2696-33-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2696-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3204-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3204-49-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/3204-88-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/3204-87-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3204-85-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3204-39-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3204-45-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3308-265-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3424-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3432-546-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/3432-545-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3432-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3432-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/3432-23-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3432-25-0x00007FF89F910000-0x00007FF89FBD9000-memory.dmp

Filesize
2.8MB

Download
memory/3588-271-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3588-554-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3652-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3652-258-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3652-551-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3652-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4216-263-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4452-552-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4452-268-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4564-269-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4600-255-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4608-262-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4608-510-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4836-266-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download