383778fecc20e580ca09f3d0d47f27f8bcd35f6f4da27a66e1a28d74ee30e75e

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2024 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1667c03077dd877635c5ad64a6c62070N.exe
Size

2.3MB
MD5

1667c03077dd877635c5ad64a6c62070
SHA1

c0753e4d2c04954614eb7e98f78c2b73dde0acc7
SHA256

383778fecc20e580ca09f3d0d47f27f8bcd35f6f4da27a66e1a28d74ee30e75e
SHA512

d7a5815bcbc5550bb99ebcb653fbf93e7796715c30fe05c5ed235dfd4504240ba1d9e747067bc3434c5897ffc87b4f36ea91d30c13337ce5e23df803eb436215
SSDEEP

49152:nQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0jAf9Ckt7c20+9qNxUW:ntdnfnwp3oOLuB/3/uAfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
1236	alg.exe
3112	DiagnosticsHub.StandardCollector.Service.exe
3972	install.exe
2988	fxssvc.exe
1248	elevation_service.exe
860	elevation_service.exe
1432	maintenanceservice.exe
2004	msdtc.exe
1828	OSE.EXE
3632	PerceptionSimulationService.exe
3852	perfhost.exe
4072	locator.exe
4540	SensorDataService.exe
2056	snmptrap.exe
2444	spectrum.exe
3412	ssh-agent.exe
2708	TieringEngineService.exe
2372	AgentService.exe
1924	vds.exe
2508	vssvc.exe
4336	wbengine.exe
4932	WmiApSrv.exe
404	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
3972	install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\11dde1b792844182.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\locator.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\System32\alg.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\System32\vds.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1667c03077dd877635c5ad64a6c62070N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	1667c03077dd877635c5ad64a6c62070N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1667c03077dd877635c5ad64a6c62070N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000026030f6395d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bcbf736595d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e167f26295d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1c7b96495d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038986c6595d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000058cc5c6495d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b695a6495d1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000071fd306595d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe
3660	1667c03077dd877635c5ad64a6c62070N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3660	1667c03077dd877635c5ad64a6c62070N.exe
Token: SeAuditPrivilege	2988	fxssvc.exe
Token: SeRestorePrivilege	2708	TieringEngineService.exe
Token: SeManageVolumePrivilege	2708	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2372	AgentService.exe
Token: SeBackupPrivilege	2508	vssvc.exe
Token: SeRestorePrivilege	2508	vssvc.exe
Token: SeAuditPrivilege	2508	vssvc.exe
Token: SeBackupPrivilege	4336	wbengine.exe
Token: SeRestorePrivilege	4336	wbengine.exe
Token: SeSecurityPrivilege	4336	wbengine.exe
Token: 33	404	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	404	SearchIndexer.exe
Token: SeDebugPrivilege	3660	1667c03077dd877635c5ad64a6c62070N.exe
Token: SeDebugPrivilege	3660	1667c03077dd877635c5ad64a6c62070N.exe
Token: SeDebugPrivilege	3660	1667c03077dd877635c5ad64a6c62070N.exe
Token: SeDebugPrivilege	3660	1667c03077dd877635c5ad64a6c62070N.exe
Token: SeDebugPrivilege	3660	1667c03077dd877635c5ad64a6c62070N.exe
Token: SeDebugPrivilege	1236	alg.exe
Token: SeDebugPrivilege	1236	alg.exe
Token: SeDebugPrivilege	1236	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3660 wrote to memory of 3972	3660	1667c03077dd877635c5ad64a6c62070N.exe	85
PID 3660 wrote to memory of 3972	3660	1667c03077dd877635c5ad64a6c62070N.exe	85
PID 3660 wrote to memory of 3972	3660	1667c03077dd877635c5ad64a6c62070N.exe	85
PID 404 wrote to memory of 1580	404	SearchIndexer.exe	112
PID 404 wrote to memory of 1580	404	SearchIndexer.exe	112
PID 404 wrote to memory of 4868	404	SearchIndexer.exe	113
PID 404 wrote to memory of 4868	404	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1667c03077dd877635c5ad64a6c62070N.exe
"C:\Users\Admin\AppData\Local\Temp\1667c03077dd877635c5ad64a6c62070N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3660
- \??\c:\017a1d1976e513e7bc25\install.exe
  c:\017a1d1976e513e7bc25\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3972

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3112

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5100

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:860

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1432

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4072

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4540

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2444

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3576

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1924

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1580
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\017a1d1976e513e7bc25\eula.1031.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\017a1d1976e513e7bc25\install.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\017a1d1976e513e7bc25\install.res.1033.dll

Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
20f71e27f8175ea45581e8d66f14bd86

SHA1
f5d2913814ae92670498d94a9d49476d46aeaf71

SHA256
2d78fed246b9397226ab97dce6713845b6133a3e262c26177771d3a8b0d60ab9

SHA512
7387941d7c1349db5a540aa94625d539aab55c449528ae52267f1440aeca218cc02abe5bef83b4941589b753df5851dc1ab820855bfebaffe59a8c4b979cee2e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
110aa3261ec7888cd9eab0d29418943f

SHA1
a29ba2e54295cc983a6403a8ae6197e7a3842a8a

SHA256
c1c2b3d91ec94345136b34b95da3a6059ccea586f68b7b519a31aa6d395ae00b

SHA512
7881ca4666536ce4d8ce951f7e26f54728ff47f6201d72f7ba4d4b614a1617a9a3402a13613c70a982bc8c16e2d3d97076317a7bb237f7940e49100e1e91f0fb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
4666d2c7b207f6a4a20e175ac2c20628

SHA1
24095aabaa44fc38dccbab61471bc72af123ef88

SHA256
97b6711b85f2e8af80ed3f3d5d1b5ae04138b0543b0dfc9f356917e7c0859de8

SHA512
82dc80eb4c01cca2e1223308fbe37e14fac60a1fa849e421712e80a66e76c191782949e5bc1c20be7c392fe7dbe87c1b02ddcb787b5938401455b3deff422817

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dc11e7c9c9371d8c9c30840ffcd58fa3

SHA1
773b9f597267113783d0bd064cc8aa4e8b34eedb

SHA256
26e050bbeaf267de72479f4ad8aa5d917b81044d1a73804d95938a01b06e05af

SHA512
7857b62e680d991e8a89968ae463f5c00eeddeef869cc12c9b331743fe9d7fb5af7f1c207c230bbf996095c3e0fc569d4ebe861680e2529f4613ae9a87ec4a16

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8928e33c906645930c67f95b4a2116e9

SHA1
51fa2a23c1c93aadaed3e21394efe0a6e4a06283

SHA256
63bc800e36d6661989ae1d4f5dee32a1a2faec50ee7478506dd21db76b9eb6de

SHA512
6f2b57986e0e005e53e3f89133022f80ac3d1e1ec882ed189413f06b0999abe4217fc943775569016ea2fc2d757898256f0ecd74d2d189cafab39a998da4cd86

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
580318ccfb0f93bf5c4918b570403d35

SHA1
57c0e6e64df4979a3aca73a780e1eb8c07f1c246

SHA256
80035a6e36f40cf2b7725b0d21baac4e64d0e3ccf6b91c35bfcc6e33bc01d8c1

SHA512
a011ea29868bc3ece94370315bdaccd51eaf3c3c09f99411cb1a28ca98458d248498d1e11e7c5e93574bb719878c92bb2abbb0d5c6bea132414db943b9ca6655

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4299c9ec4c7d5ae24e9ed3d6a63a6b00

SHA1
ed2707c18fa2ce75374b1fc9c1f6f0eb970b927b

SHA256
95b463ea09a4581931c9b5df2c21a74b6d5caecef81b1d464f4e55c5ef8efa5b

SHA512
2fec271ba836ee1fd94a6a1e1eb9b2f37896d8c271d13c4066d5c443edeb88473a2462eb50be16ef48bfb5ee02f86c5044bbeee7313ce136589ddedacfba58f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
eb0c68dfb0f93c2e10a5bc3be29ebd55

SHA1
0b1a1f8ecfc5a6565548f82212425db39b019399

SHA256
0d0a85874b1f3e4a9a33485c0228c0296bb93bf7225e57faced339f719e77240

SHA512
ffd9cf043ce2241d96dde09a93d892289f053ddd372aae1436fdb6ab2f1a02c5be1eadb4c157d5b108723e059cfb90aab5b2c6a727b44aec2eef83517d67ea6a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
00f5adedf30def13201f940eef0ffabf

SHA1
21b4eb2bec98819d6886db05eede3bdf1e9b8493

SHA256
0af900eee6db72cb38961dd0a896d3e369d7f8e14bb1af58794e974ef4d5fbc4

SHA512
01deb30109e144ba9f38e6c0d880fccd0b97d32ac4044b4a79014917191577609d7b799034bf75eafb78383a78fc3e3653ab54dbe40ca49260a862bd58277241

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
a4619331dc93e6adcda812806d815626

SHA1
d3afe488ae670cfc38f30910912900a59c8b6e83

SHA256
40aa592786c29b5413f9d23bb08740fed502c4839224b9471adc81fef8fea829

SHA512
7a32bf394137231c0e75d2d21979932931abf89d5e0316406f11778fda75fcfcdb5301356c4c89123a11b820a5af5d87b87d8088e5564a4cdf7cc576a4eeaf9a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6ad9e5f3414eba412d3151950a43eb69

SHA1
20115b8c83ec61d5cd44f185e3198296e57abfca

SHA256
894c53f5a0dd06069753debb95d3bad4f3826f1e19acc17fec8af79a30b60eaa

SHA512
59de00936db4c4c5645800ff4781f75654521995dec2b57f9ca7f7dc6250c9cde734084ac8ee88958e3cee6b86b564ed75c897829f732f4df35b36af0a6e61e1

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a11ed69ea8c22f2dd79ff032f41ea2da

SHA1
e780d77d30b6352325981734d064dbf7e5401acc

SHA256
e559b6089627847ab34dd9879d14152ee2a7d3322447b98d2855cd201f4cd2f7

SHA512
07e396da8a6f86405142581e2fa2a2120f7eec80530cf68ff4aef73cb6cdbe67b3cf25a787f50380fb50742121c2cccea443a2e8b8a1d8424ed4ba8e2682344d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
60708b4324d1d9a0b35397f8bd123ba5

SHA1
6afb8b0f4db71d5b1bd9493dd25048cfc1547557

SHA256
cc7774c33fa0fba61ef68b3330c1cdbc4a898f5eddf4981f67035f6284481d5d

SHA512
45253169e330aae5c6132587da6793e96ab0d041047fee7a65d34ee84c1c4fd18d0429f6904d3a96a52ec3cd8b1b9f6b699f5297f4fd31f74e16833447674ef8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
122be590db143ff21f0961bc10e4ce3c

SHA1
3a61468d5d5660ae23d63307760058ee31b8bcdc

SHA256
af1d8d20a2429acee752c8ed13949515781580b900c8b302708d854b85908daf

SHA512
01ff4c4103c469efac87101419b088acc020ccd696aff944ad9f4ed775b79e5390e63e553546750bac0ac076099c2465f33316b84b89210e442bbd9de538de35

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dd749946548d12507cba3934ce7abe6c

SHA1
4716e25a8fe4aa1695326b46ca9bee48e9245969

SHA256
25afcb2613cf077b763d5e748d8600d88bdac53419ce3af6dc633fd63c34843c

SHA512
cc631f8dc871cb656c7f2221a19fc09d8d273b58245430b6928fc7b71e89c993fc691846af74217b654c4e2f8331683a70d44746afa9987200e9f2e81018f075

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e95924cca9a7fb4606fd440ad0d36947

SHA1
af6fe022d87cbe3e57dd94dd61c112b043c77ffd

SHA256
412dd4bdaf5696081d85f581adf388b1f7997a1f907affbdec7c356cfc11b67b

SHA512
a8cb45cc5eecd5b8b5911e99c7543b5b3a332489650ebbb1d48c61a105862a33ed18e6db7c73c1db892e00ca216fe1e5d6fbde6b3500a408e7713eafe5e83621

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
4995eba81fb78d908775c1957ac00d68

SHA1
3792a1cc0e4713a9722ff11c9fb5d6427ac2d5b4

SHA256
6f6be576f8e56e914e6a51d4b51812ec19e640ed7f343f60fcc535dc4f898b72

SHA512
0e31f521372d2d6e7cee2e709141a75c39d22042490f1a356bcd348e0af12b2d681786070671a019099aaee9173dc91620f1616cd5b08c8376ef2c34e4e88819

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
3cf701c78e0ab7bd7b872d72673307c1

SHA1
795e0648beeb5426ac72311da2b9e997e3f6d716

SHA256
040d9c6f74cf9c797b057995ba211e2aafa1231d0bbc88f26d359b140b2a5463

SHA512
c7ea1c1c6f8559a1c51aac5b5377fd672f9231e22a2239cfacc9727b372a4be50b0609b754eabbd3e94cdd61970a0ebbbf504bdcdd5d3fc6bf83d5e57091b1c9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8b8d9a832944bcfd8b44a27ee737c404

SHA1
226e22547f393de5c6cdab36c89db835d1864a84

SHA256
09ebef50f60acddb3621c8354958c16d8eb74b3c221860f8beb188f623dfab51

SHA512
53473da6cc59f6d1173f32d9f4b49076db1cd7af78f7117761310617e8defd1eb49ac1301751008ecdfb132390a0beeef151357852a7712892907ee40b8e6454

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
dae1229cbf6035d91926feea5f3ee867

SHA1
934f4f7dd5653e2d2a0105ef92f47ffa0e46be76

SHA256
a206c61afd355b0d9bb97cbbe766d66f2ba131705f8a8dea3d2694d44a9f6a1d

SHA512
6d161a833c26e613f6fde1e808b69e9ee0553a7197809f734ef04b747fb57696968ecfb11ddc6e90754f02d82e101c099c75a3ba0f339dfc807d136c266fadb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
94b1208ce1a349eb5760af63b33e2993

SHA1
1bf0cf17eabab4b36d8f1f3859989f71096318f1

SHA256
528c73f3969dde8464346bc5370e5e430ae87e20cb8d11e9389331881ded8eec

SHA512
95612dca8c7357e014f9bd612a947c590d45372cc201a08ba65f25093fd0c1bef7db39a7821c35f2e4b4d087829bb21f1e38c995d623b0c5107407f3911db14d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
914ddcafd4b24bfdc28c885aeef82182

SHA1
ad1fae47882c850fb0508df56b5204c66bcf55bb

SHA256
36c125fb57a85ab9e0acc0189d835049de2c3f7ce8ad52f642d8454df73480eb

SHA512
c3d6e41d93b5dc91bb999c5ba37f46b54051bd767c93e686366cba51be8398815c2510d99a92d069831b89f86e9676e83b3ec0499964f52806d3fd89230b3511

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
79433196ab6e179d95ef2bc628d11987

SHA1
0f9a332a718b010fafa2e3abcef0b4f78d66c507

SHA256
eca5949102555f60a370822e5a60da137e1641e3bac9161e254784660d24e9bb

SHA512
7a8644d23cbda4ce879467e274653128da2dfca86ba236eca74b2069ccc2cbb738455c5d046024ee8baccdf3d0eb3f147b29d4601859f2ccd01018e3578a2545

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
99e25cf83617ab90bc17858cf96a2e52

SHA1
1d13b63a9443bdfbaf117f04e8c724af37042659

SHA256
c267777e54c03503e0f3bd3c0bf1f2bbdb706f5eee1ebcc3688f1bbbdacf26f2

SHA512
78e727ec25d586846c87bb9d11efb174612b98a8f42798759ddd251319b713ab061f98c6265843298c9fe19a0b6e2d8f63af604c13a1e41078d910888f07f937

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2d94de22eaa9043506ee740a5f7cc781

SHA1
f631ade502e2d2acca7f23f3b38a16954ba05b78

SHA256
9a32387a3f77aec6ff0e8d42cf66feee0163a02f57bb255b0550ca76c18d92c7

SHA512
b6b887f60c92c09440031420b3d72a1357598ee399cb7059faa57b366b422ca4c171671cb564a99d3c093aac36593248e41319388db50c370109ba95aed4cf3d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
38791e8cf06a35b2bb52c6603206e732

SHA1
0977b32a93f411464ad1f7295ae2a5950602f49d

SHA256
60c611a9a01c0ae463f45dea34fca9b2eb45b34ad7243dbb73be121ffde4a222

SHA512
5c9f083505e1617aed0f8a7002ce61298d435d78ab20eb9d22200ccdf002018de6c7eac84895b10b4d78f7eb06367ae34b38464180a2abab4d1e8050f0e7c845

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
b64eabc61264b3bdabaac4f0cf9817ad

SHA1
df23a232fd035b64afa171ff5fe5b819da076ecb

SHA256
1e308aa4e31fdcf3d97302f3a87674b114bab01a430004d4cc5f638a27571b5d

SHA512
f0b2f339dcc3c8ecc4d5049666c6ee46c6e35d6f29f7e6fd619278df19110df7831e498071f835062c326584bd77448043defc4c7240b6b5aa6dd5ce3d2afb40

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b500da5564f487acefd49377208e799e

SHA1
3eafa703f34683911d4e74c21c20923e5321b047

SHA256
385cf2b6598eee68f713d23f1126e6d75383042d366c53ea09f50b24bafaa66a

SHA512
e93c3c401b52060be6fca0b566407184ebd4038e39819c7b4e89f8811af54331eec61c46442b84cff94daf5e48ccccd63ace198d9360fbf41451d6b14d7f5822

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
21f4d8a49cfe9e8645d28d15041ff596

SHA1
870b233c8ef9c84915855b0f33bdade05e4bf909

SHA256
33d24e544f357dc4d7814eaccfa3a4712c9699f537578c1e066d2f47a463fd23

SHA512
9dacc5d7be0310cef539d3aed9a530c0b2763201324cdfc710e60bca85212c078ed2925b18a3c1df7115c4729564c9784e8efd0daa9357cac25503cfbd591a90

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
f21744aa9bdf6cb67c607c1ae7476ed2

SHA1
122e76b467769a90c48e3a2e8bf2201f9405f84e

SHA256
8c6bb4b75867c06c98c1f3f7c95e8872917cadc367aa59e181db253c510b7086

SHA512
2738ba9fb2d925c2a51faa746cb5625d40bd2a48c6e0a602a024e396c05573dadbae7c978e9cc59f9f88dfbc60b899feaebbff0b00bc0a570c217b6a661b970e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
367ded07d506dd3e8f095b4eefd2958d

SHA1
d30c8d3390facc4bb2ab021be2b7c58d73b0b086

SHA256
30c5c8f0334b4e0c0d8de993a4689f5bc8acb5cf862b63725488b2899583eff0

SHA512
0a480c40014581c85480dab318c6b85a6f1cd9958f1dbc3fa0dbb3f438ba761bc0849f7ad844268698adc64eba442d54a67a0163a60ab7dc81745e3147d85c12

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
df0016a2302c5cc14e5c8f2c5e8cb9da

SHA1
0e8d69aaf5b391070a50895f5a56d68f9a256b35

SHA256
3a8c0a62050fdc7c44c0200718ddb6571e07f2c2860b59f1ffae2da2b3566b63

SHA512
b551fdfc55294120f6564b80d38a8bc770281bb99b4f08fc96316251393d17871506329da45d9094eaa6038c595f6ecc55cadab399c712493c962d29861856dd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
df256c45cfb6f8a6393681a23595d161

SHA1
9eb37391c85d04f8caa03d0a4950aac114367121

SHA256
5f08d3d9514f635021e3836ee2be4a09f346e434d39c5175cfd06caf0b3a6cd8

SHA512
3c5f9ebd8f533bc8efe0bdf5dc4a833baae9dbb478338ba5af03a5629d31ceecc516016c197a5391f3125423f44c02a62d91ad8d0d7b27fbd4cac74e8b69da43

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
93b91f79de5d6b436a51a3d0bad248dd

SHA1
d4ab8b516b59483c046cb5027f3e11147c552c5e

SHA256
0250cef10df0f47881796676d2ca768a93bc7f8aff6015e6bd35f73c31ba1805

SHA512
ebef1f26778ec45884ada66cd5f2524261940a908d75ea7bfbde5184a8b1a44852f30db4ad059625e6b5c327bf15fab7b5d3f390a811323aaab8cc5fb862bf48

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
dcb0d1900650d139a40cd4cc77d8a4eb

SHA1
6ecb7e6828139ebed0dc83113a9b3abe3c0b7b37

SHA256
ee72614ec89340cb3969c4a84c10d43e806765e5c3860df8e6f5af1d301eb7a9

SHA512
737887137807650319a27e335d3a5f44713ab6418565edf1ff0f6d9603c827303c335a04eeda647194bc354010fe02598b21fb5ae46829ef0f32ff89a29d505d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
fc6fa9f919b5bb14e84e539b6941ba4f

SHA1
63c0cdd5cf4d9d2b3726716314de18faf7dd4f92

SHA256
ea48759ef27ae8b275648e22b846e77535ab5eb4b6bc09287a3d25913bea838b

SHA512
c107eef7d642cc3c6497c05df0e7b81190fdd379b65faff063b5bfb995ebc314d4e2670a5859a65f36dea6b0abdef5884dda199c366b3f234ec674a00a1f70d5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
09b7ffc2a01d4e3e98c1d12bc02b7e77

SHA1
8172acf1c96177b0e772820d6fc2bb81d0efa02d

SHA256
2e770521a1d3c15cea059e1076193fd8aaf4894edf7bea10863ff5d6658de954

SHA512
4534abb47b84ef9963c6b454404c9a72ff2ee771b8512798a8215a9e4e89e875c334a83adb1c60a0260e04dfd478310f367cb720bf2d81106deb750354743d81

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6b92748357d102d8bf7adab9203cb034

SHA1
78643a2e335ec9e3c923bf2058080a1af7f5cd04

SHA256
281abddbac8c9c668dc99dc8f1fa54cf93c94f1b1a60e67ccec34e124620fd39

SHA512
c16ee7ff1da3f928ca3af04a722846227e60f196b62d200b1a22327aaadee3ae2ff63904d5c8fd8b6ba869706578e33237e26459587b0b691fbecca82d51f9d3

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5bae214cbf9fa7b969fbc6937b524eda

SHA1
fdce0503a3a03053d35e4c554fac489e8af79009

SHA256
8888c5d8d80b6922b9c6b7c334f961e56b07ae7716e7259da1b308d31f574c17

SHA512
3f2d3fd3e80765755f3f3e47443911bc54976dd595014539e6507e060d87edef77a25adc2b978b3e8a867274680f43b61e8068288854251db7950f7a030459ef

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
5b65bd898e89bdb06ce5919a9dce26f6

SHA1
4182f8eaca9776db76d6b47681022a907a2ef195

SHA256
e16602c4196838f853ce5cdb30e7cda6c2d3989fe4ce1d778ecd236ffe43b1d2

SHA512
7e9679716c44e798098d78d8c350cc751d05a9b2fb3c132ea7ab57557dcbed7c1afb42032ab99b2e9c6140a0c3d2864dcde4c6454a105f9574bfa3e8c59ab84e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3eb7bb9bb8d1fb67896c80eb896b5b24

SHA1
df55ba7f7dbaed9b20f5547e9139412139cd6d62

SHA256
d210c2d657a7d8b3e391e9336ae464575d691883e59ae864df24bbf8215f7c3e

SHA512
b9cf9b4161bd3c19d1abe4408e12d183f2a7ed2c1ff8c5b1ee847495674984d44f0f1d07ca7a2de6bdbc1ae70e32d3835fad3568801b3d90c88ab64222378619

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
eedcb023684cf095eadf1b1455ca09ca

SHA1
6ef02501c2a6a16bea83365284960903e06e86ef

SHA256
a0929bb58f4af5a115a13ec8eb7481b9a6ecba334b923f56eefbe52497baf04d

SHA512
31e1b7d9bc50da0c8bcb732fea7a9efa336e74cb6c3f2eb4059b30e362161563da7d3c77117bb7155c7d312fa23028c350b1d7f6e0269fb77ab6fdce09c73236

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
7503134a033aee93b300f8bbd67ab0ee

SHA1
6eb392e27c86ccbaf2ad87e42c4be26a08460bd3

SHA256
db2d1edbfb6a48b35d744159bcc1fa5a6be14f9c0b9d8e5e3a1faaef23339ee0

SHA512
966488038aabd2cfaeae4781288d05a3f23c7b28096c4c935c0178dbc1d9b5bc5db6c07e1beb9e202678db6310fbd4ea730eb4e28b00dc64945d09cbed818954

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
31a9ae795d99b8fd84472dfca2604365

SHA1
cdc438a70a8862db70938775c5bace51b0305e92

SHA256
4c87c6a85dd83d9e8a4bdbb6523e19983870a0a4aa4d4552470307fce962fd23

SHA512
8c5fffeb5386bad49a8516f8b29c081afcfe82456157ed2f7bfdbc415189e32fe3d368a92af7e9e5bcdf5674953795f875b2436f0dc60299831dec08ebaa9a4c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e449891e0e4369e43341e662bcdc5942

SHA1
44d95631d9ed37f8a700ab27744d9a0a68e473e5

SHA256
2a2685bb4536dac494ebf611dde86979e5668f28d1281fbe3602cce559007a14

SHA512
e9a720ed17b94d483026de8f6c00bf767545290210e19ad36886fcda417418863dc5cb85902a3f4dd4f72174585c3524bd53ae3881ffa66c314e4b94c6a4fb69

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
9dbd92c378bfeb5fed133dab479965d9

SHA1
15a7b0de4cb478a2e93e395bbd959cdedb216dc7

SHA256
998070c7d44a3b4e7011c426aba4f42253ce984420945bb932317318f17d0936

SHA512
a3b00c8986f1771c5eb936da194d3244c1a43227294253a28fb16472942f67f066f961319f2a8c753616776820e1143edd7d906b8635d7961208a179a6112587

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
db81d246927027264e12069ff96d79a7

SHA1
06a4e9989db197d81d959350f3753a8b77bfc9df

SHA256
0bfea43ff6afb1459812feed4a93f1a33ae0fb3ad8194b8821dff391ffd3ae10

SHA512
750529592c4ca8ebda2c3253069c6556ca101cf746754b2e54253009bdfbe328887dbb93a4306da112d9f57df1322e6dd70a49a4fde689bbe36b8d12732fdd08

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ebdb438fa54132c2dc65d04b156a5485

SHA1
79e8547c2928b035ff818b21fd31558a2e3b89d2

SHA256
d1a6cd51ddee615a20f094787437880d7bf25d3c0376d6db8ba942fa187e1fd9

SHA512
3aac5a171567ff906e5873a39dfa59461a9a63ca646625e54f807c83e734f8850d0d48193a5cd9737a51de226db07816a4b16db937212c3f148f8cfda820d3e1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b24f8a1295ed6a5589fd0996431be158

SHA1
250b83fee0b38433230483a0f598806d152cfbd9

SHA256
9e8a600514f840bbcd4e8c71e71dbc534ac93a940f4674ca69af315ec4e5b586

SHA512
39c42667e4c2f2ed9040dfdcdd27edb7478acd6377239993896b23b1fec81543120d7f06a78c3f6fc73f2f656f0d27188ce63658e6e29746f129741d6f3c81ab

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
ba7183046e8fa2012a41558e6060aaf7

SHA1
a4a115ab578f5ed32898a02320329ea9d986f4ed

SHA256
99b79472f81dd5389d10af9a41432ecc45d0652c0af15104fca1ec96cb064434

SHA512
f203c4844411e8c00ee52476c6086dfc9cd15845cd50d29ded9ddac18d8bef0803726eccf622e125ad2b96b6a9ec3d9d1a65443d3514d86adf141f2e631f0739

Download Submit
\??\c:\017a1d1976e513e7bc25\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\017a1d1976e513e7bc25\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\017a1d1976e513e7bc25\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\017a1d1976e513e7bc25\vc_red.msi

Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\017a1d1976e513e7bc25\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/404-304-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/404-594-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/860-211-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/860-104-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/860-102-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/860-96-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1236-157-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1236-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1236-20-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1236-11-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/1248-88-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1248-198-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1248-82-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1248-90-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1432-113-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1432-107-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1432-115-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1432-120-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/1432-122-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1828-143-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1924-257-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1924-588-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2004-123-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/2004-234-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2004-119-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/2056-187-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2056-410-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/2372-235-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2372-247-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2444-199-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2444-487-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2508-589-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2508-261-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2708-587-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2708-231-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2988-93-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2988-91-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2988-76-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/2988-69-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2988-70-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3112-25-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3112-36-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3112-42-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3412-564-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3412-220-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3632-158-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3632-260-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3660-142-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/3660-6-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/3660-1-0x00000000006B0000-0x0000000000717000-memory.dmp

Filesize
412KB

Download
memory/3660-0-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/3852-161-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3852-272-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4072-172-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4072-284-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4336-590-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4336-273-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4540-563-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-301-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4540-175-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4932-593-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4932-285-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download