76758008c8dda8d48d3faff0d7f23dbe5970557f725653f5dce55666fa4ff91a

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9b46dc8a736f92d787be79520103e0f0N.exe
Size

648KB
MD5

9b46dc8a736f92d787be79520103e0f0
SHA1

0b65525ed00c5c6c2474b3b40fbcfa26457bac2c
SHA256

76758008c8dda8d48d3faff0d7f23dbe5970557f725653f5dce55666fa4ff91a
SHA512

d7955a455c19a22297381804b04914250c6a2d0d053bc5b97fb793d3cb5b444407cbeb48a3e1ebd125b70b00c46c97acdc8a29c56c9a8cd1d30ae0e15f23b06c
SSDEEP

12288:mqz2DWUKWRPelh8t14F4YfDY+o7KO68G2G9Ih40cjs31K6fq+hTR9PyuV5xFpQo:nz2DWoRmlh8t0D+7y8G2G9yL0cMoThTd

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1132	alg.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
2508	fxssvc.exe
4836	elevation_service.exe
5076	elevation_service.exe
2484	maintenanceservice.exe
376	msdtc.exe
1488	OSE.EXE
5096	PerceptionSimulationService.exe
2896	perfhost.exe
3844	locator.exe
2936	SensorDataService.exe
4048	snmptrap.exe
2916	spectrum.exe
1864	ssh-agent.exe
1576	TieringEngineService.exe
5116	AgentService.exe
3328	vds.exe
4932	vssvc.exe
3016	wbengine.exe
1660	WmiApSrv.exe
2468	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\System32\vds.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\locator.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\46ce9dc1fb58d5b2.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	9b46dc8a736f92d787be79520103e0f0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9b46dc8a736f92d787be79520103e0f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099ce224bd1e4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc6de24ad1e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024a53a4bd1e4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0e0354bd1e4da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fcb2c94bd1e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a87c524bd1e4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a046db4ad1e4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
1000	DiagnosticsHub.StandardCollector.Service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe
4836	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4084	9b46dc8a736f92d787be79520103e0f0N.exe
Token: SeAuditPrivilege	2508	fxssvc.exe
Token: SeRestorePrivilege	1576	TieringEngineService.exe
Token: SeManageVolumePrivilege	1576	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5116	AgentService.exe
Token: SeBackupPrivilege	4932	vssvc.exe
Token: SeRestorePrivilege	4932	vssvc.exe
Token: SeAuditPrivilege	4932	vssvc.exe
Token: SeBackupPrivilege	3016	wbengine.exe
Token: SeRestorePrivilege	3016	wbengine.exe
Token: SeSecurityPrivilege	3016	wbengine.exe
Token: 33	2468	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2468	SearchIndexer.exe
Token: SeDebugPrivilege	1000	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4836	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3708	2468	SearchIndexer.exe	112
PID 2468 wrote to memory of 3708	2468	SearchIndexer.exe	112
PID 2468 wrote to memory of 4840	2468	SearchIndexer.exe	113
PID 2468 wrote to memory of 4840	2468	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9b46dc8a736f92d787be79520103e0f0N.exe
"C:\Users\Admin\AppData\Local\Temp\9b46dc8a736f92d787be79520103e0f0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4084

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1132

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2400

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2508

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5076

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:376

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1488

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3844

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4048

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3240

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1660

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3708
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:4840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
73271c4bbf591e4dc5243442372c99a1

SHA1
d042e5c63b88dc27a8819a850f8aaadc04d9c26a

SHA256
29f1bf233dd8179761fdec10e37745b2dc626caf7463182c38463e8233ab9067

SHA512
3b2566cedec2297905442c0e37f435081fd30e8572eaf9e536d62c84b10f79bdb9868aa1eb17c0d81f7fd687256ef113b81c7b414a082721116a41587ec0dbbf

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
cc1e796e7a92a52b2a127f9411858335

SHA1
75ad43cab9243bdc916fc8f9a13264fac6046ca6

SHA256
bd13f8d148f9e71deb835ba7b3fd8f6b03742943b16044b0484ba1f7d11c91f6

SHA512
d6351f913c0ead6fa83b289c8e6ad8471fa939f48fbbfd3f6c5ea18b09a8a434a8e1d5872c983d2966dac8a60db44847bc829a1023fff9be77385342f058f108

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b23e0a2ad2006dd4905d844a6144875b

SHA1
c450f0db4a34cbf942c25d5b22845f14eee68d37

SHA256
b8ba25ea0c6bdf3d06f43bae058316ef33a79a82169c3f498e439b6db2a8ecfa

SHA512
f59891eff0f532c044d08823c4addead5d11a4ccf285a13e1027259e0acc6a48a7f674ec012f5068b7a0761ceae2e6b523ee764cf198b5029508d96068da4669

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c964e943d05ef2450b8417e4ed0e565a

SHA1
98505ecb9aa359def3ef504da7c06d42157e47cf

SHA256
00e0f2a54801383aca726e0e06a4371095cdec18249bd2b38e8d7c0243f78cd7

SHA512
5b14e7ce08c267e6291cfac298d5de0f8b3829f74933565675e6b476738f55d79ecfdb1c2cdc9df6e9a6aa648831c280eb9fe58ae870be01d4d8edc96cfe7405

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b56d63cbf6a6011ef1cc49bba74a4803

SHA1
f3c5d3873b32c9a1b4ef6b543b3b525cb47b59c2

SHA256
f0714e71a0e36dc9f2d13a82351a22897578574e8eecef7fcccc4eab4556ba4c

SHA512
01ffbac21f71471b9b2fa4145f6257db533bbaaee8be647fd015da15eeddcb8949e10ca42935a0dc01494d1e12280d3d1ed95b02390d0cf99e7221378ad2b7ea

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
cc3e519cdacb545ece0f336f121256e6

SHA1
cac74f5cf0e6c1092bea9de577992a7f570094f1

SHA256
de438cc4eccdfaac6b696c2fa1167b8c5a80ddbec4a183ff1c5f5f6db015b5c2

SHA512
a0d43d9f8079ca20b9c5178a28cd3004fc9baa0edb259e2f1441070c6c0f3536d29a339cb43a36cff9227e4c66196186eca92f54ecf9d4d98f3c63372b4439fd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
31403efa0a1c9f08794bb1b3ab819784

SHA1
98d279aa44204d640088a776a2a6d1f760da5609

SHA256
94779facdf1779726e3b304ceed89ce424926a04696d2a276e046937095079e9

SHA512
e3b7baeb17065658aa6a2b9ff776b344777926167e33c15d828771ee121da409dd57edb3fa171237d74d68f60b4dc10eb769660ed86527afc83e1c6d821caf94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a77bccdbe6314df733f692a27b90fcb7

SHA1
cb75f68518ac2ef2a80f4aaeed1fea147f9a3d3b

SHA256
e6bfa7d6c250d4981853962aa84f06cbac73cd19de74aee635a41a31f28b11cf

SHA512
e303f232a243094579497a285cb61b2b407dca14e31d48a833d39ee8c14a50128c8b025f7eac42ca31cbd1b8e23a9f3646785f97f70cf963909703107351cd99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
57710793c9ece8a50e533c8cf8310970

SHA1
dc26ba2867a71dbb37a916c71950e64d13b44ac2

SHA256
8fdac8bac430fd69d55761dc914da08bd6a74f323b8159fcf4eddc2595c90aac

SHA512
68855d31c1f63f4dc24930ff7000fa78a85f796b904aa89bce697f5e456a2fcafa23f2b7cb2593acaab9e3725dd287d95e8e7a2c8d2c4b039746ea444ba7eb08

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
f47f5f529e31ccff6a4ac4cf80f1a7f4

SHA1
ec8a8080e1ea574effd156f81d3e9dd1c1111f9d

SHA256
0b5d0b8d03f34e9918a7995c13d117271ea075af5defec9744a42c7a42aa243d

SHA512
99855cb20a34422dd24f3638f91e46893325a48384254ba83aba5176bea9cdf90573c6501d0a25dd633db32a8455de221c4ae62937693c8d8319e3b1f8b773a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6028574d73c127f9c90ad27685b9eb76

SHA1
8669a997c028c022889fb5cbace3b02b5a44b80c

SHA256
6d182ad9307e59ac0e95a15e2b60ac50940c0d62cb5baa8bf6e32a41e3f729f2

SHA512
9691cdb97837a5c401d8d46693e49a2479eb4c28b9390d2c367be848577abeed60371cc7c133530855a64920e4c8a47afee88c928b0ffca0b9f00715bcb04c3d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2ff34503f76c9e68ee9d2f4aafb337db

SHA1
02cec1dd45d60d6f2652c50806d5d4db54af5673

SHA256
45c5e73e376641f7a88a85b61ac6655a70dbb0660b5312b03d5905be31926555

SHA512
fc4d08ab4ed4483c740da154c53769a11066faa4663dc53f9d90baa76b32eea665423d6a8008b1152076d6f309f94fe99310527ae107dc14eee880e3b1751135

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
306c481ddcb04bcd82cef72e82bf9bb7

SHA1
ffe49e83601f944c22236aab0a1e2b7ee9b861cb

SHA256
fabb361f925b8ddca0f0b59c43b907e6b15d37aafa8c316f6d52895b72b7abad

SHA512
cddfe2a1c48721dc8b64b472e1625a421f5f5a8183bb77d8e3b17a84b24565e2f84f84adde040e6fbffdc66e95878ec4ff35627d4096879262746fedce2ae363

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
e156d14cdfcd89ce3008a31348605500

SHA1
4e79700ba0bc74b61b4296666e6b109470f6d47b

SHA256
2ddc964b6da1c3330339bf12bf2523f48a9d56b54a7231df2e261f0c7b9a10fb

SHA512
79996277f92b307e231e872433813a058d070125eaa42c0040ad8f48521273fc500145d8e48152f18ac8ba877eb8c2b3db408d6888b6c3b7594263d2a0c09563

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d335372845b62a1eb83b1a169258bdb8

SHA1
d3364877b908c5a2fb1b6ecc365ee9d0ee4b53c2

SHA256
f5cbe13922be76663bfe5d776e8382b3cbd199bcf6cb98fbb0e3813291dde8f7

SHA512
f7c30054c581615638a2b8b136b8b099c974b2bf678bcf6c5bd926470e90a9940eb268318ac8eee4dbbdac886f248a8849dd4d4e20c21bb0a0d0eb2098e780f1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
90606782197fef5cf1867ecc55edcaa5

SHA1
42ea4c81b4f0a99e44b71da8a2a8971382009ba1

SHA256
7ba29373cd5839d555a3e232dfdc03061b09772e82cc533308ea1f6794548ba3

SHA512
503d6d14e3f9154f4bba0ef7ff64b44b340112d1088514a682955fbd378fc16eb5e4ed38df98392acf55cd45663212d28efc41cfe773c6237ef9c18d1b8553b7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7cd34f770ab6dabcf5bff34226380656

SHA1
aa86ce6cc5db7836570a6e4a1daf1057f9e6ef86

SHA256
f2114b29d3ecc3b0e68c87e1dd14b51bb7e8403ebbb35204b28da9366a2c76a5

SHA512
ea17eb1de9265e48d44f6a1ee0fdc20a85be18b17f821d3395eedeefb54641378df16f8d87b9bd272d3bbf9464a7c46f55545e410bde171bf5e638c7cda7d71e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
944d08b0a52e2f4c9380fe36b014f5a5

SHA1
5ffce705f86fdd64b4d105094480f1025aa21736

SHA256
c5d02ea8383bb4ee32c05eb374f194999fe65e71caf6a9ca3301b0798c25c695

SHA512
67f07656dd5cf12d0a4a94434c523f0bc470b64d0f5acfc6a8d39f29494339458620f81224dc98f11df6eb8a820adfbc56643e471d94eec5686a0e077cbb9e3d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
aadf764962693282cbc7be3bae6a88c1

SHA1
cb43e75e6d07e06e171c23f3cd67370bdc4857fc

SHA256
4971686a41fe6914933ee9a52754d7ed41dab45651f300f00397c7ddb1c591d8

SHA512
f31767cbe384a74ee80128823e6fb8b7589371e12da551ec9030d1e94eb9c48cb61db4bd97594ebb3aad1ddb594a5f49ad5bfd45bae11e5e671de1e709d9ee84

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4259c8a2034290ce2393a5a2ed4ab9df

SHA1
994e2c08b4d5cf3b395ca47b6d101f3c6baf890b

SHA256
6e0d2ca371758c49b3ebb8a642e4208c36a16f6d1e293d87037a81dcb7b8b56e

SHA512
46be068719fb8ff9952fa48dd47134b1e74dce1293fd498a14fc36c6335d2544b14a6ac0c31f49a0beecae81783fe1161e6c6513322d70a2aabcaf84c4078697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
98d83b90b1c64bbccce1453c8ab00344

SHA1
dea95dcc386dabba1e76b05b32ee6e88fddf51b0

SHA256
e8c8f03f43032e6db7e62534fafd311f2abfdf79f3aa08421ee5b2aca5ca44f9

SHA512
b6ee20ae5d4fe22e19adc7f7c9f76ceefab9bff6bbb79e1be1bb1f9a3a244732b889b7f0837b1659a8d361f90be1900d821b5d07a1dbbc7efd76c69b4d6f7f88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
30d492da09fbbfbfdb1b27ed65ffd1e1

SHA1
1dbf2bdaf391a8722b1c1f4be9757cf0c4223a82

SHA256
16f09bce10344ebff469680ab2282de846a2325009c19692d434cc939cecafdb

SHA512
4e5cbd79de65ec00d389f21af4fe3c35d07d9b19526af9da1ef98d0fe884f51fd6bbb0b2717b251fbaecbf43698d44b8c99590d09ac8197b05b245739db0ddd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
edb4994146787fec4124faf04c7afe6c

SHA1
6bbe42ad5be0ba63e04745c392917cf64b8ccef5

SHA256
860ca948e0333ebddc9c6f9338f5f406c9bd5dccc089d3319cb59a34cea2c223

SHA512
93da8c24d0868ef224194c056f1c944572b443acf3f705b2b0f2ecd8e003d8bee122db2890a2781b8f46525322212211d277be0a9a234fa753e2e6b00e266c66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
22037b53c23888ffaa6cb9b30218d2de

SHA1
2c495aef0e43278f5c4b8b8a5c7454ec244761ae

SHA256
d42e834f6c5dd4d94d68f4a90dbd2452c3c912b8b45fad22906581961cb071ea

SHA512
b2182c73a3af9d8695f4159f66e5eb5ffdd93a35e518d0a653473418b76fde2748566dcc61a13014f103206911599bfe097b06ee9689655de696557a8c4d9cb5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
3e2e32365ff943d94e541645432bdfbe

SHA1
4e2980c671a729ae4f915fa8657ab4658ffe05fd

SHA256
ab7b7b9b51d1aebb1eb28dae3c6f4934660d8e794b1f9d941bd8fa27e38d56e2

SHA512
b64a8b289bc0b249d020e92cb659f276d2720a46b319e81c7522bb8f7c489f278f5129d9227b4d7d704feba943c1dbcd7f59c18ab69464b2f97cabdbaf71c07e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2d29eb406a90091079ef678eb150dfd8

SHA1
4a128e3940773c7b52282bb783dfe0b897445d53

SHA256
c2a919b5873f61247cdaf8a122034b76772620e4c151570751e4416e062a69e4

SHA512
027a63621cf73c7331691eaab6842badc226bcf6411183eb171c80c315c1c4048f407b81b4998dda97bb5dee69ff287a5faee0014c1a1d6fab08bc4480a628cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
62889524861d28dda4163f1ad955b038

SHA1
c00d67e4d756f56a906011f7386e68e45e0736bb

SHA256
e3f88d8dcc4ef459995b57b37670871da836520838c18c0720880a6fe724a819

SHA512
b055280780b3942ceec5c848a3785e32d4244f983ab5d33cff9911ae205095b19278eb13c425c6d6f5a5e21dd2c365d830f9215f6711b20454471ae8d1a0f7e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
47814981ee482db344706c2d5bddb81f

SHA1
9058830e65ba5565796c7641570ee48cfbd43d8d

SHA256
09f2f31b2721dd625f4200e9e77c9251e6c195951960e790ed34b457f9e58df4

SHA512
142078a13f9a323a32ae785b1c55c99512ad95627422c1aac08243fdd03353af6efef203c38a6e9f1ae30561f8aefab5d62dd760f7d834802fe9c756b5a92d5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
900ae8344ce69395adc120f8aef70162

SHA1
5a1d300b2b2c729c0500adfcafbeb3d51fbed54b

SHA256
765d85a0558de456b388c923caee987e113d8839788d905b2ffaf81cd83e93c8

SHA512
947cf804cd5f117cf17bed6219a3f5ecfca61236c4d45ba6099addfb4d655be600b32d073c8cb1f16627ff524f3b0049736d241a250ccd2515885d1400f47211

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ce54ede82d80ac4ffca42c57e138bbe0

SHA1
e6153c6c26ff54d48ae34f92538dc5ed3a9e27a4

SHA256
54fa8fc7de84e15c97e9d83e27b06e9e13adb49cd6af4c8ef915b77756eede6d

SHA512
7b8836c7cc3fed3227648f7ce168012a043ad83490c888c62d14f46dbe014ad200d8a5763330e6f17ecf391c1660e24bf91c64a752130b2d7b5a43bf1cbf84d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
273482d0a464e5b332b8be14c1dfe624

SHA1
4c0c66c51b24e3e3d6e0b12d093009a39b68c183

SHA256
804112e30be7021079a13ee22deda6e38bb93d1c45b8d40cb5c7815e39d6a468

SHA512
208751a0c5f36e8735aeb046a3c8bb198dbe40293eb6615a38f0dea3d34bc7328a2d907fed0cff00a1272449f30ac4e7767ba1ad09d6f1243c06553a93081b60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
0d60dd43ef382a69c50f65ee94f32c64

SHA1
0406e0d10c0cbdd5f5706a7f379b368b3e52f5e8

SHA256
173444b26e4da60a4cf850ffb9fd1ae57e5a8ef4e4f95328ef4dac2ee44aef8f

SHA512
37a2dfaf21225e97cc096a5cc7bdfb0e3187ac21a4da36a937776cf4ef6a75659cce089faccff21a67f6cbbdf13a92859ccd833d47a6f4a384ab24759bded97d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f0570677d6227dc95a483c7d5bbc67d2

SHA1
1b343e3759b15d64a9143f2dbeb581127d8b266f

SHA256
9b5b59b66941a1856bbd48674f68c0e9f4a6b4ee691ff20bb82a8f04715d0bc9

SHA512
ffbbb7ee212b16b87908d7a8de3c9a9d40f93de006c126b7356fdb6a54122b23c5a1da97dd91ea9dfbcf4da8355bfecaa7f04990875b5cee1d70093b8cdf48f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
12e1e9a7469503ce6cadafc47835987e

SHA1
17a2939fd9f194a0a3f55e13e084d096925827e7

SHA256
bc743536287cd7fc226f99b24ac359362207a96b035c62951832907967242be3

SHA512
64a2d680a7b861313cebbff17428327b804fb543a220752ead3581fdd5d4ff40648f161b9d10c35aab7d3e16b77fc1bf98f691ed7f52b79d792966894e4d2a49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f9cc8b1855d3e342c34eb0cfef5acc14

SHA1
67e3f494d09ce7d7aa8c1f9bdd0e14bd81b501ee

SHA256
ae39773aae8af8c0b504b12edbe16186f38eebf0206307bd220f5dd01817b501

SHA512
61cc48a95ae3f06afe9cd3c966fd21649343e382bd0c5273a7085f3ce508641b09bbd0df09fc5d0f905a923fcfc5f8f04f3e404b0ce04e303994ae9f66a0efd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
e7a7565f27c0af64475b6bdf0b54283c

SHA1
a56908dccf228b642256b60157d5f0f22a1116af

SHA256
0be5d5d98a0025cad70b537384bb8a5993b03be154692474f8196210f61e00c9

SHA512
61371f32d9f375d372f18ff84acfb6d1c983ed6f06958e597c0b744b5d9ee75e15e69d42eaac3befe706a2f6e84534e65d30e59313605efad43b76b0394a3098

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
07a39629f5b52965e6306589938ff35a

SHA1
30b6b05f9e0570a0320c91665ad9b9d0207face7

SHA256
b4cdca6c42419c38f0a7c98fce7002697ed60f7683dabe4f17c28d9a11bacfb7

SHA512
461319fb31012d41ab2c86360ec55c89635b98fbb2cbf547c2cb0a54e813a47dd13155cd9de92e24c274bc35a725943fc8142c8c50a471f179ccb25d26f190a4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d6104f3d58e0b2394780fbae90c93ca0

SHA1
102274f9304d2d37d0746f4f693be5760c52fc41

SHA256
7cc32260d86c75d748e10dcab0318c285175331ab3dc52c1d75b4c3d8d1413cd

SHA512
97629bbddfe85eb4aaa80e7e0d9fdece97d9bbe021af026a541ffd8714f7dc27ac885b3e75b9962436ffb921cc7c61589a5fae7a4aed51fd53e77e5e74ac4572

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7199845728515fb2c682b5082b6ab77a

SHA1
c5abbe48e171fe238cc5256e2145cca70c38e694

SHA256
0cb67871189cf30524863b8db09a123992f7a311be002c8ae7cbca2e7cb5a875

SHA512
89f570421623adedf584e138f8d5f8f6d2a3407b81d5032cee1f2eb1b8b7ba43ef98fa1b3330a8b8d4fab2940f6609ef389ccfbbbe4560447d04db38c2cea3b5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
234a73cd70a9ebe4e86320aa8a355727

SHA1
fa2fc9af073f1b86d76c13878cc77d261ec96dac

SHA256
3c86b237954aed8fdcb829a44e7039eef3df0dc241ac7b1a756d86af6c9329c7

SHA512
1f5659de455a2fb907ef4a8d4b24df3e343fd833d4c7e886b7a5b193bc3e10bae0262a74b67732607799febe8ed124d62375d301b8b6c7a8dc2a1aade297c74e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
3f45c6d0ade7afac2fa70e12269daa87

SHA1
0aff57fc752d9a05ee2ed1711f74decf802d350b

SHA256
d3ace57b558d6d9ee9e3a7604191ecfe87c0281d2cded5984209a0385cc40496

SHA512
f44c3d40644bbcd6d3106cdc8c33fd572931692f1f133692657ece501743946e0607a82431f3a35985ddc4cc18c4ad4ece41a799d1a6786c86f267a75bf3a866

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
93b3d95e44c8d922f97aa3c7d8e35a53

SHA1
c0fb1647741aab852fbaf90e483b61f7b7fa937e

SHA256
85b1e557b24aadfd932c4a53034958daf4a0ab9b4e4d877f72839afc50c24e30

SHA512
66426bad7f83aac8092f6134ca726f623a0ce2427bc8473227b4786bfe17ed63404aa6b18c1287fef89e08c058ef5190f99f5c0ce48c6f135bb69319bec3dd84

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
311f3d34240b433741435549f00be5eb

SHA1
c879c0a9d736e60a8b8cfbefd9c01f8cb6f74f4d

SHA256
1711d42ca36b4a14ac3575ffd3ac2999a66d5f80d9bc3f0b98d4845537b46b13

SHA512
b1a166feb8abe0d2eeda5ace7fc4328aee62bad04a6b5d01498547ca11b047b7ec47075fbed41c5653863f86e854907bd1fdd9bc2d9aac85dc13072c1d05d941

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
93a886155ac4e2b0e687d28c0bfaa5b1

SHA1
9c869b97a444658d33ce9c11a04d8d99d5c88399

SHA256
51e287d239a5fe60d5aae4f2ef670b20a14009303fac04b3bb40e05e2a0a4980

SHA512
00f1efecdf32449811aecf556615cf4662fbce5ef48dee0e2e7a1eb9b637d5a0360b33d235898232a42cf1213047f995c2adcba7437cf0108caf039dbe4a18f3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fe93eeef99096feab301989e0d2641af

SHA1
069a42e3928688bc14ec2c156056af8ef80f3f99

SHA256
fa7e7b4fad657eed4d848409aed79fd3bc8696bd344679e7bfc3b9b272ad4867

SHA512
156f3360e87ed51d141708699b08920af88c0d8871fbba0761cee2db622264d7a9566cd721172dea6bf157cc4933c59c75c1533724521e3017140ea9968c8192

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fc7c4f4e98f17dc15e818522435ce5bd

SHA1
d6cfb1fbf9ef9949a74b003c63b2c69ff564a5eb

SHA256
99c115ab9521264a6fe3ddaf056600f7425431e352a31ac0f108f4d5584bcb73

SHA512
674bce02cf3142c56c95e73639075682bcfd0851a33e2d9f18b39f8f32494c34a66d44ff1fb2daec05d87ccda4610b7a24bf764a1ee7cf9748de402be01a4793

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
346a25a90e3d540671e714e299323fad

SHA1
d97e2264edec2e1ab67fe3ad52f79db54defe00d

SHA256
c20aaa6f0207efae523b94a530ed05468c823e1cdf8aa5d7425259a4a1e9fba3

SHA512
3f253ebe394339ad6d5f30200f64ec107c3520748a8febf8f71256afa416a4fc973caed442066247dd27764d45816d8eb97eedccc99194b0a2baa96d99822853

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
0f463365d3879a5e6f76e1e93121291b

SHA1
45d0fe9274d3ae31635b5e9cc406a43c157cd4aa

SHA256
9681e0ea1fe0d51dd1872674abfb888819da45573332aabf432019207f1cb3fe

SHA512
006df40012d65835f5f754af3e326c2c0509e7ad9e3e93748a43d1dbd8310727d60f1ec40dc932b6f99f060af50d780e82a400fa5ec2667d1f986c442951edca

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
873989b2d5e881b13bb89d4a3e8e2efb

SHA1
7c163251e28bd43541e6c5c5f17977d281c17b35

SHA256
974a434d486e7f9105167b2a53073ab6bb4070e8306cf688e21d190df913bc3b

SHA512
bd335e3944c3c762656479c4e80948418e6cf58a12b17079107c5316b65967ebf4e2b815e9db4e6a8f72f24054c5be38c11bfd602dacb015df191500a14f5f0c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
d1904d133c737c6d2ccba9fc53b29c10

SHA1
d0c66c3d0db49b507628f58ada413e887bd9da9f

SHA256
db137a0b4acad52f23248cf53b6416f17454ac54d188b9269773622e43634cf3

SHA512
1addfea45e145564a9f14bbc4f2a332143839810bd5761dbb583759fb83f966c1e7f20eecba6860eaded32ea8e23a7d1886ae60dc55d28967be14584ab3e9918

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
3e3da6a84333cd32b34f689869042948

SHA1
1610040689e6b575c20e261cac1fb81a5983a508

SHA256
eb7524ee5031581ea42f33f87b626f5404de293c54f51b4846d909a92907a635

SHA512
960ed06b0080a2dd25e82077a829fb2162b1f798b5ea74557cf87b91905c101a53fdd1d9b46c8587fa73467ac63a714e95ad55f7d44ea9110b4793c264000105

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2434458e39c5cf131505f8486164a948

SHA1
bbf68a678e5c49511ad11e0f1dd3c31b8883ea2a

SHA256
b9f229d368d4317bf7bdb5852965155114a78e093cd0bb980611a64bc0cce972

SHA512
cbf2608cc511e124474f80d17f77e0858b834a8ca19577ac265b87b20a922209cc4024051b58a6e4b318765a844df5deaa98f16c532c1cf57708819629f8030f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
73befccd5a6d186500c43f677b2f904d

SHA1
349ffcc6ab2cc621742af5ff102725cb928e226d

SHA256
38a9e2462d518986d13457b52be04618590f4055fa92004c9c829abf80ef8923

SHA512
6477be6735fe0e577e35b62f898d217b6e11e5792bb71f274b4dab1c0f2044c86301a9020f4a94890c69858c0e7fc88f63005b38706f925af21b08b6bef916db

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
602610c2a99cdf749b3453e9f9d3703c

SHA1
0ba943f0898dd74cd56ac7810a7f3f76181fecf6

SHA256
e0bcb54876c6b9e93246c1c4e22d278b61ca8f5c06fb3d1f70d7a6d9bef871eb

SHA512
52fdc3cda564238bf2d16d1b58581845ecd13a73cca3bf8ee39d418d5fc82db4e72872afb1c405fe032f50c4b3ea4f6f99dd19f224b3eeca8f8d1a28868f832e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
0d0e227c789021242dd5cca604e06ca3

SHA1
ddcf089cb5f29822a9710a4d214d389156a96168

SHA256
4a5024f4ce0be0fd5c1fff8f38f32ad0a8cbbdadda2bca7226d2f902dfe5cc32

SHA512
ea1a4536e1ee5b780c875ef01dd79a3a8187092a519fb7a0b0575123b987973ba7305a4f78e87a8018b08647e7c691c8051e59bdb1f63b683c4d8a858d3cee0c

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
35fe976e8e4f17363f2481af62a09878

SHA1
a645e9c7d894b5a837e06137fcffd432fe6d2490

SHA256
85b7829053ac621a43c90d021b3a79bc0d3be38cf067ffe92cef0e8a4d0c50ce

SHA512
1c8f9aae207c522ad87cb54ad7e5fc020b863da77c91ada5a8658e53bb6017a14e9409278bbe6caa13f3f06851429b6acc5cf88d6a92d1199cdc298eee01047e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7edc8e8b9d35b379f67d8768577a8041

SHA1
b36f30077ecdfabcf54443f7e6e5a3c462a32466

SHA256
9c774d07e6e5818debe337b56c268bbeb9a35d6b1bc563b539b93297595b06f7

SHA512
1a87e0431cd1370772ba9768180187ffcd4758265d2b4f99ffd177d1440d4465bd0501d334a15702d677c2654b62bf76af755416fbe57a10098865188383c0ae

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
9913e3b6baf2054a98dc6ea8f285c4d2

SHA1
af23f6f997ccabb2563a790e3f832bba80670232

SHA256
fced8debd1fa53bedcd4a48280ebdcb898a3bcaee6e6a47292c13eb0351c4e2b

SHA512
0aea04de16261b7f39d931297d38a0d93ee4d07a70243f9b67bb542a5578e2690cfa95d4b9e206a77ecb4c7880325733f0df6674c5537684585aad3bf9653a32

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1db82ca5e8c72655e0efdc8f1b8f666f

SHA1
0b763660d8e9210da8c6c1fc997283a738cefdc9

SHA256
79b3c983a80a919df04c36a8fc9896079de6a621dc8457b361370728dd979e65

SHA512
05f74e025299edaf86ac99464c66dc75a6629d4bd045efc59622ad24fa847b6d85fe4cc2c4dc2aa09897374a091d83e48c93cc2e9dcf955b1609768e00ea8b87

Download Submit
memory/376-80-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1000-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1000-17-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1000-23-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1000-120-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1132-116-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1132-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1488-72-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1488-78-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1488-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1488-158-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1576-490-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1576-144-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1660-496-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-164-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1864-133-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1864-489-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2468-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2468-167-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2484-54-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2484-62-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2484-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2484-65-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2484-60-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/2508-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2508-40-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2896-97-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2896-108-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2896-102-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2916-125-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2916-441-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2936-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-166-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-488-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3016-159-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3016-495-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3328-491-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3328-152-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3844-110-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4048-356-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4048-117-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4084-7-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/4084-106-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4084-445-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4084-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4084-1-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/4084-446-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/4836-33-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4836-38-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4836-31-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4836-147-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4932-492-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4932-155-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5076-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5076-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5076-151-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5096-84-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5096-107-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5096-90-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/5116-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download