ede87655a416171a3f6b3c752a80d92c061234c4539b0806398b1eb043d60ac3

Analysis

max time kernel
116s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 03:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4f67f4f081048a5d178b2407d353b920N.exe
Size

1.8MB
MD5

4f67f4f081048a5d178b2407d353b920
SHA1

e8ba367341db9f6383df994301505df7e6d4cea4
SHA256

ede87655a416171a3f6b3c752a80d92c061234c4539b0806398b1eb043d60ac3
SHA512

01e8b27ed92d41d215fbef517371cfef4d8a87246b1dbb7a4104e174bbccc0ca276ca3dd1eafe0e7d3bc4dc6175a906bbd0b3df9678b88644f3b111b0dc23a01
SSDEEP

49152:4EtnrICSooGSTs5xbX022fjBxrj3t6lFQeuwRh7IfbQT:vrICSbGSsH8EEe1h7If8

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4436	alg.exe
4484	DiagnosticsHub.StandardCollector.Service.exe
4920	fxssvc.exe
4716	elevation_service.exe
1496	elevation_service.exe
2852	maintenanceservice.exe
4024	msdtc.exe
3732	OSE.EXE
2500	PerceptionSimulationService.exe
1976	perfhost.exe
1228	locator.exe
2140	SensorDataService.exe
3552	snmptrap.exe
4728	spectrum.exe
4744	ssh-agent.exe
3568	TieringEngineService.exe
4116	AgentService.exe
3068	vds.exe
3932	vssvc.exe
2936	wbengine.exe
2900	WmiApSrv.exe
728	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\445ad6be2dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\System32\vds.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\locator.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaws.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4f67f4f081048a5d178b2407d353b920N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f67f4f081048a5d178b2407d353b920N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c0ed7965afe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b072e065afe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a654c566afe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b804d666afe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e07cad66afe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000687fc964afe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000056bd4b66afe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040ab1966afe7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080825066afe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe
4216	4f67f4f081048a5d178b2407d353b920N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4216	4f67f4f081048a5d178b2407d353b920N.exe
Token: SeAuditPrivilege	4920	fxssvc.exe
Token: SeRestorePrivilege	3568	TieringEngineService.exe
Token: SeManageVolumePrivilege	3568	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4116	AgentService.exe
Token: SeBackupPrivilege	3932	vssvc.exe
Token: SeRestorePrivilege	3932	vssvc.exe
Token: SeAuditPrivilege	3932	vssvc.exe
Token: SeBackupPrivilege	2936	wbengine.exe
Token: SeRestorePrivilege	2936	wbengine.exe
Token: SeSecurityPrivilege	2936	wbengine.exe
Token: 33	728	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	728	SearchIndexer.exe
Token: SeDebugPrivilege	4216	4f67f4f081048a5d178b2407d353b920N.exe
Token: SeDebugPrivilege	4216	4f67f4f081048a5d178b2407d353b920N.exe
Token: SeDebugPrivilege	4216	4f67f4f081048a5d178b2407d353b920N.exe
Token: SeDebugPrivilege	4216	4f67f4f081048a5d178b2407d353b920N.exe
Token: SeDebugPrivilege	4216	4f67f4f081048a5d178b2407d353b920N.exe
Token: SeDebugPrivilege	4436	alg.exe
Token: SeDebugPrivilege	4436	alg.exe
Token: SeDebugPrivilege	4436	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4400	728	SearchIndexer.exe	112
PID 728 wrote to memory of 4400	728	SearchIndexer.exe	112
PID 728 wrote to memory of 3852	728	SearchIndexer.exe	113
PID 728 wrote to memory of 3852	728	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4f67f4f081048a5d178b2407d353b920N.exe
"C:\Users\Admin\AppData\Local\Temp\4f67f4f081048a5d178b2407d353b920N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1140

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2852

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4024

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3732

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1228

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2140

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3552

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3136

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3932

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2900

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4400
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2462590d7dc7a5ec7e9931e4816c2364

SHA1
2910559926e2812e6b2d299135402ec0ff749f77

SHA256
3e02b520cf258911117c1226805dcfdbe2c25d948158ac32ff77b76c3b2be6fb

SHA512
4d94654923ce6271d7a2c1175766644e907908dd4d128fba4f46f1c1d90c1e01d60707792ab1585ff92abc5421f736555fcde3c19f297c8529f6899cc5c86179

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
1d501bdecd4a07f70d9ef4c308b0627d

SHA1
00f6ea5ee75203f131511a1ae0a4dcef67d72527

SHA256
b0f59eb94a22a1c951d3fd4891601681599e4c99b4e2b5b3ccff300e0749c213

SHA512
a86eb4e46ca3d819c34d2e85d790602c1a9d45ff60fe6ffc4817485eecb87575de28450ef4e63f483f2127af120a020fdead68b7216510a237a5748f2659f269

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
1e96eea30d75c1a04dff2ba5b0078c12

SHA1
d7a686f9b96327041d57baa30f979d9aaaddb032

SHA256
089b2b7100dc93d58e824610e0a8c724cab4f558d7dd782266872f1d3e186941

SHA512
65136cf9d8a3310e5c3914217fe454c1c7118a88bcd02aeed89fa7ab605519fcd487085de4c4f1902af7271b3087b78c681bd4a35efa9963a5b43f757ad830ae

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7067ccad352a297defcaa3c161bb0b85

SHA1
a9a58bfdb2e0fb2722e692c8ab5dfc5147f271b4

SHA256
e269390eec0e5b8ae7dff24539b6ef01e4a00a83f0f4be9618c9f73c3239bb79

SHA512
1b8ee0d2fdc2adf55042cafd5b3555523e3a6f2c5fab954f823e7911f66446b0c9da6932899e9c5317032b81b4026f279615219132ec5cc3ed2bca45a318dd43

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6d1c1b06d5d136ad76fad207773fa2d1

SHA1
dabfaede6dc6c5e3a0764a257cdbaa8cff1d20d4

SHA256
123e5be304f1e08f76940dad35a06f81aec087a466120b910fea2c1f99944edc

SHA512
96e303f28bd72989e27665323976d97140a87793ade5550e8983dcb853aae4392c673027fede78afc9e2687fea79b9a2aecf1061013db3af7987fb5e5b0033a0

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d5e9f7de500cd20a0dcd70c7029ff0e7

SHA1
7fac6814ef63a90f14dc30e7645d2952a59a0e7c

SHA256
41bfd881d738aa0b3a465ebe1ab720fcc7cba9efec517f5436540c14d2a04f02

SHA512
974f7d2ce3796042a1de4a86e1b2daf3b564ea5cdda54ae9195021bf23aa7c6487c4d8a08f4b1853d053798947172fef0257d750f41fb9c9d93b6d2aef13ae9e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
47ee1d84e2a25e13eb07503acc97520b

SHA1
4af9136103a73bb031f39d6819f2ef14c32c612c

SHA256
d2d956035ae299a675ed68278d7aaab578907b640be8baa0bb641670599adfed

SHA512
8afbfa1e5f3d35b4492f09d926714f60b220e57f07d88f82c40b6b3727648451c954b741955828c311983bd1c03fbfd921a0831096ba237b12effdb3e37f9ae4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6d8825b7fe2e74f0fba4a7c3a19fc40e

SHA1
b676c5244fc64af7d054af79f91e95c69deb1111

SHA256
c06511dd5d37d2c9ac48199885e17cca99bba87b7a2f7bbc8381c5260f25cf59

SHA512
b0b1716087bdec4aa7a408c0463a6e856f5f8ad0b3553ca59f3113986f5476fde0a1218eb14e2645cc64f141d12a235ec04ec207fb8c75205df4b8294b1316e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
9b2f33c30b8a0b11689d4082b75ea336

SHA1
ffc8796ff6488af7a21cf275757d361ca6dbe482

SHA256
3080b01279db7e3cc283b3ff03124bcc28955b1f09ff11fed4fcb07614097425

SHA512
8cee47ad047cfd6767867f145823401f5a4435a98e5deeaa3335b15c66eb27f39c34f69da0e669680e16b73e20739a631240cf438188db4cb7a32816edb98dfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
de4e0c50dc4263181a2748c449fff6bc

SHA1
850a0fe9d4c529ae7d0dbb5bfacd1d24ebc10164

SHA256
9f1b000616e7b16411f388521f232b667109d75433554fc9b294838b834a70d8

SHA512
6051f34868442a3db0e6c9bbae0b11c2515d727b4307872628338ae801eaa69dfab89e9f566bfb19a9b344c2dcf303c8fd7612f27336eacdf845d3b70a65f008

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6cd4d8889bff81c260dfd807ebf1378e

SHA1
20ac3d9f5e92349934334930e6e94883a9e652a4

SHA256
c88a21cfab2cb9873fdd9153dbc02cd79b80d4fb660b40cad5ea56d795148f6a

SHA512
250906c7204d1fba3f0dc54aaf89c3d5f5e7335bba72b1bbcb814002a27069954befa58c1c9d9f45a248db5fdf5ad720c50d6bbc43eb9bbc43f0e611fcddd290

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a8d7c2d2c619fa548bd1a23b2e21fc51

SHA1
02fceb678692c069855459042e297a260672d838

SHA256
52ddda23af9aea06341e527e8459a030931b8b3f3de3d290a94f12d31b8eb918

SHA512
c56e67c9f1ae0352a542c4b4d42412763f7ae6d26393881ba14dc35916e587112423c458b8eff89185d99db68a3ed526f422e82814fc2a4bc1b99442b44ceb69

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
605985a32389907a32eedda4ca4e26d8

SHA1
2636923adc9cf708e76e9cb22021b069f2469bd0

SHA256
e5d33c18c5a11eb9fb9aa3dc13a19ed97472bf3ec0b186521e9dafe8c0fc6207

SHA512
b73b40065c4848f3c73bbf76b8fec84d60fe235ed0ead6a5cc7f0e8c2da17498f168b08d46b03a86ccb4334bce65388a3ef10d9e11c1d2b08ce9159c66565d79

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9006152497bf41838c9775d4cfe8a9ee

SHA1
71c67b45be1381dd51c0e1d40f8a2901622fd453

SHA256
8010d826e4a13f863fca35933d1898f00060530f3d4719ffe0c4701d738359d1

SHA512
35a7181d9ce12afc415e7bf0c06dd5dd69b8d4d16b4a55c2b2914463c0b1d827d82f6fc5591001c58842a534a0454e88bbbe2bad37d9b431dca32a52c70c0ddc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
569bd3d6be369e1f2cde893251b25410

SHA1
e9229ba495af6d630438e76fa49cccbe73b302e4

SHA256
973acb0930692c251d17bbfe7f7a11f82d80570f9c7330c2ca29d8778e2a1a7a

SHA512
cb6bb3e9a50f293097e9009052a3ba2a3c2d753363684a70c45218dc363e3baa8c57c27f8563a7c4137f5236108c3e75a42a34e374b30472c2fe4cc9fc31bb23

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
b5723bba66c26f5f0b2b05b6757b3756

SHA1
c3551cad80b9f4288b8bc4067b748204f08997c7

SHA256
4e20bc5d3ca43572ff85ae00118fa6d513ecea50076cbf14d9acb9032b3132d7

SHA512
4b029f98af1fd3590a0b53eb40157097cc9a80d58033baf49ff8fca90811d41bebe7c8e87121969ae367636cc1eae8d181a74cb85267678d49328a37eb4ba19e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c688f40539afbc582c7a469d9d0e088c

SHA1
eecabefe9d831c2c96b549037c7a97169c7e7d79

SHA256
be254cc02f5b6e33df6fb275899f019ba8d2a056ac84f5020c8cf3be5b819c8a

SHA512
29d99d9c3c8c0865fbd170459fe5059247be3de9de5bd244208c5ca8dfa42efc55b08f0f0b0261f532a19bf8a526e6615de56dfd069aecc50b2281fc5181ce4e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4fc2a7952cfbad7a57e27306177773c4

SHA1
c1ea9d9cee83a5a0aa838ca553cc5174dad3029d

SHA256
cdc4b4b97b6f1fc1f26d8094b07819bbb0873370c8784d01ebf4087a09044adf

SHA512
3e72083e1eb01417ebbf5d8fb3fc1e6e99600aa21938de006d54748de86b539c94cd09577bb7dfbcff965a5fa04b13592a458d31dee146235f23cc0f0d83c744

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
68c5c5b8aa9a26fad1f3459fecb70825

SHA1
1b67bdd65a3c55efcd86400fb4dacd5f13a5d74d

SHA256
3a37b70cab6e5df9f7d83dd8b96870cd4178f453d5acb6aa104c456b2e7e7e99

SHA512
c7766e39eca9f320dd0f65bbd4972b9e891865465cd43ba0cebf8dc34bca40265e685942949edd67174708c0573be8ecb4a6c69eec208d918a531fa8836290ba

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
90518808ea55999e810bbe2cb1dedbd8

SHA1
29ff1bdb830ff1e886e8e75bce0bc2a8ea3225c4

SHA256
ccd4b623cdc87ab3290a92fdd14d72fe4c7211b1c16ac1b1909cc5ad9b75b475

SHA512
557ea3a279c10b83e8baf1cd7bd5783ecd5d7f59258199a3e55f877be5c418e0b707daffe8c24ee03531555d69448791ff41548d6f2da1df82e4fc30c3e129f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c8395a1d59a7746b3f58819ac7dc0070

SHA1
dec5a4ce4d0387b3e277f9d0684559ab5c129ec1

SHA256
dce1550574309adaaaa24b4c66377723267f79481b7e64862e51ddeb1cd188d2

SHA512
f68ee6068e90f7682b0d00f03b3681c864c3bf11366ffdbc4d497341045a85ec4ce0be4b4de6cb845f1de6398d30b75f7874a794afe9687fd137679519d4f94f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0d8ffc35e7782d1c5c620669bec0a6dc

SHA1
7c3a9b2a166694e8151ad31c6ab8ca6a48ba4f15

SHA256
2f05d5629cac4a647af12a854abbe875265d953c14f1191df3f6351c9c480b52

SHA512
6dd98f65aef9242a49f44dadc9f400c25853d89f2246055ed5bd2f08a52f475e87366fd083fc6f0385b50f6c587db110995d77213f10efa784de846bb203f21e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
3f92d59d7228938be9bfcdddcd01af30

SHA1
4a31dd3f0cd3b5f62fba57698995e73ed352003f

SHA256
0d1e7b89f1b16b215cdc54e92fcae4f08c9025bef23269fc9004cd69d2e5c490

SHA512
9c38dbe849646a713102d57e20d6d488dfcddf265047d2041642003000f55a423b9539a1772449daaa7c64110d41149c2523be2749d36aed4aadbb58c0200409

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
564cc14fd3b3a4460540e65ed932ccaf

SHA1
2890c1db5fc4012de4d5e2f98679f8aac3fc9f9f

SHA256
b79e0f3e33ee97455dcf82d67a391429f0faf85156a2a48cc7cb50afae7077ac

SHA512
475721b781dacc2640fbb76bd4c0aaee3b74c6ea1f8bafa5ae8eb6db7d86ab843b0f16932186a91e25def78f7767fa25f7c38e56aa4cb35ab4cc4d50f6e84345

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e9978206d61aff617f352f1c436ed643

SHA1
913b5db03aa3aa2273711f3897d2b7b0a36fd52b

SHA256
5b3aaf3a7d6ef27741aba7a770ebe2a216283e7e6f65cf1e7f99925fe47e1dda

SHA512
9acda8b1125f5e6605662e7f62a0c8af12fac268153b39d9386f98143d621431752381dc0bff3ac3a05c0951d5d740a0d6f4a592fe486bf6534bec1106435b82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
7f8c08fef6b0aa5d84ee67d3d682a2b6

SHA1
158efa7141634fe22e6e437a8b69085cd1e9f03f

SHA256
4d33f69a5d1f8e3521a3dfb2fc665740ad549dc7e38ea8ef97c3fae73dfe8c1e

SHA512
60b1a88c249d00e40f5552320ca32cd92fa4b8b44c001fe500f86147d25d645a90973e579176dd1bb18e710761a27c943e1df778a4f82917026e41403c469096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
e8137de45b77ca8ecc8c97590f2f83a1

SHA1
daab9444b7fc6a67e758d2599806684f1ac31217

SHA256
af3f9afe6f597f14d828a7a32545757fda5306018b4e075bc81a29f58b39f665

SHA512
df32a625aae064058ecea20407a670a3d552ca5ea3476397bc394e2737bf05504a461d8ce0414614b7832daf2667ed027f1504075a3a811060d8fed934d3ec1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
56cb32eb5d6adfe0a3148a5c923bf7ec

SHA1
ec1aecd5dcafbf02aa1882a2f092d3c192c973fe

SHA256
3e588282b3bd96891d58fd58ccbc00e78327891f0539b0543a07b8b9d0dd6a37

SHA512
f37babe6cbb0456614c2fdba51cdf76190f7f27216a1f33c80401729ca6672f429c11cd2dcfd34b02f16bac16da8e2a43cdd8e7b71710d13ec90b8c55308b08f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
b73506b245e4df54aebb6f04161de25d

SHA1
09e67bfc1f6351db11953b62fc27ae9736f1d15c

SHA256
96dbf42ffc1fca177c1ef5b5b0fc05f17875eba5d664041c253e94b9a4982fc5

SHA512
aa4825648c55372cfca37ce42aa6de7393dd2bc840ae12d5f21554072fb9a10b02402976bb19a2a9705944059c910d1b3ebe4f55dffcc1c5a7f5ef8907a2e768

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
7949fcbc91fa03705ee68af34748feda

SHA1
3d5bd39cacd0c6d4401c3f3d237e5db33350c049

SHA256
7583f7f08d9b2d7bb56e784d688ed2e213473e542edd47896b0835a1823879cf

SHA512
a6fb5c3fa726ba0b6b1e555e355756f4e1fc8ee3b23721890d2e6f0c69735eb2c47eb72bd7ec67d3fcb202ae20e47fbee41052457d40382f3a3ac3bd0ae44bba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
33b63e0911120e55a3abbbd1f3ba38b8

SHA1
f9af1cf54a40e55b18a8794ec75431cf3089bd15

SHA256
2cde2a5fbfa848ddb82ef532878124885f498657771d51b68ec1bdb68049f28e

SHA512
ebe94d327db1c206f2f965799f306a2e7be29efe38b4211064c389708e1d84f9f4b9390135df12195e0dc66c2d2bf457fefba99b3508382102a5aeaf34e79a95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
2bbf03bcb5e030a255a7f71f4b5738b7

SHA1
68f7b252ed49d87dd0f281c139020ac56fd77861

SHA256
ad4fc951d28ba6d89d838db79be1162991ab478f053945db9885aefe7f3da9ed

SHA512
1a25817257269d454faf9fdf70aa9b05b501fa1314eb09f45e521ef6d65f6fbb4ecba70e833d855e8c4be5fa548cdaebca412feae4965dc7b66ff730e3ce93a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
bc6741f4d59a801a2688b31851eab4dd

SHA1
737569cb58016fd1b593e0e79e8b0f262f1ec52a

SHA256
12a6771db9be6dbe5e2ebbc8c16de83dd29988657acf33853d3bd1283c1d5b98

SHA512
6dd64e5149d6210fa0014731923a1c055c3d6975ec6155e39b4451cfd5d3c105d8d95d93500b918a22626f2745cadddf358bfbcc6dbf69bd734fc20cb8bc0555

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
36eedef368df37e07df21c40ae5eadae

SHA1
b3ee6e823c6129e87e0a3e4339a4c0fb263f29ac

SHA256
eca0a3293f52a46a8cece60a62467beb25b4a9ace7d56a3d2c4ad1064b996b9e

SHA512
9d20e81de30d6d3c17da9bb4c9919db94a859b66718c525d025a10be2173df154e386565a79d72832bd9d56805c097a0516a9f9f3ee6a1cb2bbad11a54655f86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ad06766eb0bd7314c5770d60ac304f02

SHA1
bbc8b756b9c5699cab83304b9c445041e34283d7

SHA256
3e3e4573b9e658406ae3b0670ef3b26e51c47978e60e7a2db7bd62ada6b32c06

SHA512
2ffde6b26b955ab7b415a111207a95cef99ce0d942d96af84bbde33f2a5c90e0c9b5eed1aa1ba61583d7d41bd446ac22da57ec0fe0e9738bdb30962ee62a3370

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
890787869161b051642aab4eb64b29cf

SHA1
e101c50d73bb8768e0a5e2240d350dda4f6cbe58

SHA256
dbb02d8ab3cddcdb8f157c43fe8b5b8530147e542fa15d3947ab080bf216ecdf

SHA512
318ed434eda864009c7c17935a85a4d3991d6380962767afed9e499e74424c7b74b7e126ad9de6f4df580234f5f6c604f2371afc0de1820204c3f48ce5558a38

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
68eeb21063b6231826b9d40aeeb6e77d

SHA1
e92b3a574d316e8c51c9a322a4715ffd12d2413a

SHA256
46dc76b837fe23d01a8dd412d517368a56f7abb8fa32b255c76ac630082727d1

SHA512
aa90140ee5fea2f9e80c6471da724366b234ba38dbcecbb2188f536d753a148318fbcbf8ef79467a45bcd84b66685c06d716f9e3abc209f6831d33f50b23e108

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
17a0042216783ebe91dd5af4ba47e6d3

SHA1
878310c3f2f6cad77affb03ad2bf11aa09b9ec8d

SHA256
176d3875edb5d1dc668a9c95e489afdd5f24e9b172d2f61c9ee2fd0e0906aa99

SHA512
70689c0c11fb6be830e20e0c2a5e6ebb3f7be135dea6b368e9283b45a124b09b3b9833255e63a7ca408260bbfc05c23f3a4d39a3e9cfefc9239d3ee770e0b95c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
f629868fe28ac7876ddfaa0c4714830b

SHA1
c3136e7c1a9fa2b55a689659e592611328ab63ed

SHA256
5c2c76e37e1e8e2238caa1709358146282a5ed1e0ef852858c76414059d5331d

SHA512
b6debaacbf8b8092f9b90c48c77bdd3ef08f576d4163a9cf132c4d7b084e011a19cd47bbb2dbc8c4576ca8ae810b36077f89267617b9f02ca39271cd9b8d46be

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
be24d31ef87e862443b561b4d3a971ad

SHA1
88faad7949dd9a91f96a8472c7d2a8e9b6170b7b

SHA256
1e47317c299a71d03acc4a9dc0be2fc2bf34072f073f1a99474360dbcd693189

SHA512
37b77d099d56003d71ce55302947b3b59a5c33dfdd0e16091fb2953a99c8ee318bc13afb2d54aafa831bd25ab4a805889e5df555d68f01750699cbd4625b68a6

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
6fd500d0b1ad544fc55a86c547564c49

SHA1
237bda7abfe51ac1e01145b33a122dc42ab4d8e1

SHA256
b3e9862ed3b6018ecffd7eaab924e2da83d39696c604d381b30d72f1dfdb6eba

SHA512
9962b90e172c65fce3bc42144625633b6922f35fa1958b503984245b00ef86a6b9e5a4528a3564de3782b6b6252b3ced3709174e8e659ef6134d460dd1fdd446

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d45628a2350537dffb1abe834e90511d

SHA1
bacb33066ad3c7ded60215a4fcc7b5eb3e6bda59

SHA256
364ac9c38879afeeb7ec1ce14da2d696b5dfc3eda22270f2083a54948809445e

SHA512
01c3851186f3dd3bc5427ee19e95f7fb71b83e9f51c5aa5921708ea664162bf738d13d55e40d9d56280aad99c2710ff9cd2f63279a55455edc00674b05ef0a30

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
88cbe27217e25b2840927e050a71ee5d

SHA1
d24f77f8eb15c7a76ec86e9150cd4dafada69526

SHA256
0724745f04aac1e8ef5a305b6ce3231773a383cea0b0fc9b4eb03eed7dcbbe98

SHA512
556126ddcec5e5ca70ded11bb5325514250adf93115d1650b652cea980ffe2c07f20ac345ba15366ffe04bec616bbd8dc4d00ab763fca430173cea12435ebb67

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
e4473aed03e25f1573739c6cd0893305

SHA1
9730e09b01b100a08a7801b5e55023e1aa9c00a2

SHA256
70ea51462c01fe6b218cff648ea3e5385f253386d4b89f247d017594b0cbcb56

SHA512
2dbbdcbd4436402ff85222fd55a4b871b7d8ac6701cdce5dd1e6d56a97e516ab9ecf14b09f7f11fe8e71ee6abcbb1875c989140a1425d7efa184100dc571cef8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
855b85e2b9c3d1ff558c1790c206aab5

SHA1
b5e59c8075f5fb60d31be4ef2f8179bfb82286e1

SHA256
1302b1f79b6e4c1271c254d37221d49f030766e48fe8558f9329af3315c8af04

SHA512
b2db110830a7c48d8245abfb55536b40fa642b0626269f2cbda96090229b7d3bbd83653513d0a691009353a025a6f95677ccc6a27e656e374298f8f627d12221

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
bcbcf2e1374398d07d035621e5e50c5f

SHA1
00283de992368fa9bf78ffdd0ea31404a73793b8

SHA256
60b65266558469679118d14fb9bc3407baa2fb7fccfb2bd9f44e90b5f4fbabc6

SHA512
30faa4feae4998ea59a9d80d983720b5f560e078b57222a40ea1e4b04686b6b4e51691622ac9d6a057a3699ab5337c13aac581d9c9024f2f3d517e219faf2e99

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b6c5d20217e236915367db571bdaabaf

SHA1
fe4c701700c02a71d36fb6c3895110912a861c5d

SHA256
2c7dda2553d22b96c71290873c1d0807c59cff4bd770aa294c4fbbf059ea3172

SHA512
5f2b680acbeb91d11246f6aaff0a997540cb8ae48916744ba5ff3be53b10dde90f31eaad4111da9124d26bcdccc877f4899ef69992757d141f77a2b4995f2aa5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
892142133fea645ae76b624cf6ff630d

SHA1
fc3c9c5a8ea2e22e3286a47b0efff56d42bfd1f8

SHA256
65e41422391bc1619529a19586c4277096284f983f17f786fec3bf90fbbc2763

SHA512
ac9c0d8fa0f45b7d3e806988caaa491ae547604c8339e7a092dad50312328dcd121dad07f755e78ae5d78b422707f2f99b3fb0f3e0a21f4e439aa7801c74dc53

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
b6b85fe7aec36e13063159f073bbece9

SHA1
e9319ab690c10b68a3acd27fd3d57fd782b32084

SHA256
98e980900e0228c8a513a418440039a25b13fc6397f8ac46d82dc0061b1cc3a9

SHA512
845e5a4efd7523949b48242bb64fdf7a996532294b08af27301c47b4b05e8c64d0a96e3d50ebf9441e9c08c65e831dd669cd22677c618293aa064b2a35eee73d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5356400648294d9a667ba25a4d438930

SHA1
43f0adb62b036bda815d53be5d347ad2c1fd2e2a

SHA256
04287362c31007695dfc5213f0b506128341bf7930789399207163ffd6bc5ae6

SHA512
77b60b3fdcdbc53fe2fbf16094c49b9dacac524103d13e5155db508bfa5692304e1b10976fc1d99473082ff5a837619e6fb20aa96b14020e7ea9ab55fe343727

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6b5279a94f83146659855819c5c08ee0

SHA1
b540be4b7e617609b987bb7e16d0bc6e41a57569

SHA256
f20b137c2af3b59dc1d112ef6f2012347a60c366ce7602d8933445d84e252932

SHA512
fd3c79a990c8c85bc459c561bdc0d244522fa0a87608635feee806c2b1f7498cd521a2b38ad4851f859637a270350f00db1fa7046f282a6138dfe3f35a959b7c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c38a196769f71c17f99e19dda71d09a3

SHA1
c696e2b769c4b2400a1bf08fc61cd7df7e4f3b3c

SHA256
47c0f3db5fc6d00735183bcad90bac08a2ea7ef25d283e470e62e74650328db3

SHA512
dc55e93ece488de29f4aebbd4764ca48c1bbd62fa3f2d189ac0cb543a599b4c7e563b1c23653de4084c1982a63d6c9fc4932fb0751ff3cb1bb7f2bc56a30db6e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d936f7c06a86922a3e93f903fa500237

SHA1
0fcfa809b08af76bd5e6838a70e780884645134d

SHA256
4b6eb3fa07ba23468a8c7fb47435dba941c2e4b7d934497ab508f50486b15c84

SHA512
8c3ed3f79bd9c214346717de6865023da1217f898abfacbc142137028c9ce48c4cbe254f76c56fca054bd9fd1fdd907fbc9cc83a293e10efffc530f56bf08711

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
207d9d66578875be51e2d8164566b7f0

SHA1
c596c2235ee40b9e5010b5b3331de377516e69d8

SHA256
9e7eed849c581ac0c212ca61c4c4b3a6a9974708e12c96cf85f0263c8b62a3d7

SHA512
a18e8974668dda1763e169e2cd9b00ca7a3bf7499913aa2c40896992fec72862e23c4397a2f1e45a8b97bbc8af89d2417c5a8b3f696278fff91829929fb987c5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
664552d163a3c2b03c1c9b317379acb6

SHA1
eef22d9161729f844ce7d7d46db6570d0dd173dd

SHA256
ab4e2b8ad9e48e9dcaaba0a30f57291e6b2e02defa990a87c3641c4b982c7ca8

SHA512
731fe71ca7103a93cb176359b04168b745284f6c9ad83afc0ac91bb6c58c6e9a79470c8851d41e82add2e536e50db4b664d1ac45cd25f91276ae063562b40fc1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
40cef2a55c6a40845ec71692cf946ac0

SHA1
574f1983bad447de44953a24921bcdae1c1a2ba9

SHA256
32ca3ebac63090dca3e0bd41e29a751e370d9b3bf48296894235b9b67ebb3192

SHA512
ae7d343c17cdd68e779765ff8fd7d47659a3929c5ea9e8bcbba16b94e722649493b6f133838a40e95435b4a15064bc88faefda8bdf327875b8bf6515ac0dc7d0

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c022fb3513d44d398ef098e106bbd881

SHA1
0581f8c6cbfc873a7b7e0ba296cd004c22f36066

SHA256
2da0ebb5fe6ad8d12b60232321d7995a9a6ae95f48d6bbd40c7099498ccf24c6

SHA512
4aadc50fbfe2d33eb643aea698ec2167190ed7aa1f48a34ed6a990505d188706e28c7ffd9ae20936b6f5b40a294334c7ba5001d5a57c62aafd8f8a881667db7d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6344992548b87a7b6eeaea0df7940590

SHA1
2276e3aded7ad9e98755b7cd409c49009e90dbe4

SHA256
1bb3af89bda60f4a808b149e0b83430be3aaa825d0b3f662025e0632acc11664

SHA512
c71f7c6afb99257498699add50495e0537493414e0cf205aed3d61177ea59a4417ca966fef55f7723adc68bc3b8775fff674fdbd2667e472daea94c0a5395915

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
4a6b4ba27c3ec5a0a03cfc6f5f70417b

SHA1
d9b28b62e8a9ef17f0b5671b16690b645186c1d5

SHA256
05c4088aed1fd0d6df45ddf0e4e488911019c14d3cb51c5dbd5864941422ba2e

SHA512
f1398f5c65b15765f3077e36e4c4682a3eaaca468a354bb0943c44d1b961b820b1f73fd10f5f705150644a87e1672fd4ea46660f595eb2f1f3b7655fece059a4

Download Submit
memory/728-577-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/728-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1228-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1228-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1496-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1496-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1496-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1496-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1976-129-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1976-240-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2140-569-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2140-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2140-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2500-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2852-81-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2852-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2852-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2852-75-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2852-85-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/2900-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2900-576-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2936-575-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2936-241-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3068-571-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3068-217-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3552-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3552-435-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3568-570-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3568-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3732-216-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3732-113-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3932-572-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3932-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4024-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4024-90-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4024-201-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4116-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4116-202-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4216-6-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4216-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4216-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/4216-0-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4216-73-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/4436-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4436-13-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4436-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4436-19-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/4484-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4484-33-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4484-116-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4484-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4484-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4716-54-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4716-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4716-48-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4716-168-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4728-480-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4728-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4744-566-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4744-179-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4920-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4920-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4920-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4920-57-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/4920-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download