0084e14ad319f3070a97cbe642a771a580aede0e904714fe533ee9ea0fc25dea

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 15:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01af7d0a498c0403775c3071d3a66940N.exe
Size

712KB
MD5

01af7d0a498c0403775c3071d3a66940
SHA1

c858158436d236ba0f8a3a21dc6d96026b72c485
SHA256

0084e14ad319f3070a97cbe642a771a580aede0e904714fe533ee9ea0fc25dea
SHA512

3eab77c041e8cb006e37a265a9dd29c3d85c6a5263b5b34f41fbcc17a77d1fc889124f762b98510fec13b1fd7bbf781efd050f1fc540b9883566f37001d3523c
SSDEEP

12288:jtOw6BanIFjKN75dLrm+lLC8VwoDOi65D00gpZExy7FwHET2WiKjqII:x6BzFmR5dLrm+08VwjfSpZFwkTfiKjqD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3172	alg.exe
4792	DiagnosticsHub.StandardCollector.Service.exe
2028	fxssvc.exe
3436	elevation_service.exe
4664	elevation_service.exe
4036	maintenanceservice.exe
2716	msdtc.exe
864	OSE.EXE
1356	PerceptionSimulationService.exe
3704	perfhost.exe
4564	locator.exe
3756	SensorDataService.exe
3624	snmptrap.exe
2144	spectrum.exe
872	ssh-agent.exe
1604	TieringEngineService.exe
4456	AgentService.exe
4692	vds.exe
2724	vssvc.exe
2376	wbengine.exe
2456	WmiApSrv.exe
924	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\locator.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\238bc487a29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	01af7d0a498c0403775c3071d3a66940N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9F0045F-21F2-4700-8EFC-E6B49ABA2A8A}\chrome_installer.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	01af7d0a498c0403775c3071d3a66940N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01af7d0a498c0403775c3071d3a66940N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000682402498edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef1f1f2498edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082aa092498edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000764f6c2398edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005f86c42398edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000535cfb2398edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000011eaa72398edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ea6662498edda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5dedd2498edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe
5028	01af7d0a498c0403775c3071d3a66940N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5028	01af7d0a498c0403775c3071d3a66940N.exe
Token: SeAuditPrivilege	2028	fxssvc.exe
Token: SeRestorePrivilege	1604	TieringEngineService.exe
Token: SeManageVolumePrivilege	1604	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4456	AgentService.exe
Token: SeBackupPrivilege	2724	vssvc.exe
Token: SeRestorePrivilege	2724	vssvc.exe
Token: SeAuditPrivilege	2724	vssvc.exe
Token: SeBackupPrivilege	2376	wbengine.exe
Token: SeRestorePrivilege	2376	wbengine.exe
Token: SeSecurityPrivilege	2376	wbengine.exe
Token: 33	924	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	924	SearchIndexer.exe
Token: SeDebugPrivilege	5028	01af7d0a498c0403775c3071d3a66940N.exe
Token: SeDebugPrivilege	5028	01af7d0a498c0403775c3071d3a66940N.exe
Token: SeDebugPrivilege	5028	01af7d0a498c0403775c3071d3a66940N.exe
Token: SeDebugPrivilege	5028	01af7d0a498c0403775c3071d3a66940N.exe
Token: SeDebugPrivilege	5028	01af7d0a498c0403775c3071d3a66940N.exe
Token: SeDebugPrivilege	3172	alg.exe
Token: SeDebugPrivilege	3172	alg.exe
Token: SeDebugPrivilege	3172	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 924 wrote to memory of 2684	924	SearchIndexer.exe	113
PID 924 wrote to memory of 2684	924	SearchIndexer.exe	113
PID 924 wrote to memory of 3292	924	SearchIndexer.exe	114
PID 924 wrote to memory of 3292	924	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\01af7d0a498c0403775c3071d3a66940N.exe
"C:\Users\Admin\AppData\Local\Temp\01af7d0a498c0403775c3071d3a66940N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4792

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3652

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4036

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2716

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:864

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4564

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3756

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2144

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4692

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2724

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b6324733d1dfb376e29ced08a601874f

SHA1
55e911fc14afce8add183878e12ca6cda9345879

SHA256
ad661ee7d17d7b1edb2b619491bbdea2b960c99809bb09d99277df2945736c5f

SHA512
507e407da3057124601c81663828cdbe5e71ae1f15fc20b9403d477dc284ce2b36fda4c454d51f2b101a40778dee3be7ab97aff4bb1fabdef64132e410d2298c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
784795aa2bf3e7291ce546ab9c388c5f

SHA1
ee59997c1cd0951119c0f95845fab4ae571cba70

SHA256
8720597354a6c709ef76f7d1a8cec14b06bf593e4d9c0abca143cdb51d5dd465

SHA512
8758382b666684c25ec06e872a379b3857b5e2fed0310af9a03a6656d8ffe5f9737cc2ba377fe701be24e9b531ed1d954d0f924f2ca566202bc172c7d295fc16

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
66389bcf483b994e096c02ace6de5f15

SHA1
f98428d7dd90a48a01688057cd01c35f8533fc65

SHA256
d0d594294ca7be7984862ae0f7189e40b9fa1636470362edd58a22e967f9e8c8

SHA512
24050a27f9fdc672f87ec50fb177eebe54ab1f18ea68ac0238190e05d292245038932ee60b61fce261903a2539c2166a5e750941a5b2fa2ec8e1faeb82773857

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f7531ef22f55bd17aefc7dfca9f43485

SHA1
1e8ee951d09172988a049803520a97dd16f0f1e8

SHA256
6eaa0e20b06e2a38c28b25888b517392e359dad7d03288e88977f3aad189a8d3

SHA512
73da1f9d1a240bc54eb0bfcf06285627f7e2c947df375aa565a4d5a92c6c70f4a2d6e97dfe7ef1a206711f2c279b1fbeeb263302e5a9ef1966e5c34ecd705abf

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c32d36d2c32144bfd6d140da25ffc812

SHA1
0a010ca40aff8030636705c78a67bfedd4737889

SHA256
6e25788e3da914baae6078584ed496521f14dfc5f4ac0ed6064c957771fdcbb1

SHA512
1414b87b94cd8cb47cd523661444c82eb8a31e772da33b59db4877a0263a0b0343cb9128b9dcb96ee96fd88e00acdedf900aca92585edc56b88c48de6f8163af

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c1a84b5d8951497cb2d72f82cdd9d22d

SHA1
c8ec85f85b76cbaff6c2813e10db677f0d5fa7ff

SHA256
42e6f60ea25f9562502e1f96528edf4462c9c203d74469cd14d94a20675725e1

SHA512
975da84aac4999682b3eebb1bf507c1e724b576862c427c0661765eddf2278ef8f388a49b270d82b82a2a58d6055d813ea6d8c6ad466e3529131b140e55a5d76

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
937b4be3f8d978b7077d758502443979

SHA1
fef139e40249ab2b1d94c8671484127920715ed8

SHA256
9e6b69189b1f789bce382b812448debb0dc4ec0a905925f49590174c0a6ded07

SHA512
596cbc46909f5265e9d3bd72b0c7ca7e0bc48d87fb0b933fff9273e55ad2df19c1882c5c81717c0fd4ac085aab684ed1bd7b357e3fc302ebe32494f5e50a436e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
1f38d831fe3b31791c0582118adfcc4d

SHA1
cd1f28238737522f0a514433d7e8e319949e21bc

SHA256
8472cffc65230008356f308b443ed82d355560f142df531038bf144dfffe3b83

SHA512
1ba23d9c999f45f4aaa08345863209c063f3645a60100c3aea27089c93b06142d1d350821490a83ef30b865921bb4237f498a108fbf1d92312245a0beec1411a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
54894a27673e905d3503f9bd0ba3f47d

SHA1
20df0b608ad3d5f4933df3ead71307eeeb1b3958

SHA256
a2b7e26562e67ab0e948e7cb3f63b59afbb4f70ebe6b6e659e13269fae243c16

SHA512
c2eb99aef2915c4bcfb6e5e7b5b9c31fce35d6faf6ac56093805921493eea3e90731db25a8c367d06eadf887341f47444b088e66e0509a440292bc7c542ca3b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0b809f5d0aa0bcb98f9509bf4d16a621

SHA1
1184a243931c7087d4de0d8cee83361cc81269c5

SHA256
1b3a0e42e5e925c12df3dcb9e365130edc846dca826d7fd71e4a9021f4092e41

SHA512
3a36906a08924044602775615a4e7322883e8ec8859311e47ef89c9d3d1f3d3ff83a053c0a0a11e6b543ae1f78cddf8e5495ea46b0bf24bc4f175a09c209a057

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fcf684241bacef8b33384f0e7df363bf

SHA1
8803395d9b5c0908025ddafc4874ae4cb1c8f470

SHA256
b358b1b44ee1557645ee82fdfd00afa34a9d609a7c41f52269175d0de84c74c0

SHA512
399b152e281007742d0c2ce40dd861202217f72ca607260830e1cf79114f9f3f18d6db407a247b51989b3bf969f8b9f63bbf6f2c51be8b2f1f36875fa5002221

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
7c15a67efb3110f8c890c751de3f6a3e

SHA1
0356fb1ff806d086f2aa21e82f8efebfdf8e3838

SHA256
e61d370b626f3a4c54bfd417947ec1ff3d83dd70a03c091db6f66b60b71cb4e2

SHA512
980bed4b43c919d1208368543c68bf68cbe72a1665dd91b6e5fb717920c03892b6fa612978f420fec1bd5734611270e451ab85773a6a45bf90b5e49e3db6c926

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
3c4aa5ce77a6020252be475b36f234af

SHA1
9bf1c785177a27aa06ddae7447c8db642197adbb

SHA256
fcf31e91c2d0b8bbd134d9973ba5e8dbd51a45f0cd18c4665f8e84d64285741c

SHA512
6b4db5ab0dbc714086c9e9e118258219470837d7523fd3731704ef456aef03d4ba6375d471fd914440e1f3dba223ca7eabfc71ded661e4f30e84dd928d0be5d6

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8838ae47313f30e368149cb519f87143

SHA1
a05c806eaf8ea6cf9a3fae9f45bd91c08c49c0e2

SHA256
be3cd7b054f8b37dfc653badb72272a45212a9246669fabb21433ef1bb366c08

SHA512
ee75966be47b2b6be2a84b02f5245434908ee50e00f13c28c34a7b9a652ebc804fdd6369022869ef6a04caf61a204f0fe7c29166e787996b602ed2786c0b5b1e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
300d5e3be4bbae29e2aceff69f5941d1

SHA1
51ebec9dc5ac8a7e2fb96be64a4c8f96f6028a2f

SHA256
226d830f3ba8351fa49be7121b65c456cb78a4563ec0b71acbaf0e0e2b724784

SHA512
9d0922cbf02d1a7d2baba823edbed6d6135040d8d4965e187574fa69f471612bfb48ce10f26997849a65990e9db88b55ddbc51e1d9e5e77538c6799bfb6572f5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
29a2609f3f249daecf0c372bab038cfe

SHA1
e7a90d8487668d04e93649ef55fee52310d01e7c

SHA256
0cc8e2d866daad3762ce057a6a1ae3992c09f472792c03d269720c3d5cae3baf

SHA512
de35be62291f36f11dc270567aac28ec75fb49006c8bff91ae3c2d90dbecab3741dc55cbf871bf40fe4b2497ac1bff2b95a58f1ff32acafb272dd1f7c3d826da

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
450573793f0a4065bac7727f65416c8f

SHA1
5b955dde0f7dc38aca5469c83d5452402a965e01

SHA256
476bed0845f0c2691334abe84cd89cfef7bb0e549b4a0646468d36f472517224

SHA512
869f61f9cdd690ddfbc6c48d8cbf46c2b710464192dbf78be23615b09016dac9cfcd33e1baabaa9420b7d7cd87ecd173a476398b1b273e054cb7afd7785f7d30

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
4092c58f7840a24d9c88460ea38b5af4

SHA1
24a59b655b188f683e2bce610ead3d248de17dee

SHA256
d5defab5fd089b14a0d856cc8514cf383ae7e64945e04219151d65b7e4b1dbcd

SHA512
6cdb06df46e43420058e899a1c5517d40cd8115fb1f553a2ddfad5d5d580f800e2f3f2dc1acca5685e3b60c6d9f330d62730961eabe68bbc3802bf969c762242

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
115aec7031f607eab5e980b8acc114d0

SHA1
123a3ca110f1629e1f73c3bde574f3841475137b

SHA256
4259644efae023444fcdc5ae5e3c826d428de5f6fec741f65038a77b0f5a71cf

SHA512
78f0b7ff35edbeb3df4dfbe0ca236d9fd64f31b7799250ee28133cf924d551c1242b7d659831f21b85e7ca7acb309af5d5d66ff30c2e41269eacad9c04f81865

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0769158c5e07c31a877eeb122eb95461

SHA1
3c16892420e276e2a7fe4d9a6f49f168206f6585

SHA256
ed482b925991fa490a65abbcde718d30082729e0fb7ae50f58835a82aebf0275

SHA512
103f0e7239d22b1973ccd591fe2c1e591df2d401bbf65941e34bf912cfe59ea651947a327bd3138f331b409ca3f7f5d960d7c56247696706c4c01fe2e398e5da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ab023aca157d4b6319210364723d4834

SHA1
1c680d2bce2946a854ea0ee608e87de8ed822ad2

SHA256
78013af9d061c0f2700eaf43acaefbc6456a4c2b329364b05a2150a74a88f3cd

SHA512
80c2fce3b04ec55eb16b3e19cfefbbba5a4e427544685c136627f72400001eb10d402c7ccd66feddf6914997be9de216254a38ed696b7a248ca3f61a368736aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e8ef963a0b45506d21b50650c6f20655

SHA1
a96334484740d78d2cd140ee3dfb799ef941e96b

SHA256
714c0af072771c40c09eaab588c4636b4c0e1607f7acb26f22cd7ed8c2ab2332

SHA512
a428a8fd0168e851695ea13e6892e32c922c1f9763ed3c41bd5c332507a5b1f9cd0fae45baa139124ace54c3c6162055c3a57c5681e7ca6e3c00d48b82951ae2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
03feb8d58fa38abd1e18dd962c9705d7

SHA1
7d62cef80553f8152ebbf72d5b5c7b7df0046812

SHA256
1ecac1d6e5928ead00fec365e3dd7f3edd79f16272dbb5dae5a361843fa0a4eb

SHA512
8c5c9ddd8a95960cbc1fe5c022422ad55381fc9dea0dbd2637fd58c8e5f18153c1cb3d4bbb5873b4e79282ecbfadfd5a7ba6a2fe809947c9656fecbb567625dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
6ea0f0fd85d0aac78f67763dd27a921e

SHA1
24ffb203675db9d4c05655435e2e9aa46b725f1b

SHA256
c86f967f4fe2444aa96c985f70961bbd0f90a7d4859f407794c1fc6f9ebce872

SHA512
4203f0e1c8fb8590d37b0e122e8d07da7790960ddfdf10df71142f57c75a6f4284b3f641f826554d6807e0d72ed5c6111b53d140a65ba8d3e22f24e236e24bbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
48fddf4574d656ec04dc9e757096e350

SHA1
a50d2d789d99ba55628116f2a0caf9607680cff6

SHA256
36ba06448b37f707cfbb8a9b59657ff88a4680cf2c35fc10c20da26f38369f52

SHA512
9365121b796c00a2bebea764b22f495a98f0b49f62bfbe2a0fbd1caca3e64827c2bc9539b0825cfdae945356f982491513c11cb6a28d14629387835e1109d091

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ad8461bcbade559ac49037e74a4074e2

SHA1
e2458c750124ffb1a21cc3e63f6370fdd4e9839b

SHA256
a6e04503bb2b3138009b7d3af2ba2c5630e6880287c21a465bd8c2faa2e71d28

SHA512
57361a9af78dbf3ccc51aec60544a78e75ffbadd98da4ffbdf161f51953cea4bdd82e24c5cac7134a944b88a8df1f1a1c2983d4e2477b2a46392a99fc987118c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0a0dac99e0d35edce80114ff62674c85

SHA1
cb98b787095d5b3eae8bc3c1ab00df5921dd032e

SHA256
15ea23197acac17062fa31cf38a8912dd40a235da7eb41bead74b3d07539054f

SHA512
d31320d6dd20ee17a517682fe078ba39fdb3bc50df713a2370f7c65973f6353617c975682e62c4754ed7e100f04ed582ffb0d71f0aaf931078e516f7a86495d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
89e6740a359a02a31ac5ddf6ee23ab7a

SHA1
068a4dd6dc5477453be508c87d5171847cc4aeaa

SHA256
3d470e4edc350c4f421db5f9300da33c0828ca9ce80494590ac42d3b76be3881

SHA512
6eb8e9a0d5b0377e0f8df86e2c2b20bdd25170b942baf30242be2868123aa591592f2f695a391a159554046cc33a3de90bf65923b5ae845bc89c251afa2b4667

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
45d3a22aeaf460a53c995713c1b7dd9b

SHA1
d5e3f5b7873058d6309a389188d1b3d8dcc25d7e

SHA256
b02d4b004fa9654ba617a825af788bb547a7708bbae3d908121482d26db33902

SHA512
68ae479e2b258239b75e1bc561ae7ae05e2d5740eaa542f7d1ee774a24e4042a1080d456112187f95534831ff8e6f1f3a6e55132fa0f31185b4f9acdd392ed9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
212c93a720d5f7026c31c3714f4455b8

SHA1
eaa0d465f09c4e09680ebe0c3da296cf5ad9cb33

SHA256
3c31c9ebcf22b908aa7d52e292493139f55480fbf35d52d06bbfd8c7ab162ca1

SHA512
78039e0d5ef305f9f5c33e4e83725b06400764e0cf066723a8eb1bfa7e26d972120772ee1aaf0fe11e65401c7a643af1b4818f0f3cb40598097e1467e756f1e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2ef149ecad5b0ade814345743038eb2c

SHA1
0c686459c923bca5a5995d681455e8fe07f49af4

SHA256
605b9ef6e0f40dff7cb7166f74270f3df2a2f21e78c253fe774da08f98f637da

SHA512
8abbde10b3add9d5ca0953375117a7f34cb1bf13d4651b546b6509f0f3d32f6d36ed726bd619c2d1239f43bf5792d2efab4b325b133a7ac486eb39d0e4c38fd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
00a5444e21cef15dbb98adff04ba11da

SHA1
815d8c754310f47a7147fd2027eb21be442dd82f

SHA256
cc6c0ddbf46fb0423240c87ee4f4c2793ef732fff33b5ceab045f27e23895e84

SHA512
03f39f5e2e96df261db3216eacd3f2362ed8fc9c30a66c4314e65e0f637c375a28fb491f52661a529d4091221a92ae7fa59868488844c1abda465d81638ce004

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
9b6e7d3308791a51a8cc779feb746b69

SHA1
94a0975c4be64a66553f1016d1b897be36d7bf46

SHA256
35e115e59da795647b57a67ac0611e10f49580a2f44ea8b10ef026dd23e455e5

SHA512
e99d4c43251e10d07ecd017129217a498fff2b060c88ba8d1ce33e5a450d44789ab6cf5cf80d2a3b6d0322b0ef2147a2fa957b449bf5b385288f1cb6e859fca2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
26acdf52cb9806f3b8f9131dc90771c4

SHA1
286e2cf34c20a7b85c98e8df68dcbe5f549736ab

SHA256
4d6da8cb57c481560641205919e6b621dc08a3ec6428654465805a7ad028a4fa

SHA512
8f3a27f51cc327b3b59e3cd1bacb6d6d2d7a197b6fad99b6b3e12ddc2b79d520305e69f5df1cda59a6fa8f0098e48721f0b4603f65c85add78a2d174fd2986c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
4d0ee1bc332868a296b491ddb870562b

SHA1
a743ef042c6d2af1bdf893582a77771ddc95c562

SHA256
3ce64623024b165c06ebd68cbbfe90338fb96dc676d2542b63d395a03060a96e

SHA512
e01e1402b274602150dfef66e292834aceb0ad0b9f47f692e306aa8f98d88265bd4be1bb0009cd3ac3221512b33b43ecfbc1470afec7d1e432884df3f02c158e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d8c4a05a31f1ff4a825c590a66e339fa

SHA1
acd896f4d46bf06247541bde7ad3b984918e8bec

SHA256
d641df0f35f8897b3605224a1d8567bc2549d4e6c6d5080437716e5a7a5a2b9b

SHA512
6be8a52654e1993b01756ae8c09f272193d28c26350e0bde1cbed06dc399207b9535543fd642fdc42651ddd4da8df7af51d1857ddac611a1570be9595bb5b3ff

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
72d23e00582c759792c00eb15c038d72

SHA1
4efd5d2c12fc0ee3b32070cca672d8c75be0c6fd

SHA256
eab91d1673284ed921a42c6c9c382da9f218adcb096a4f5a1f41b8ce4cb05f19

SHA512
1e0f98dda6e4ebc16c6ac1e44032b2572d4a0ca71fad42bcfc7f186a2416ec64b9d9cc828695f9444e76de6c65c6e7f50707599ec4896cb9c58cd5f68b1b48c6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e634324a0f2c500faae1054183fa515e

SHA1
64dcc21304518f4ac98c65c480ba89c26cbc7a4f

SHA256
2931692048b1054b96bc0e7e75211a041657ec39556546e2f6d12295696d3287

SHA512
d69fb2355f3a03d9be4ca2766aa93e609c9011701186e0780244e7fb12090bef30e33cb20daf5cc6c1de08a3df67f273805f444403727a59576438f1ad0dd166

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3aa4dfdc4c1bf68e7c43b7b33b62a4bb

SHA1
18883ba25c3ab7bd55201bf69b075d773f82dc5b

SHA256
4ed36c4189110f9f4b682032e6a1d6d27387591fd50cae22fd28b5f143d9ec4d

SHA512
b672658d7ca6ecca581ea599984eb77b67cf9acf7547a0bd810e9c49cef86fb16f91ea893637b1d4e5419f904f0f2a5d6b6dcac389340166e559f1ed8dacde6b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fa0c7cf88819056f008dfc6beae1aef0

SHA1
2b200f3bc628e73fdd1c47a3c4b8f055c842e1cb

SHA256
6d74f870ce314dc14f46acf1333470d339f33cc1586eb3ab89285f07fa0542c3

SHA512
7c353c3db2fbad6c3c1562d6e99ad05ae75eff299b6ac8d73c8aa838fbc5be9e4590d777640341d73d04e60249371efcadfd7fda8906921e802056a31a36a637

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f39f2aca480f82bbc4a23abbd6d1de2b

SHA1
e971f08be7d3f382818b577016bb48eb19b8967c

SHA256
1f0785f040ead44f51a971d36763499d42d36acd439eba2367e2c008a9b1e311

SHA512
ad77d16052ed6c41b73e415d12e6f55c8cd9edad11054cc38c5f8119058850f1dabc136b43fb89fb244bd5234e67c9ddf112f498df257c0fe342c77a0f17b9f5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2d51e44c65933417d122b0050edfe6de

SHA1
b0891ea2b3f3c6c730c446ae6cb7952f9802eaff

SHA256
a7b87c4903f6faaefe3f8bb3890818324efd4ff55b0e27adba6ad6edd56b34d5

SHA512
e95b3d0f83b3263191dd3570236b262b0ec064e0cf85b7c0a0058dbf029d1a955d4cf8259eb08ab5fcbcdd0aea2f5f2fe465e683c8244e2ffd3e2c8e7d3be352

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d6bac2a4ce73fff60b27be46ed0e7e83

SHA1
f3fca47dacde5aca6af679d872b6ff4555c7464e

SHA256
f604ca30d5ee723d0efff6d43f9b2d887164f019e78f2918237d1abcc9fc8a90

SHA512
98f195d168fa01118977859ac630133c0501a39e35907433757bd13efe3ccce8c5c2bda4df7e383df33af54d716ef143bd7b0eae83109b60a7be05a994861261

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d27b2648bbd4db4e0087db280645540f

SHA1
5ef7a4bbc386ce46e8d43059d0219cf77d88cab4

SHA256
c013c25b499e194af3fb37376cc6d60c39ec01251cd170994b5b12641f036d5e

SHA512
75a0de5765f4a9eea7332947e5d17dc75f5573a560ed2bc7465ec8bc099a5cfe4def8b30df6d4f78f49b0cf0c19a58237a565985403632bd15ee1d83940d472e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
a9aa3d5e91c1bc9e3645f7cceec58a61

SHA1
e1c2f806b2cdf64bf068f0060ba12fdc4b7fbe84

SHA256
ab7f4ef37ffd8a7357c4c0949e8f5a67b8f75df827d31c5c65ac80e041b31cf4

SHA512
b7f1097007a6fac217df79b4c6b93a316f1ddd710d3ec7f1ee39632f1e9a2a551ba84921e700f747a6c02e58d6189864f6efdad3f4ef733f6a2f38b9d99b80c8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
66852ae63afc7b2ccb4cc47a6cab3469

SHA1
f237cbcade866cd8661987d0a68c876994042c54

SHA256
597883a95c4ef452c46e9a44d91e97c0a1367f8fe84dad5a42e14cf78b9f9fdd

SHA512
8ac3bbfdac2ac1db71d6d39319b8e4f10c8541c0add1cfc5c94ea400a030c75fad8cbfbe5f2bd26de36dbef6f95db12a0247a1ae85a5c2237afbfe12e2c85bdc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bead472abaca3b9ada861e8d44f5eb30

SHA1
7a55adc1792622ab2366ba455aaa91f2374a9dde

SHA256
b697e8e7920f3fbddc9a4a4464c287fc688b7afb46c1b7bd5536cdb435f38598

SHA512
d67946e6f52081d3445931f1886a489c6facabfa1ea4a4fb31c036c22aad9267b04329cd5896315d9a00417976edc36ec74d2af474694640ef846a3da49f5b97

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1e2278e42c4320e3b3072ded58582415

SHA1
0a64ca3913a131b84a761bcc51caadeb04e77d04

SHA256
8ff119ac8ed192b6ce10cbb0276d8ead20d223c47a7615d754c9b0fd99bafd4e

SHA512
6f587c10014b5153cd2c103813cb9c98132c010d6724f39d477e1e8e41658b1805f4ad95bb82cb4d8af4b16890ade3bd43e1e4d09190d4eb222b60cd8bc50ac4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9575e2ff7bb971d3c43bb674aed202b7

SHA1
1288b24e729b0f3485dd6f3f81cf6c863c34e75e

SHA256
3ee0a4ea519685456dca0cd4e4e511683bdd703e2304e84bed0799b0e586402d

SHA512
1e608a4b7530f5ac17f2a88784de1a927d0cfdfdc88aa3db0ee7365939c137194613900c0fd6adf54185f0d3486b1a5af253d19d0e7fe39084744be1a7198426

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
32b72dae7b8dba49fe9c6561058c7cff

SHA1
e3bd525305a7288e7fea3829744e97cc13711126

SHA256
05db4aca70fb06b3093cbc4ab06aef7198e19dc7abe6ea2c244290dd99894035

SHA512
b6325063bd9f87e54e2b9d58e0a477cf4f4d46fe62e0294448980294c494ddeae136e6e034602f096e1e40d88725b1e523349a786aed05d6eae9181016f94b92

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b3961c0afced717e2bd89f254618efed

SHA1
7063a0ca46ed41d4fbb47ce634a7edfe7778f5ee

SHA256
30b5d28fac7cfaccd5bab83613602082669dc056a45088611ead6f7e746b24bb

SHA512
fa70f2da87682d670cafddcb6c3a1c687f738ba92fcfd49d69f1ec39ca4fdcf711d0e4e7a827dd4ad4fa7f58d5a359656e870cefd7b984c43d27c18cb9a7b775

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ce092b5838b47b0532de3c56c572c8e0

SHA1
dbff125e271875fe6e0a50d0d7c3c98c5b922d45

SHA256
845c888d3dbd359fa937748a207cc10e8da8d8706bdf0f608f7eba62ac1495d7

SHA512
7c99005610e6b08506ed8f144fdd64f5a4f82c163d7e33e1d39424db826ea27401250cbe2fecc1bf6f554851b3e98b9c46fd1d02e8c27210915fc980f6fd4a48

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b2357ba6d66d5692101222d1fe547de5

SHA1
4843a57f44dd0f8f3b2a109c6318d189f24c451b

SHA256
03bb60f5f7365fa5cba2ef7aed7510d1477d5065746dbb1c6d669097094bf188

SHA512
032177a3206635ca5902bc674517344af0952b53af50310e1b0931a2b59339fb00670dae8c1e7e5d9dfb901ba9e0c535d690c9482a313a79617523a65cbb8cd8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
306a4629ab377ffaa3a20650554012f0

SHA1
39f0c743d0507c3baed2de38a00f0cdc8d9df4a6

SHA256
cbf868b9e66f78c6029d2289fa028dbab361b4daba989936cce828df4bda0164

SHA512
a11309e7be1022bc3bea26ad022965f441ca05751901b30d2e325fbe84d3de9f17347392d636592a0be349127d80ba9296872d4d2859e1fd804c7095813170d4

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
76d27190b2ba987ed4e8907496127b82

SHA1
2cba3f7e5a26e4bc5ff87be44da65da2f9b698d4

SHA256
4f8d68ec737f0682070ff81422a169a789a4f44cbdf1f127d827530efa032fcf

SHA512
2ab9c73c5b8334fd0f7cdfac93636183f441842ff071da1de9f2dccc4da12dee278d3436b264a25db87c6e2a5b75ff00109b6d36ad745cbf59b126c005024e23

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
051bcf474507be35625c4947dcf38cb8

SHA1
23c49d5437c686abe82ef8f384cb6f05508ff40f

SHA256
110648edec685fcace5fa497727499acb1c6739d7b2d716225c3754cc982c89e

SHA512
0c0b90ac15e91959e6cc2bd82f473b4b8ebc969bc205faecf25b48eea7e12f0ed5d60612ba46121524a4888058e1048bae6d4c44f6bb644d16aa4ad386e10f11

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
3f034acbf18e5c221e497a6158acb4c0

SHA1
0bd6820fe9ece658b050a83f842da1918fb0d381

SHA256
674ba32b29e4455bdb2b443be6bdea6802c499a2ca7e339d8b1519f57ac1ecf1

SHA512
b93acf32dff5e9f08661d408eecb84b24b93605f6d797961a94a151a717532331b56388d3d0b52a683bc6170ddac6aef8e8d88206d3825b995ce86f6f2dde273

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
f94e85e67c8783eb57914bab36be8a21

SHA1
76be225ede6606f5e649048474155cb89e4ca0c9

SHA256
e7bb6a175a58277f07c36c54bd900c7df559103da170debf4c9843884519fd3d

SHA512
76b639ac9ca2e310fbc1f38321a83c8a86dbc61c871bc3e6672ce35c4f291f0b872904879bd8b74723efe44c9d1ba2a87dab9dcaf06ae5e6183f3f773dff3f36

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7505785cf6775a6d148c009bd2abb2cd

SHA1
c53c8acb697ac6b105999e75a1ce7cfe6a7a7cd8

SHA256
38e1e2e1587e5d408647bc84640cbe67163296065a8928167adc9c161eaac77c

SHA512
93d3e0c80e4643ec91b3aa5a72aa229933a60870a11daaa669adaecc6ba0bb1a42789df699f5e96de9b768ae1d3cc589b00063b99a2fc53e47aa8ea7d2e87590

Download Submit
memory/864-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/872-620-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/872-193-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/924-269-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/924-633-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1356-155-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1604-624-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1604-196-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2028-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2028-48-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2028-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2028-45-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2028-36-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/2144-179-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2144-582-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2376-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2376-630-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2456-265-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2456-632-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2716-100-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2716-90-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2724-629-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2724-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3172-142-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3172-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3172-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3172-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3436-52-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/3436-58-0x0000000000DE0000-0x0000000000E40000-memory.dmp

Filesize
384KB

Download
memory/3436-207-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3436-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3624-465-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3624-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3704-157-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3756-169-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3756-623-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3756-264-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4036-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4036-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4036-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4036-75-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4036-81-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4456-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4456-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4564-158-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4664-231-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4664-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4664-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4664-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4692-626-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4692-232-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4792-24-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4792-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4792-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4792-170-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5028-0-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5028-74-0x0000000000400000-0x0000000000584000-memory.dmp

Filesize
1.5MB

Download
memory/5028-6-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download
memory/5028-1-0x0000000002440000-0x00000000024A6000-memory.dmp

Filesize
408KB

Download