28aaef77590b449038258f3fd0fe238433bc56077f61e17e758a581688123bee

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1593bee0529243ba0e44b99e478aaa0N.exe
Size

1.5MB
MD5

d1593bee0529243ba0e44b99e478aaa0
SHA1

ce5a5c0ef55fe767dd56d153c9ef5eb26d122487
SHA256

28aaef77590b449038258f3fd0fe238433bc56077f61e17e758a581688123bee
SHA512

c881514b32bf50a74fac117e66b116ce85aee5dd7b88531cba2a0663b6607ce664250729881158d95fcd3af219007f47e8110a0aa84d1a1e843d69c55c2d780f
SSDEEP

24576:FN8NDFKYmKOF0zr31JwAlcR3QC0OXxc0H:FNgDUYmvFur31yAipQCtXxc0H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4344	alg.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
3028	fxssvc.exe
3652	elevation_service.exe
2648	elevation_service.exe
1172	maintenanceservice.exe
444	msdtc.exe
4088	OSE.EXE
5096	PerceptionSimulationService.exe
4932	perfhost.exe
3472	locator.exe
1768	SensorDataService.exe
4468	snmptrap.exe
2600	spectrum.exe
1592	ssh-agent.exe
5092	TieringEngineService.exe
1060	AgentService.exe
404	vds.exe
2008	vssvc.exe
2912	wbengine.exe
3332	WmiApSrv.exe
4952	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\System32\vds.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\86089287696f5a03.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	d1593bee0529243ba0e44b99e478aaa0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d1593bee0529243ba0e44b99e478aaa0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d1593bee0529243ba0e44b99e478aaa0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d63fed7cf8edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c855875f8edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f4a5d75f8edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024235675f8edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038d54775f8edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c855875f8edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009e43907cf8edda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ed05b7cf8edda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1868	DiagnosticsHub.StandardCollector.Service.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
1868	DiagnosticsHub.StandardCollector.Service.exe
1868	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4908	d1593bee0529243ba0e44b99e478aaa0N.exe
Token: SeAuditPrivilege	3028	fxssvc.exe
Token: SeRestorePrivilege	5092	TieringEngineService.exe
Token: SeManageVolumePrivilege	5092	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1060	AgentService.exe
Token: SeBackupPrivilege	2008	vssvc.exe
Token: SeRestorePrivilege	2008	vssvc.exe
Token: SeAuditPrivilege	2008	vssvc.exe
Token: SeBackupPrivilege	2912	wbengine.exe
Token: SeRestorePrivilege	2912	wbengine.exe
Token: SeSecurityPrivilege	2912	wbengine.exe
Token: 33	4952	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4952	SearchIndexer.exe
Token: SeDebugPrivilege	4344	alg.exe
Token: SeDebugPrivilege	4344	alg.exe
Token: SeDebugPrivilege	4344	alg.exe
Token: SeDebugPrivilege	1868	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2108	4952	SearchIndexer.exe	113
PID 4952 wrote to memory of 2108	4952	SearchIndexer.exe	113
PID 4952 wrote to memory of 3348	4952	SearchIndexer.exe	114
PID 4952 wrote to memory of 3348	4952	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d1593bee0529243ba0e44b99e478aaa0N.exe
"C:\Users\Admin\AppData\Local\Temp\d1593bee0529243ba0e44b99e478aaa0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4344

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5108

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3652

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:444

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4088

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4932

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1768

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2912

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3332

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4952
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2108
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d7960913396920370ead8116da41bb63

SHA1
168c390fdf51b9e2492699d1803530d94c56e9bd

SHA256
68cd17892a4959038a108312c0cdfd69c1cfdcb3ee23f90826621f2e78b97c1f

SHA512
55a790cda47b29178f6c4fafb8610a3d1f435b6e92d24b2f7560855dc56833e326cbb6b0b890aa7856df2e31dfe8656dce659ce668b8b846d2b851c96affcf90

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
643dea89e43b8177ebada8dd8b83cc7a

SHA1
a854b1110fb912bebe6285d1e839aa70af0cd9da

SHA256
01b5c718be3296004a36581ce659dea01b1d2499ad3082c29ab79f9baef61b96

SHA512
04f40e4bc3e2f2f0d790c805ea6b760a7a74e9a9cb306b89f7bf824e145bfe31e8d60a4c491f37bd911e0b79b347dd6af0d3926146cf662cf35522ea2d9f905d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
2795d74e1227e65e17e2413112144e42

SHA1
2b360e2149a021f9a9008b9277a26f3ebe0a8dde

SHA256
5120162e5d449ef7476c024823989c7ff3e059944a46daa797dc1cf20d86406d

SHA512
3aba754b4c3d9f32a9556f08bc5f59efeba0d54e8bafba584573ec30bbcf4bef3f447d4c8c36b22ebe8617600fd6f0f8fbb5ab3685ae04b4712f7920988e58ce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
06c35929d936145a6e8f9a5562093dc8

SHA1
969a3ec3b212b1d202421b6267292b08925535ca

SHA256
854b4cf894c69e1d37732054a2a53b0007da53bc186e31867536c039823e4578

SHA512
3a3cd47d6b8346e9666fd71c8d91b5bc7410b6edb7349e334b1bbf9881e6693cd2c28d12710025b0ac63df62c5c522e25dc8a64af79adc472a89e8bd6de2a862

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3b91e0659bd6d3eca055b42a1944cba0

SHA1
6e2aee76adb61474c9ad7641abd4baebc4ad0e1a

SHA256
8946d969388b309d852148eb349b0d18f7e107a6ea4a18ad3e85b9727905e476

SHA512
73b5b76d0f4052b620e0a0dfd88392c229fdea3a4b5c9d9acc6d6333b5b9cb060b4755f5d2d606be94f8593a6975a4283bb706b3326147c1b09805d6597f3d34

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
74c7c757ec54502563dca030ca82bcf2

SHA1
8c1078635e31b95ad1dcf9adf00f7ff4358ff6af

SHA256
6bebc5ad937e5f3e74ce79d98c26fe35a0b3962fccf5c9700b93e4df88279ef7

SHA512
c03dec4b88c479429d70fcfe66c50e745f71cfbb1fb23801fbbf8677ae7ba0eeb8598be42a24e06f9889f11c9617985d7f23d0ab7613cc9d277770abed7b8118

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4ab298e279598089714c106551688e6f

SHA1
75aadee0fa129686b2ef14edce3cbc8d04f33ff1

SHA256
92e4404cb93808b242b6afa0bce940afbb99c5312adf8c32c0e3b1b615094d81

SHA512
9f05a9e28146fd47fb3cb05117c888bfe0b4f8be3669a68175d4c563705c808d7cf45378f541e5e53cc3575d62faa10661e2cc33a40afa7db3d1db1134b80516

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3dc8f9e8764dcdde4d90f7b9e837584b

SHA1
c12fea7e2573f46e313a523cfa88b361d1c557aa

SHA256
ec98595e5ffa72d18aabc759aebbf6b043c5cc400fa4e57284a9911ccc7e689c

SHA512
56b54b9f6493248726922b15aed4bf2be2d77aa2be0abbbebb06c78303d91c9480644a295206c117e46ea9ba68b75d4bbb104d4c66e919c009502771dbd2f358

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6d0cc121eeed83c86792bdd42abd3d8c

SHA1
036932a504862d90962ba9d5972b120663549e18

SHA256
de41a1ff800f06dbfbf1d0f2b76f8f616416e404892a77ef7a3158efce3dedc7

SHA512
338a4fd59b5d555c3650def4417ed81cd28bbef32072fd3e53a46125619dc13c265b4e58eae37adbcddc84efdb295ec34f48fbc097826865d63c4f8b99341cfe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
0995e83f4a64390471ac1899574e13a1

SHA1
2e116aaac175ea4a20e55b984c5c8254c6ed0df5

SHA256
c5faf886692fc42c5a2c5c9ddf4d0e8fadfab2dfaa3d7b07a85a0a5c6e8ea502

SHA512
434f8fc9685dcde6596309998a6d4fc0d85bd445cf6c7a46758355dc037abfa1033dfbc6cbeae6ea6f816d5c08ead2964405829e5a69ea3109c9be83a61a7023

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1fbaae2f45bc3d1725ea67626e735db7

SHA1
dc71f47dae8f3a7493f821941d06228ca0577085

SHA256
fde9ba5c2f9c3f8c9f6d47ea2968aa17053aa6584439106433746db79d6d6843

SHA512
30e96a1ed2bf198493f2fb854df837c4d66831d7433450f00bd97203c5f12d8c76a76d214e6afdaaf9d6d0ed8d523db46b47066f2feac98723809c5cd5c5f4e0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
29362fcae98a9a747632a6ce517a2944

SHA1
c8b96e5a300dc0f2f74d0dbf3bd61bfc6c20b108

SHA256
90091cd2dea6cfd3b02999e661b186fa0eff93d2a7429b9a177073bb006fe2d8

SHA512
79f5c0ca3b62f3c0d336daa6dfae0ffd7e50ec69517bd0b5cb9fc7334a41aff82456677ab91ec6e81d0620368d48e1a41dbf8576cccf13d61cd66d9c846c4e31

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
e5f3c796cd01941588da53cfd437e03f

SHA1
4495c436dec64e4017fd68b3dff23d04101e24ee

SHA256
e053f9ff69b652efae5a230782d470c5aae278e390a4390cc789078dd54b704b

SHA512
ede750786113cb8ae9c9c1107e87aa6797584214cf0b42f344580ec426a03b0636123970c45e30988c740528cf4071222ea7c35501ff2b6d56ec8f9ecaee622c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
5094c3e81d041d840162e944b4580020

SHA1
a0bb100920e894f05ff17de97f335b246aebc110

SHA256
27e11a2be5f84afca7b1abcc4161c61d590526cac637932e46d53b9ea350ab06

SHA512
0e267baab8bef8d1cc5e313abe91a69690d9df52ea069d00f5bf7e81a1b5ac51f9ebc3e0375b225bd2bf40f2c324846e4901b69938732bc7048dd6af860ab936

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
1c839280db595ca77a0b6414e4a80c65

SHA1
f1349fcdd44dc5bdc486a44b6281f6fd2711c9c1

SHA256
aab713a798a317b0a7d5f2329367e80a7580e0adf7023600f31cff1ebf408713

SHA512
1788aadf46b22aae17f6225eac568c2cac6c986996e157bb08bc8cb33499af06668a051e76e65410fc026e4547f2db299b45967f5758d4539cf212be5fb91b5c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3340431b732b1b752e0f1b4dc7414778

SHA1
f0e0b3c3598bbedd261e7f339b2720058b05d302

SHA256
4951aa303fcff8189688a08f383f6095a0cdbf7c4c192f271dbb9310a0ee0eb2

SHA512
1ebae86e13b5a2fdcfa2d95f5491e805b5c452b86a6b7cb47136bf0323975332fb4b412b336a57d7ca2649cc5468daebb5e425ce6c4ba1c08b105e10d3900e61

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
55138c8c43400157df737fe51bcb08b2

SHA1
c2e889d48bcf40598e694c2386f60f5ba530acc6

SHA256
299f76e21270bf6f8362d1bcc08bc7af2eaf53140290c33eac015003e733eb4a

SHA512
242383fae9714d03882dfb6e8f9a38084d15f4609c8e621a91e3ef99fe3843b04c48749eeb8232403c593f75ff25d4f78ce664d3b0d0d264350098fafbf54637

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
530a551cc72fe8c337314e7da602a502

SHA1
179e627c0e267d062c9adb62a4bd033a60d78e3f

SHA256
3cca9972fca85b71cfa21f61c468fecb0e97daf03588d70d773156ea4c274dc7

SHA512
95f2c3f1ee7819b3ec90a8e3d01f1cc9ea1dd7d5a1619e676c659ce3748335a7066de9b8afcb2461aec2c66300cc7f2fe2b711a9d8c41bbe17a3b680c763086b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
eb29b8f05c78671c03a8218ba59ea91c

SHA1
ee66500df3d56d85bf6e907cd8a431acea4ecdf6

SHA256
e86819363855254d926cf72430df6a92152ffe836d3a26cf13f6a3070ea7d0ce

SHA512
0a0f4ebe7f766b0e90158b8304d3e9cda3f0e438e31cedb87508b51ae4317354fe472cf756df41f280fc350c9831afee84f3f97509d32358c876304a33949bc6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
c24f47c0112813ebab26e603b1080096

SHA1
194cba9e09b79e753b616b3ae9addffc5bd42a11

SHA256
5d0e627eae3473b7430bb9457b566e587e9e27935a7e09a46dc34bfd0aaea14e

SHA512
e2533982f63a8f5ce39977b2ecc488bd35b67c224894c23bf40367c22a825651c117f7a928d833ea538007ce235f88473c21759cccb5b788c8e70ce111aa6c79

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
905626915f605190a1b323cfdfa34db9

SHA1
03b666599c01e4949b98b8a60c3b2f2363909a89

SHA256
c694be14696b7b086be3d2f4afd23a702a1525f6ab190800c6cee826a22ac3cd

SHA512
6668c15b393fc554596a8a1b971cb52159da137066159234c0f4109cc399cd3e4c159873ab206d35ae1bc1c645949760b4b119f856380671a00107ddb031444c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
618698d9956056a0eb2959aec735a266

SHA1
01dce9166a4d27050e302b4742adb7f8e7b38a47

SHA256
8b19dea15637fba479f1a22b1f0c5c26f31ea4b017c43c1f9ef7d8727294a1bf

SHA512
23d676fea5a99c61958655c9b15890ae03fdc24c6533d77f1b5cb60daeb0989b99d62daa254606c8e71ae18ca12f860908faa7e182715e65a704dfc13c80ce03

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
9c01eee7e6487b1d3680023ecb8f962c

SHA1
fd0519ac2fcd8358fa6fecf09ae079e223aa1b6b

SHA256
86051a84b0feea1ff67beb541f4e760ae1a0ab2243ed6f1f865648815040490f

SHA512
64116b85681448719c4ce4ed7cda317b443e12d55529a97c758e403468bcfb42ef629f3a3a6339876fa6d94d72d5aa53638e3ba3024666d59f18e101fc01c1be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
31bbfb504c3c2cba1072bcce6ef2bbd8

SHA1
bb1d73215d9e67f229f3b4c6ff0048a685434654

SHA256
80fb1cf2c71c6de4e1bfc666e64f436c733ef0762bc742a48de3b1c7fc64b415

SHA512
7ce85d3b5aa3faebbfd9f804abff45adef64712b7a3218353eb9405d7a7f24ff85e5c5dfaaa9ff4963b7deccee1f5114377aecf0d9bfe648f310039d4db80740

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
7092b4878cfec213f70025a36af6b0d6

SHA1
cbe7fc88ed2d64cb9b8075498dd7b69c99debc2b

SHA256
91a388f032ccf87f7a170cb2fb5b073c1228426d3c886548076075a5914ec224

SHA512
88d5d6022962c1dfb09326601ea47101804fe4744830619283aa328f9ee06667220f7a04eb727b88437de798884f89a5f97e7a250cda7d424bb91261c6d6c883

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
159dd6a2aa2cc9a7b2121ff492ee6804

SHA1
1487f73ab61cd4e8915e79c634a205cbaccfd496

SHA256
65f549d68513caf8953d0df153d70aaa59cb3759e426c5b0d7386aba076fc79d

SHA512
44ef2171e2b3fe63eb3b8dfb73d775e1b985815d1be1806e0253b846465d4f9ae5de9042a8d6a9dd32e64f2c449570b87d6497295e897b9b12cc53d10ae5bf5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0b9ae0a3059eb87e01a557207a02a5c3

SHA1
a54926939785bf1a5b62e01baad13ea97c658fed

SHA256
17d9ef311bdfca3e60ef1c84ded6f65e6784643cc13ff8e7048ad415e1228238

SHA512
e6cdf62eef96a74122eb6091dd448a4deb1d6ca9fe78269789ca013eda0c87ff78eb380570dbae36480cc32dfc62875893666687eb9579d6cb5a25d689990fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
e0a09c5761b3959b9b3ee4b287db1cce

SHA1
b2ccb6b248137f767c3f0b06d47bae7e556c1018

SHA256
813ae6d7642c43bb69662e56399da5799cdbdd9b3022de4ab846edf577e570fc

SHA512
d8a3619cba319b583b4afb0c3b978aefbd5483ea1b8ef440cb4543ca31e3fc2c28e9cedc07cc60cdfd74961342376055d49b3fa22a7a01d48aeaa57a711e5164

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
c0db77013a7b13f426e66e89b62f862d

SHA1
5f365d06c824672da8664dace3a70535f31badf7

SHA256
6432db77153cbeac3442427641ac97dc078f3b74706144c675b2563e41282589

SHA512
d31bacffbf5c93995dc469c82d69cb4994c62a7e13bc4cd04a3468eb18146268d09c9d764b959b0606284e137e620135b7ec2d8ea22e4b420244ca9180afdc1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
85372c5865d9ea0fd7c58aa6a357d161

SHA1
a78b897511b643a7045650e0770752938356b3cf

SHA256
c0ff6a52255242ce39d53727789a49e63d61d59eaf1ecb060ab88e1e86c287e0

SHA512
38bb67ab8eddf30cbd93e80caedbe3b61d5967a6657248ab29f1c3204fb25e05953d8c13686e61941c63972c88c28dd8b5d1b9471b830a10a5bddc3b147955ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
f9bffc53b753ee93a095cc581888cd3b

SHA1
7720dfe7e9bea4ab76855a44137755892d984dd4

SHA256
938e75a1ebfae7ba750f8bd85b78284d8f2f4d3fdfae89e0d810c419e85daa86

SHA512
e23fb4c531a0e877c6ec48be7c925ee0a762081d3d7438c36cf1d180edd01346db90bbc36fa55d6a172dbb24b11dad7e9f4afddf959e818e8328a143821f1b86

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
41f8ae59665ff2b650a18899328e3368

SHA1
6d0b4a0ec1d7a18fd61755f66926535fcf49659d

SHA256
51bd7f8f2fac69d15aafd5014908169f0fb7e76e879d4301deaba56ae9e73605

SHA512
34111955a03593ceadaaa80f7aff1cfc099e3cc590b20ba8826b66c10a1953f0ef198ac3fab4980f4627bd1abb07efbfc929b4fc8df1f08d3363e32491e182cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
301e1d029f2b21d26ab1739b811475e5

SHA1
672c7f94f19f291d3cc37d5c623d1cc8c4d13f48

SHA256
0aaf67c434b2409871239f20877181d186a64319a646de4f5360ae9d5b582fff

SHA512
b9550f8c98a5686641aaf596461ad5251de1bebf55661b83607f6701c643ea00e6adfaf98b9f50cdb92673aad86ccdaa50f4720a128c2d3f80f04966e2495beb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
56cf29257f55b451b54b0b9c07da20a7

SHA1
0abadbc529dc5e8b9277dc4b290969a4ac38903e

SHA256
18657f229664009629328d01d61702996f0fc955dec3e1e49f4db212473d83d5

SHA512
8986e25db8e9a88c2845151beb1d5ea368e88536c1a3e332a1204ab9790c89f582ea9d03f94485c0bc03c5dd08c865ff88fd4e47a17f385782b95ba61d7a9307

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
94d14a91948ad2c911e86978a96e54c2

SHA1
6c07acfa7da02bb1fb7c3875095e37169d1a6f88

SHA256
73419785791e8b2a0ab82b97069a402426b00c098a30eab191272e652ce0774a

SHA512
02e4a74ee59c343dd007a365ee68104ce787ca3307be11b79825b8ddfe8885523b7932ea1a4157edc2fdf3e01b562f8590dac3eb937c6d3beec8895089816b87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
df917f522dba2678b3d9e2685e39b7f4

SHA1
b0c6ce24685ab45b1e147c9eaf9e50cd73960e3e

SHA256
c1a403fc691b234464e249e6064938ca966d7ef13ca06ed1ec6a8e591605b4bf

SHA512
29c6d537259c952409a7242ca1569900050e68ae1a2f30d2b84c5bdf67688bf80ed175b6adb0160ca7dcc92b8a46ccb95d0378987a3d204d3c64ade88f87674c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
cda5b285b16b2ccb86ea5428153f0058

SHA1
6da06800b6f768b5ae6efb8a1936d33d946d2a54

SHA256
4f54c5b469bfc6e70b168af87ad5ef5e1b8a35880364cd68ab2d66feff3d282c

SHA512
ac688ffdbf0596b2350a2b2a211884c6b89350b6df32334587af1cab87239631013189a63280d0ea04d8c822e1c2309194e0269e67380f01b3035f9f927867e1

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
264f4f0548ffa30151cf130a3d480c8c

SHA1
bb725ebc713e542ebdfa283833831a35f3b9be0c

SHA256
5003c89c4b486682f64a5c7fa41e668631ad44548b4711d4be0e5a1244b6c25c

SHA512
4ba578656d6515310b0bad8234928bdf5f3caddde589b24f9f9fc63c05fb9ccc2e59ac03774ab1acc497781a593140e920605e17235f7636ed0287382690973a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
c7efd1bceaaf8411acccdcd0378d571e

SHA1
387405679aff5d36e2951510ce7f3f6b1114cbde

SHA256
6362eaaf94fae2485dedfa3c81265eb9daf27c972d8a41f5300c548419059e60

SHA512
e2feb134a4f7acf5719bb1bec2d2dd63edd1ff3163854cb27b73e68403d42fb52aef0f988c4ebaec5f8976bf290b39d1ee18e2a57f377c36e1d4b73680b8e29e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
9e12d81f0707cc6a67f15ca6544a65b8

SHA1
a8d99569dd9e911dcf803e3b80c5388952b4c5a8

SHA256
159660e8f90f74d1010e8845a76884581575f33a7e452b55052266eb9b9ca98f

SHA512
85b0f99d9b978acd4f3ae8a1b5971febac8675b7ee08ff95889c0ccdc3a2c3d6ca0e32cee5b9b173f51f5f5ca86915bbcaa8558b48e7e87a565180ba1eb943ba

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5254e48225d359c7694358ac05ed4a0a

SHA1
a5258403bfaf8ec60819ffb1a898cf9aff0cfba9

SHA256
acbb3caacb45c7a77a676a6313eef0f667b99c024de347dd95e64e0ad2d31521

SHA512
233b86a90cca9c9725cb446996a3809a9f75e5b38e0080119166b8273e07f05e1513743680e5463e74bcef6dec8563d20a9332ce976dd46032521aab7183ea42

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
5674318e790bd1747d9a11d19041ee69

SHA1
8f0117cb30c16ea8fb54731909202a669aa813b5

SHA256
05f488159c6be10d0128886f055897ee6c0e0cdb9698f7ce95366442609f3b2f

SHA512
be7136968724a233ceb45dc30ba28b99ceb010aaa303ce698d80a3d9b96251a6ad5569a31265a18afe1c5dea4520c4f8cd81cb4b3a63d3943a73993ea06ba3a1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f2f0a5f0cdebbdf51915feea8568cb77

SHA1
00c0ea0f38b5be90776bf0409a5ad54f9056a28f

SHA256
6be75f21bdf0edf52e3e68b9c0d511fdb88ec838d25cd71e949e18cdd71e7dfb

SHA512
b8732633121f32610973140373b35b0e10b4f9828eaa603ee902332a1464043cc99826785964d1caa6feb04ccb0194bdf64b0fc0917af389afb3b40e93fcb376

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
c5648badf481c0ac9275b183cbc4126f

SHA1
2caea844b67d266730ca71088aefde7d733323cc

SHA256
2b07d01e224c490784b301e453524a382a988906050113f95180b2985901dc4a

SHA512
275e8fed3bab8d80eaed6792ab254c1d0b008689d60e5f9a343466fc41090db26b768016723e1183213c2542ccd6b537ec1edb66c4be8c477ce9c163c0768d37

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
9a4f39d52c4b5cc35dc07802d58e1e42

SHA1
9801c49c0989ef71c4988d17d0677c58de45cfdc

SHA256
37498bcba6dbec13c36bfdc639ea2de24d80860a422d78f4b635ec137a53430e

SHA512
88c10d2c46df6329023ae6f5ab8bfac8a894277811c7e926519564a2ec55368874aeeddc839379d6fcbb6b35073cef6880ac77e8b79a17811d0449ef3f3bf5fc

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
21707dc431e8b81efa89294bd103d5d2

SHA1
a57510caba996c61b4e3079417319e65c7298333

SHA256
dc55e272b7c5fa5e1e5052a3b6071f10f94851c82dc39f08b79948a6b9452ca0

SHA512
9dfd76b6defb0232a4162089a0b2da8c4e2f0a316896828eaba2b3723524dd15aba4fe41a6fbce3c9ab1d6ad098d337fbb06a3560e412e047433aa63848b4188

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a5e7c1e81e438d1c1e5e09e2492ab6e5

SHA1
7eb9be894e24f1c8e7fd96a5b60436e131193d15

SHA256
bb39b9e1d6b03e751deb736e5ab5d12db23bd93fa0af131e1cc5b4cb6128325f

SHA512
6f90e946f8ec2cb289b19af2f566f0da86cc38808691dc11be5aeec1265b0658068879fd9f44787c95b140d794a0b4eead3dfa264b9d1e517d8a96deae278386

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1f3b6933c6cd7da5c71ef1908b61c35a

SHA1
dd9311df54f5a8c9740f5ff2084522e022c6f952

SHA256
a80472354d8e251ca332ef7048f62c170605d58966c0ae87b3a5634d20a52fc2

SHA512
818d13386015574435a948aeb96b45f994fc92fcd6757a0c770022e08c10d91f4eacde906c44d2a213395bcf1aa02a10e94382173cafaec41324a400fd4331d7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
4994859912e374a2afdb180cc44e4d4e

SHA1
1ab9df1f1ef3e1a6aa0ce6ec501a648e2342a6a5

SHA256
1277ab3880573b58092b9d168a49ab4c1d62803dab5f7a4d746eb7e3bcba91dd

SHA512
03d4b16a82649df0456b300cb00411622adbde7cbc0a39d6a81a6f440ad9fe8b7d8e03190e2e94c8fcfe085cbfe44f901feb10317a5fae43eb2c5eecb3383b63

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
8d1e95717778d6ca4c000e9c743b9dbb

SHA1
cfcab7685451e38dde0dcd0f7bbc8641a09fdd90

SHA256
ab604ec27dd110839c4bd33872ec5ba2b242c775b68d561c733bc1e9b523fa3e

SHA512
3e86c6125fcddb9d9f32d39bb67dc7e54de8f37148b304ae3918cc812faaa7bb5d56db06863df0abfd2933f6b165202670089df3525a0049beb5c559800b68cf

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f30e6a54f3b846bbca090c412f2fa07a

SHA1
a744aa7834ce2620559f47b4cccfc28d17e5883b

SHA256
90886637a06a91ebffd6c90eade378274166ba6305a399d451b4a7f894cf41df

SHA512
6473d7bad775b317803658e74fe38df7bfcad821d239cd30c0d64819b501ef00f615dbde05114878d78016ea9fea1cbb76716160e7866b7f1791ee285cfcc205

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
780801c33d0b0dce7fefc21dd4dc62e1

SHA1
2fc40163605eca0c8dfb5924679d49f123489bd7

SHA256
ab9011c90d70576d58ed57dd7fdfde8e4f91b7ba6afc5eb3c8b6a2826b5b7611

SHA512
0af684b5871c2dc432cd303e72f1dae742c39f8bbef0aebc92fc8048891c6b54f115b63b8ac99bb619775c25862e23c2e20877a01141be377f9777b0ce2fef14

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
807ac8858909b96c8b53f9ebe11d6ee4

SHA1
d24b3c654161cf2ff49bac1266540eae025d1a79

SHA256
b9b458e88d404f5f858e397cc7e4e088729196ae9f608f4dc8eee479394307c7

SHA512
1dbc7d1a1e812cf4be97f85b5a07e3ad00aacae0909fc3cdb380dde5126ef8930cbd0da17312847404a1feda3be456d687fb50f3135c595f325d4d19deb84173

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fdbafca83c669c6cd124b79218ce3b79

SHA1
150d1aae820546e40f7f7aa9a4c80d5dadbe74cc

SHA256
b6b9779eea7142f60e401a27ab4e0a48702bde1b50c1c20c4dfbcd21ff72461e

SHA512
6d70b208882a4c228e9057099ccf2d56ff63172925f84980d30dc9eb70622058d84d2444b990edf5a2a91817525192a194c9f5a3796617937df607f879efd974

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
090e350fa30e423f6ebcbcf6218e2b69

SHA1
bd9aeaa0a285abbcebde1e1ead1699fc2a46a8fc

SHA256
64015a504f2dcd2d63be22cba9207e004c497a00189992c4df99b621a2a68568

SHA512
600d570ce6df2f77b15b64618247925553437e8d288c9ee29a96df8b7100e5f652f485ed2c7d78285b8b68b24d1d1a878d1ebbd17871d83dd23e9d79956efa05

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
d69b3ec15943aadac3cce63e71f8f424

SHA1
a80ebaf3395d7a8ec1e2f9d4cb84ade4f5b3bc5c

SHA256
e1e3aed2de5306158714482a5e52988967babcd1b1e3ed2bd388afd9bf4adf0b

SHA512
c345ab27bc68e7900a739c3cf94b9c7747ed202a09255978ea3229ca3a7b2e7276e74459d1efe4ff58be54ab88a2a7cb38fb690242469aa9525ad1ed7377d294

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
f77a6a8bd249c3322dcd3fb69e92573f

SHA1
6cc1a798033b4d539818275424adcdc4867d633b

SHA256
e8c6401350e3a0bc6aa70142b0fb4b9e4e150a6d7c79dec3cca270e67706de76

SHA512
28ee68b3ba3eccab31abf1f6107a40e3a4aa99b4ccec4e0dcc4e562490573cb5b662017956d9ddb7ce2c5d3cda1b57ae940b0f30ae808b3eeb2d23a7370a7e01

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ebc6c90ff29b6f6ac22b1d64449a9b7a

SHA1
7d35eaf52acd10122b970e7c8a7614c0b174656d

SHA256
7971d81625d3e995ecf0ecbce7c213329716ea098b1dd42c6e0e4cdb598a97be

SHA512
819d2f5a7b00e6e6984aef9a45e7031931403c2dabec8443c79d89b15445be174f19edebecdf7f2e671ff9e6cc692f05a282e2115edf7531d8f524eb32c4cc55

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
bfa4d8d00969355fa68737e425c17697

SHA1
342e4efd1d44bd2761a7871cfc2fe5948cad8d0a

SHA256
c2305b8824b21074ad41348862d224fbe29420744359f26fdea3791952df5edb

SHA512
4f53049ff1010a2938c54e36fecf8f53c42fc1c7514c4958215ad63fc2f2b5aec8d4348612959eabdae2e7ea79cdebde55714df2a466607398e56e5e09cd8feb

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
dfd2bb8ac138c2fd3673de3a5b737167

SHA1
a7750f756d1f3a54ed77013760038f1c631aa093

SHA256
0acc39a37eecb96d6a1544289bf953d9a78a29035b11c3782778780dcdfaf6a8

SHA512
0a6b1b57f3f576ed5fdace60248e0064705b638477b2ec248614d0923a725bec3319a2d5ae3600a8e25a1753debed6adb4b7efb3d1de4e0b9fcebc9a48a9dc49

Download Submit
memory/404-591-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/404-234-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/444-92-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/444-210-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/444-93-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/1060-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1060-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1172-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1172-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1172-86-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/1172-88-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1172-76-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1592-188-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1592-539-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1768-536-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1768-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1768-159-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1868-34-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1868-118-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/1868-25-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1868-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2008-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2008-592-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2600-175-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2600-538-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2648-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2648-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2648-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2648-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2912-595-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2912-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3028-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3028-46-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3028-60-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3028-38-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3028-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3028-44-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3332-596-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3332-281-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/3472-149-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3472-269-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3652-51-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/3652-174-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3652-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3652-57-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/4088-225-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4088-112-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4344-91-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4344-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4344-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4344-19-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4468-510-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4468-163-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4908-379-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4908-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4908-6-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/4908-75-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/4908-1-0x0000000000AA0000-0x0000000000B07000-memory.dmp

Filesize
412KB

Download
memory/4932-249-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4932-138-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4952-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4952-597-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5092-207-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5092-540-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/5096-237-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5096-119-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download