remcos | 6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 01:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
Size

3.7MB
MD5

8873846b9663e1fb72778a220667c010
SHA1

1a10dc17e957cb85d9ccdde65f262077d438b68d
SHA256

6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9
SHA512

85fdab0152ea521e9d366358c1d19a0e65673ca1121736d8cbc5013d69b5dbb465de7afe10e6bfc1a24bfd6f50c5549aecbb94ec0a2c93a98ab6585e39d035f8
SSDEEP

49152:IrasJSuxF9rdUbJ2wMt7QjKuBQucLjaVd1JScFItNYUy3U9ATAP9nPLM8wFVEkb7:WxD6vJw3YUSHAPa9fn4c1d/prj

Score

10^/10

remcos remotehost discovery rat spyware stealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

23.95.235.18:2557

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-E0JKXE
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Executes dropped EXE 22 IoCs

pid	Process
4960	alg.exe
1720	DiagnosticsHub.StandardCollector.Service.exe
4560	fxssvc.exe
4680	elevation_service.exe
2992	elevation_service.exe
4676	maintenanceservice.exe
4348	msdtc.exe
3516	OSE.EXE
4468	PerceptionSimulationService.exe
1276	perfhost.exe
5104	locator.exe
2512	SensorDataService.exe
3532	snmptrap.exe
3356	spectrum.exe
404	ssh-agent.exe
3372	TieringEngineService.exe
4920	AgentService.exe
3800	vds.exe
5048	vssvc.exe
2680	wbengine.exe
4024	WmiApSrv.exe
3632	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	regasm.exe
File opened for modification	C:\Windows\system32\spectrum.exe	regasm.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	regasm.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	regasm.exe
File opened for modification	C:\Windows\System32\vds.exe	regasm.exe
File opened for modification	C:\Windows\system32\vssvc.exe	regasm.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	regasm.exe
File opened for modification	C:\Windows\System32\msdtc.exe	regasm.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	regasm.exe
File opened for modification	C:\Windows\system32\locator.exe	regasm.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	regasm.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7b7b5dc726e8edb0.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	regasm.exe
File opened for modification	C:\Windows\system32\dllhost.exe	regasm.exe
File opened for modification	C:\Windows\system32\wbengine.exe	regasm.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	regasm.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	regasm.exe
File opened for modification	C:\Windows\system32\AgentService.exe	regasm.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	regasm.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	regasm.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	regasm.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	regasm.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	regasm.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1168 set thread context of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	regasm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	regasm.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	regasm.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	regasm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	regasm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	regasm.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	regasm.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	regasm.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	regasm.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	regasm.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	regasm.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regasm.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ed7c3a8143f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000416768143f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000188e4d8143f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe
3948	regasm.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
Token: SeTakeOwnershipPrivilege	3948	regasm.exe
Token: SeAuditPrivilege	4560	fxssvc.exe
Token: SeRestorePrivilege	3372	TieringEngineService.exe
Token: SeManageVolumePrivilege	3372	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4920	AgentService.exe
Token: SeBackupPrivilege	5048	vssvc.exe
Token: SeRestorePrivilege	5048	vssvc.exe
Token: SeAuditPrivilege	5048	vssvc.exe
Token: SeBackupPrivilege	2680	wbengine.exe
Token: SeRestorePrivilege	2680	wbengine.exe
Token: SeSecurityPrivilege	2680	wbengine.exe
Token: 33	3632	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3632	SearchIndexer.exe
Token: SeDebugPrivilege	3948	regasm.exe
Token: SeDebugPrivilege	3948	regasm.exe
Token: SeDebugPrivilege	3948	regasm.exe
Token: SeDebugPrivilege	3948	regasm.exe
Token: SeDebugPrivilege	3948	regasm.exe
Token: SeDebugPrivilege	4960	alg.exe
Token: SeDebugPrivilege	4960	alg.exe
Token: SeDebugPrivilege	4960	alg.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 1168 wrote to memory of 3948	1168	6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe	86
PID 3632 wrote to memory of 3868	3632	SearchIndexer.exe	115
PID 3632 wrote to memory of 3868	3632	SearchIndexer.exe	115
PID 3632 wrote to memory of 1564	3632	SearchIndexer.exe	116
PID 3632 wrote to memory of 1564	3632	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe
"C:\Users\Admin\AppData\Local\Temp\6012722bb5136e7dfcc33763ccd5ec5c2024a1904f928c5c75b8160b13b6ecc9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3948

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4340

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2992

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1276

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2512

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3356

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4772

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3372

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2680

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4024

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3868
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6b8ac16ee2095a4795518eb30a3dca28

SHA1
c1201e1a8235f9eaef35e13a74b0ee8b642db4a6

SHA256
83d9648c7acab869c39d6de2f8a3455b318a9f9454eb0e47b88dc80568e5b24d

SHA512
55901089d401bc348f4b23799a38212dfd24726e2c6820ff9c79640b0cbe22ff18e930ba6f1283ab7cb6493bd829ef9c525b4c4de84ce483a6498e3cc9183301

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
16a9a2ba2b3201c16b5303e3f28d14ce

SHA1
6bbe8e9ffe43de9a0d605bb41e900832c3589dbc

SHA256
0c1b2de2bbe104bf61e58dcf7c94ff23b7ca7039dcba445ac21615892d608f2a

SHA512
4819bfdd7415043d29312fff4447916351aa08c2b9044375a2d451dcb16597e4bce174f389e002591447aee31ed93dfac834301b43e327de9e69bebe0c21a88a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
b6b2366b2c3dcbc378db7c86bd0ad5e7

SHA1
28d33c1848989ef3653b6e2de36a4cd5a4875db9

SHA256
1562a8567af546ae141f40899a8fd0fd123746b6246cd67d1da864aa5340a443

SHA512
b86e880b0c7446b35cac0609566af6e7ec04aca188b361340580733a481d2724f3f2045d4bc31addf61335d1a462d7f73eaf5caca35c81bebb99c3a309b2aec5

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bf58a4f7cf046cc6446a89cafbb79b93

SHA1
7ede1896f2c8cb464b255ab81257406c267e94c0

SHA256
a682c87991cfdb9472a14e193dce79c34eeaa0dbadd5f6e0ce459b2e5e0dd567

SHA512
a778b27dff46494800155e4abb5b5f7b1aa82e72d76406a19ce4e0266aad1d1a8a1bf07af0836dc0930f8768f084de3afab473f0279234c1be3d55c4264d455b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7f3d0150e8b0ca93b621db083b0ccdaa

SHA1
9325f22353c93cd05d7217a90d7f96fc9191fd76

SHA256
ef6ae45a53d3977871be13c0a8c791cf89fd130e1b4e228b4babc23f4d7dff0a

SHA512
4486dfb3207f1bf0bd5560f5c5b3e871e94ef908bff75743489008e175f9d08262712f0aeff7234a2e7230738a578bbed38318790960f3623d676f7dbead53da

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6ca4d20f8358e0c271228ab86a95d448

SHA1
29345f6c984ddd3e90ec28622983dfef175260df

SHA256
2329b66a3d132f72b943c3e160531fbf878a5994ed2413a9dd6d01b986466c60

SHA512
51f2c6704dc8630f38cf42f96caebf39272b70d237c84e9e6d9ffe9cd916b8b009d82de3067e60b434923660a2b1ccb98cefcf3a839cdbcfc0ef86c6c88202b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
9be03d6a0a05ede3568496a15d012770

SHA1
f27ffd5c9fcbe4ca2baf590318f489ffdee9352f

SHA256
35585547367d3d62378792b7cc62e58db038041970474226491a0f94b92914ae

SHA512
7a57c1f245a13b523abb41711d42b91734d8af0ad7587c0eb40666964b588beb80f23d811444ced16e9a3841febf2fca9c02ab28c9926058ee4af355347c836a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
91ade0b43f5a1c7026f9b1369796b174

SHA1
02d264a349d92c3ba8422660a6085ab8fff1ba5b

SHA256
a257b44827c0b691fab07ace8dac9aa7a65631e89582cc243d71e727c76b0a38

SHA512
ace89d55c5cd53b8d6c309e8a9d23fbc43e8dca5073ff3616f0fcb0a5948d0b917510d295491dda7c8073978b3be0a81fc587ae09d04f5fa381c9cc31a30ca93

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
bab1f5c5e493b8fc79650f27441e1f75

SHA1
83108446677f0b7159515a34de18070b1ec36f77

SHA256
2bf0bd2c4c788969bc5eafda3f01cc1d0f8e66728c247e3b9527e455082066fd

SHA512
9c1b5ea8910efc089e8d515168379f075e13b7f83fe2b9b6bebd58dc7a3cd0d1224a56997399917a5f5d73b81080a82c759e265f3bd41f45f71c828ecac06715

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
55ad6089e46d860bf56850fe9f670080

SHA1
e62847110dd9ae41269e09fe3772cbd3be34e1e2

SHA256
bb439ad5a1488d8c3870c27bf2b376b0d3aa8924811e051bc51a407716b2ebbb

SHA512
ce613914de63075f451ce746a302099a2f8196ac6b8359f2505fe4b3b97cef114494bb5de7e7072c36a934342b0c471cdf6e46605d4a2817b6adc3ddd501b5b8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
d63b6d2b7648e5bb323ae244436fd8f1

SHA1
a20f065b2d5e7acc4d4122f4b6f4df27e45a6fc7

SHA256
032bdf5c23e6517fdd6802d52aa6c3771daf8101db73ab0c9145a498106a3e19

SHA512
1a5e0f96d27c50a56b72dd24175a200acde10e24a98bf96fb935a08371d1c860367b0cc7a2ce680c59e2f09013a3713391d5a93d33ef36460e84f9fd31dd36d9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
845cfa6958c07006a3d0cb755147342b

SHA1
5b0f8db1156bfc03dafc42ea72d5a4cabc2c4a4e

SHA256
5290ca7f965acb5f786c3cd9b5e4d24d16379ff05a56add48d2422edc9f90a0b

SHA512
0637fe361650de81c6bae7e597db6991edbd974a0aaf8490c8d3724518865eda78564aa5196942d1f9ce72c9ac176e6695f4368c657d6606094395491d14ccd6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
3c2c69a0d99cce9669fefd4bd8242e10

SHA1
1ee87018bdec7bc24b41cacb2b09d426d15236cd

SHA256
a66aa7790db0f17fbb1e146942767cdfb11b1651cdd9fd74569bb77e5c2db351

SHA512
c8fe3862a32e42ef2b5aaa71125212d4bab9d728456d397307ee3aedc0018f44a94237dd42e02747574bf5149d4816f921910e8e516d111d3dd424485b92754b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b0b7c48a4cc55bb4421841d916e9c2ce

SHA1
68b4920058242fee524d9947d0a2df85bacf8001

SHA256
06da2dd6499211b018ecd189114822bdcde4ce0f4b9c366669dd273cd7a51844

SHA512
ce438226875d289d5061a783db8d2301b045ad6210af13f67e9b975d494a019b40c137523e964f2f6986ad79515c3285ee33c5ecc418582e7fb028cb5d871941

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
ecdee961c3eca861f795bc5e1dd03c57

SHA1
8a3ad2833064c5114ab1f310ad9266e54c2a5773

SHA256
677ed199d1915f408e7dfc2053ca3db20ced2de81235f70732f8de2c970ea5e1

SHA512
cd2a99fe9c996557d83b8f1b94d47343687ceca45c1f31713eb05c2c1b9a3d0ecf5a3ce4c9cc58dc5ef932dec2a6be70e4affc97d05708df9b60de06bc017ea6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
334fbcffec83b96f6b58e3c20140cc48

SHA1
52ad79133c9695d69b692b3d3f3e810c9f46fc72

SHA256
386ae99016ba24753298f5e2fcd3344b489fde8effb1a96b7721ff19839bb5db

SHA512
3a3778438e06fedf2b601c6826e894db0aa687b915e44e51747f060dbd93393231dd58c82f8c5f4d7999cb2f04b5019e7bd09f70e435804bc7002091f9c30c9d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ce0123db7268986cb15a93cd716432e3

SHA1
55cf2b67729052478f27e3aebd024028d879fa58

SHA256
5623ffbfaf7fb58bff7eff9087140767436aeda4fc2e044fd55539d795e1bb81

SHA512
bd1cf30fd4dec5bcfc5e263394c54306aff6459db0b3bc0dae4e65347a1158e525bda5c0c53cdf224eebe16b85403d82c4c01ee85c3126a04328f149c5772264

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
9a272f549e1225ec192081f1245e3e07

SHA1
fc28060049b053c8fb46af1551c3f1406bafec5f

SHA256
8079edb1561618197193b048ff02eaf45214b3b3d74af8fe6ffb1b8e2a7bac70

SHA512
f8a1d185d767ed40ea1b03c5784379077f3d3bfae3dc088d67d3d53b139e7883e3774ba25a47ba909de0b9ccdc832e475edd0850f8fce7d9cf3143fca4534c4f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
6006e7ab38648d43a863622c158d3f15

SHA1
9cfad8ccb54e3a300fe9de7666405e5c822f61d4

SHA256
5bb0dceb8cc75ed51b024f1a36ffdccf83958ea8ef933c0cb332541094673dfe

SHA512
cf8544105883ee0276fecb4c1cddb54a2a8f6955cc3c357f502bd2c9bd36c0440e4aaa5c0874f04ad643f6f72444120f19756ba0ebc24a6d48e3f9dc8e4b8ceb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2ae970bf45e3d500142cdd3fd415c4c7

SHA1
442b4585e61bbf2ab1ccb576399f1e98ce432267

SHA256
6e62f6abf37347820034ccdceaf5a8e5313af9447b47b74e5db5f50cb9ee0afe

SHA512
82c4be2715c1235409d167e5c7041ada1e07046d370654f756fb151bda41c93f154dfa2737abc829adcec1257e16cce8d671169e886cf0b06a6d400a9f1a7170

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
fafff1b69867072107be4994d7abe6dd

SHA1
3962471b2a08bef8c0e2efbcf5a552703ed5236d

SHA256
2d39ad6c5cd432bbffde86cd2ad4217518e63725cad197b7f9e37b196f996010

SHA512
a519935724478c59ca5287e8440d4744813266d4f98c7375327e44a08caf7d02887a29e9caab73d4306432c43852dca4db52863d0eca63eb33de8bde3079574d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
cfa87a19726685456fd8c8c978dc7268

SHA1
a12b04c567984c2acf88e7b95a7796c43f9c7639

SHA256
c99d41f25f28a5d7971cd334034c1e773cdc137ace63f13b17a31bd5d9d9374c

SHA512
9ebebec254a865c234970710165c722857e026f41404745aff950ccaf94179d99d75f61201495cd6f6bd1515080d17148e1d19f9ac216df19acf300133aba6ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
e437c45e23319fbc9c3c7c898376b3ac

SHA1
25559ae5936d8e9b895485650d6c9a4218af41e3

SHA256
cd90179e768d869ac65b28e7db0c1acfd5ab3945bd8c546dee10dc679487acfe

SHA512
78cf0c96e17049473b0922636e590e678d744d70a7b8d2c22809e9d333df4a9c06b23ac83d0f79551b40a6a499f0929527bdb8141d05524706cddf8921c55c7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
16c143c5c847e6cdff21c863406fb843

SHA1
bcd0fb5a9a2cdacf74e79d5f0bdfc199af14ad0f

SHA256
a69ad2ed814e18dcf6e8ac43eda030b11742ac7b305735017999061ce68e4320

SHA512
adece14d180b46cecb548cdefbaf3fe28119c3aa0a906dac5daff09fdfcb9fa0ba0e1591527930a9ecf7eb4a4c9486783661fcc786059b1e76b0778c4ef79588

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
b4230e29b044cbeb294aa6492aa3904e

SHA1
7fb8244395b023a1017944610dfcc393f6d7ebc7

SHA256
b594dfc94893d85372a744c0b9fc1bd3b6fdca563830414fbe3330cab2a2750d

SHA512
f21d0cf3c86eeaf8047ac14bef683495b2034d122ad6d5f50477c464321a8ff1285fe4062fecc3452973f58b0052308294f2d649b97b867e0ad09efb5eda7ce6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b77e69bc1bf9776d7543687a32dfa972

SHA1
442bf19e05c22d5f612b363c111138003b0b35a1

SHA256
95439a9726623a5f8ac9ede900a00f2ed4014038f8123eb8d6a9e6897403e89f

SHA512
d1c09435b3ee0e0a85acf57700778e87641a6ba04ee565d63053b388dffdd0dec9123bffa896bc21a63e43b1f708e328fd47aebd3e6b3623f7b2e13ea23189ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
039cc46863d32a80bb353835c7de98df

SHA1
1503b62ed8a00b5a166777dfdf6f70f8b448cd15

SHA256
470328759b3053f6746543e05cdd5ddf1601cb5346f00451fc54498d2bc19214

SHA512
c38c83576577acffd491547215ed7cfbd5eeb43f8f3310930dd59a35ec9f5ef6da7b41c040c07f494308c5bd7d34f09adfd9c19758b36a5e5d52038fb52a1c13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
1f4eea04cec18b2e4a2c3d03cd3fa454

SHA1
b66dc95296893caef66c7212f71094d434815cbf

SHA256
c2625fe853533b8f65b560e3d6f2f7c3b3b3577f41b765ebb4db0fe299f74210

SHA512
28e78b97a0ff6d2bc9f372292bfc7c77cc2f6d97f9f904e666f79c09c281c8c2ba6a2a65cdded136e4581006244099c3206f4f5820a791b85e16d76e57f10d1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
411c401882e4dbcc31660c94d8adb21e

SHA1
cfc9ba23f3f5c4bd0b25c75355bc415bc0fd5b0b

SHA256
dae3167be53c1e0269917a3c9a7ff4a906f874d5a9f4349f8b2606734d60c12b

SHA512
a0d35325d5dd127403453e454dd5ac45a8bc0124d940e42fa34c065fefc3bb33a8d5378f1bdc8b07d8ad126ee782e983d48240762c76c900fda4eb7e6c47af01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
705975d5151d94faf7c24152145c3dfe

SHA1
a822f40a6c44d46ce2958cd68dcacf65c4517f10

SHA256
ede7647f544bac06be96719f6a40949f9e8ba9b3c32c10b2ec289b9661c2e3cf

SHA512
76f8043ad2bab350dffb44ed81b84d3c3c86d1cbcc1641abaa27dbdd09999a45ce4e62069cc52747646016b66a32fc3c14dfac4f3709d6dae5b1e178ad4734ba

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
51ff7e2d6fe4b9d27c8c22c0a9a8df88

SHA1
2a0958093dd2001c8913c5aa265a6fc5c2c2fabe

SHA256
fb4de9851d9fc491bd8c8b37dea4ff4e38d9d7278f45d557a49d90e8c1522d69

SHA512
bfcd062df25960066e13520b400e4a10e64da4bb056aed92b7b0094e153d2b21e48135081ea21a939bd073fcec3fdef7ad9839b9047ad000ce888bb274446267

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
7eeb7e1e6c7e678e642c8ddcdc1bd010

SHA1
3e39a71abd62763d0b123602b9e31f1f69d1529f

SHA256
cc947a026ba3eaa736d20ce0b2a6466920ad141e4ce6a965fa1aa66ed2e32ac9

SHA512
d890c61be45ca4aac6312c3701dffec097668f26d27ef3fc6cf6605a243fdcb78924d4f0ca923c3d2dc962913c1ce77268baded6e48daed015ad113fcc054458

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
00bf9bdeff7f45477ae7b022d9e4914a

SHA1
078f3191a7922ab1c28e64e2c01fe1a7aba66353

SHA256
9ccc9fe563508357f51cd55dd10842d0babbdaf130e08b5a750f4b9d651c38cd

SHA512
55fd6f5c6c144102441621ff491503ccf9d0af33d331b733aaa351cf9bb36c01c98739cf63b55284744516354ca255ae8c1e40a6b94e8ab26d04f7fdf96f1123

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
10bc4f215623d929952d520341b445bf

SHA1
5f5755d7012101850c3737e3a40a3b5b254ae114

SHA256
071db5149009bc5d33b3172726a442280f825d3d147931b614e94606ea23f1eb

SHA512
594a365749982879e6b0d5a56c96a5d261e4294b22b7c6483b85d0c30ba45257145f4ac8a065709ac7bb42d5b9d22f745fef463acb68e5fec82ce3f79079777c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b17ebdba41298809f3654102a338343a

SHA1
7daa9b8b8ef872d47ace3d49e3abb6b63d3b4dd1

SHA256
979e5fd27a97b0b081d1d007fb1a34d3e6111a6c694c74844f8164e0910c9d04

SHA512
8dba9c270a274a228cb2aa8c169ab4010e9663a152c9907fade40e009cf3a3f9c6028378f607ba53d359e91066284a971917e1c7fe04814832a8fec50cefa5f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
bb2d6fdb0aae5b6eec18378f61d9adf7

SHA1
cceafb48a2d6fc7540ae3037b86d0a8177d7fefe

SHA256
bd48d61dc7ae95d77b58dd9c3f81d3f34b8191f4196e63bf967f02bec14da0f7

SHA512
c45186e8db66571d8cc8b75dbd1b7fa34250ed8a7ab4d9f58e12ffb447d1d8fc0a2839cfa0a92954f0e3878d650b241b314bd0d42fdf9fabb89e9f3230f1f8e5

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f5a5b1c87097949e90e325643a21f758

SHA1
e6f60352f848af73b7c8206276d0b66998094702

SHA256
009cace8fd086033690dd8c83e5fbf41182c472f7b7bdb90f9ea9fd27cba57c9

SHA512
cc9cb832ecd86e4e64a4a85554b6dc1a901304eec36bec70b7142b730ec03958b38bee4d2efb05a082857cd7ca23a8993fb36984b7a346995d2f6a423d4b33dc

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
806354c8f78a298f6b3ff92330ec85c8

SHA1
b9f519c9d82d416538854ef8edeefac9189356bf

SHA256
afdb6cfe1ae64c20bf1984c5b10e8d8207a9f56d416579f1fc03a6f8a134166c

SHA512
1278fa474c50a756bf8b3f41dd5bbdb048fb0721b91e01dc6a0b9c5209395d4eb6a8fe484746e8b3150e593574bbb626f1ecd96835505e9f687265b2ae671ee7

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0b7c79bec46a6bb2dcd40128ed19f52d

SHA1
dbc4bf2b309bdfd2d8e7dfde04a16cbb56ae15a3

SHA256
9dc224a53469cd4e9cfbf337c04340e0590375f0e2a2b74acaf533602cf7f23f

SHA512
2e79b9e20d87ee955c7cde535c947bcfd4f93087c07b58c182b65966082fb55c12e07cc78faa8b249212ec414c7a515bb9aa1958f2b41d88a5aa8949b9151c06

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ba90f27ce144232d560bd02fcd4d21e1

SHA1
2c103f02ed7ecbc947f6fed6d9cea66b675e017b

SHA256
8309cb4c7438c8cf8cf9d6696902470bd8a03e7d073b2207c9f276bfa158832b

SHA512
04b04a829bd7f535c2dc75694f2a1784611452a7480ff98962fa4686fbc8d8b40df2c5e16cb994a562e16fc2e2c6ef8ad882ec79d6719031e97770e089d9716e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
48f7165450e02efb70e613c0ed8e8251

SHA1
fa12772f4ad61366255861f4279b2542cb9bbc72

SHA256
5f6ae6005b6214e490924d4c63a4201b522a12c7249dbd36057f0664950e0b81

SHA512
82d93a7e50c8ba23ec80b599e34e90c6155ebaa73d33bbf3fb87ee1b2357ea0489e6f1b9cec72df1c6c52ade786c075a918a0db6cee8975bb42282c4f7e681e2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
953a564bfca7fd43f8e2a496bef75255

SHA1
7ca74f2c92887afcf23f9c6c75f41951444b8512

SHA256
50d406dfd3b62aee7b133ce9309915463947ba166b64cdf7aed9a53e3035189c

SHA512
bd39ab0f697f3c9ce214d6ca1b1131d630ed155f167fe0d131efd0bbff0c9feaea19fe9d7c8464cde90371999858d15e631c75e9c6db92cf3ac3ceadddd2e47d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
575536fadee95dc39d41de1c324fe695

SHA1
0cfa8e237512bf2b2707605cb83eb1681b40de68

SHA256
3f8a502457e0deda2e54e1f92455ab85dadf768bcf94157be417804edbe11de2

SHA512
f10acbdeaa9dd41465a183b492f282439853b80e18dd2060bec20970d2d730a6fa1ece962d0ce3f4e9a255309f94e9d1a3983b0350436330a72efa9378934a94

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
51e9971b8c46524275a0406860ef901f

SHA1
36ec61e5bbfb646fbdbaa06794ebfc62eb6ae209

SHA256
1cc0772d60d99f65be8681b33c24596588c1463890695f0cf4048969e40fed9d

SHA512
8ce0a335d701648ec308a433b395f4bbbe3eb7dc44afbe10bceb5302bf2dec4b0ad01a9139f8630110b2351f01996cf323f6a61758a06306eb09c7613b7b5f6b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
5a1af5b2f80922dbf7b096d71b00b34b

SHA1
209fad969da916b12795dc606f37d6175a8abafe

SHA256
097133ed6b26c16ed24858d0a50e8007f889b9591a9bf2bcf19bcb2c5cb855fa

SHA512
9322ee19e4b859e3ecd431a1e07aeb21fea8501e04161d1b2835889fa92d4e58c9feb23348f15cd570b3a84031dcdeb5e79379a9b2b78158fbe2ff006c73712b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
256b05848242ae993ca1a8e38a3bbd77

SHA1
552bd7c0fe3a34f95cfdb3d591f1bcd3d4f9e072

SHA256
130cc6362e4fd3733d7702a7e1de9daacb979b842645c2684f8e2c8d31462455

SHA512
8ceb9711f9ed88e0fd8f1ddb74346d60b397a5ee5815c57d6be0693b1d006ab6e21a44d28e810528b7b0b466327f3d0c41b9014e1c7f1dad008077598bf7f808

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0ef24df6972f1178bda4d598c65fca8a

SHA1
5afaf46bf101740254658c7ae05d910d8be9d57e

SHA256
97d754e855466fc8552de219c701067692aab592c7c87ecd1778e11d54955f0e

SHA512
237fa65eb1c334b7d84aad4bfaa860dd882b05b0e3569ed647fcbdb4b22d4a8c841dbdebb3f29597117dd765072f27ce1d10b7d8abbef938394a2258091cf52c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
40001e92529f5c9b495f1e15c23ce62b

SHA1
bf9143bc0622ae7320161e2829aefee899da8bb9

SHA256
07e58e788724f994b294772a8a990f5d4d1f3c2f30bc7e7f1cc17c96683f1bfa

SHA512
2980ee398ec00e0a24b23d3e998f30ecd5dfdae4a17aa601ad7f0bd3e3fd753014a8d62ba1e959897e6fa51c37f185756b2f1fe746fa82b51e049e72de8aec07

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
8336f43fc71b7d3a64a807c454b18d09

SHA1
763dded0099eb0be8b4cd7d82100185527973e4d

SHA256
670ac233e2f9079ed591cb38dd47e0e31671c97c54a78cb00b0b22bbfd98ec69

SHA512
96d939cef391f46767e02880ab4934bf662428fecfe9f0288addfb69226b2cae076e20a9187361dd177d2d65d8903d56d68cbc70a068bb33234286380ab19a2a

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b881c1fa137ab70e7b7bd9575d342f0d

SHA1
77d7ff2262cfb90411eab9ea84717c3870abb167

SHA256
bc17fd4bdbe26899b820593e83140a71e11b9fc191f16d6a31709ab6df1e57aa

SHA512
a44dfe8a66917096266b653fee1a509e905401bd17e6715e99a7ff0ae086418ccead90ac3016178a8b6ac893a580bba7629ae84d5835a6f58b79b8bab4eb785e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
a22d517bec4d461afd2a658d4be90d3c

SHA1
db46c3d3ea6c7c5b40ed8d4f83b0a864f4a02e51

SHA256
8d84bc80914b4f11e1a45125577c7631eb4f8782da753693fafa8dc44ebeaaea

SHA512
7258f0f63805316f430d259dbc3289d96a8c2a9e774cf67b003dda6f7fc201e521affc301ec2591f0d6a0568b5a1075d5bfbbfb6a7b6ff4ef7f47b7f22ad0431

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
bf21054f09b8cd20425b6f3dee2cea64

SHA1
0c8cd037dadc4a72207ce16d2c542e983e09ed22

SHA256
01d9cbcb9abcf7b11f417a2596c54c4b649bcd25de04e6aba54b416cf0629c6e

SHA512
ea42b61011b93ac8a460091c4f555e6629d075e169c8ff54545ea487f572e644b16f63367c7601a8e0827d465e26e1dafc6ce103db0a6e42ed8914d9396bdb62

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d5518e4f89e6125a4903fe4906347cd4

SHA1
eef67fbde04f0cc9943c1f480f8f1a6b0aafb3cb

SHA256
299f727012d5efbdabeb62dfe6b6e0e8bf982b206532dfe2cdac32ac814efd1e

SHA512
9f76c0af92e891aa246baa35be4916109726065b0c5739a4634ab4cc5361668a06c8500276dd09f9a7d26eb38342af41c3cf7b08a23c1b85be709e07404432b2

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c86d576c5cdcf6e81b6afde7fd9885db

SHA1
f571e3640491a90bc0d854f2e227e852f0b17712

SHA256
55a80a4cea8d1a1a8d355b265a9d58af4663fc474d59f882815b75ab6f1c251b

SHA512
5c4cfc8fcb50dd389a46173f9433ca50270238ca0a11a5b15d9572ac359dc0e93bc34dcc5bf5f1c0550e2c9945bb632a84508ac601d403d6b45bf98c5966a8c3

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
fe0ef5878d56d776fcb2a73bffe77ec5

SHA1
16b7dce3c0f8c0222c699c734bdadcc220bf9028

SHA256
f467a4d8da0415214d525adf63e340c05fc7631c0ce516e7f823de349b68a154

SHA512
533db0db4d94c8d5e9eee5be05bcd01b094c14ea099bf995a6f6b260b65328f3095b4ff113a8cbdaf18bd140d1a41c94c96536876f368a9a5d78feebc215a267

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
8d5eb4a18c13482803bd47e21614f4e1

SHA1
7763684cf8938bcfbaea963279e0f65426340474

SHA256
f344a0cc5596c409bf44bf953732fae341f595d55f0f09a18d11c5bf5638fcbc

SHA512
632bc542832a232ab567d238a27b4c864dd5cfd54c42db961eac2c16723b839ddadac13c6c0fe6990d5e4b8487633e4f0ab37ea675eb8b2051ec9254fc52464c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9117c9776c49ead9d27ea7976f41be04

SHA1
b08e8a92205a7ba9ab609f96b8641df1550484c6

SHA256
371a34a456418eb2d14c501712758b33d4fde36e24b1c70fc7e3b64652135a67

SHA512
0059d32f075c1dbb25ba7da9ebc8e42ae9f352036b80de193aea87fe4d7cad7f6f914b341d61846f7ca438559f82650ddf0005dbadaae99c6bff1680701fc846

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
31182e6900a11947d717540632a6078b

SHA1
bd2ef67dd8b20f460296c99b6abb69b4c47d644d

SHA256
bb367ea00a65b1486a9c204ff4a895fd23db1a5d2cc68cd40e24973989673494

SHA512
66608ada80dbecdc018761b84a963afda3a3ffee2725f6cd8639dbdeff4abd27f7eda968b92934b806a9ff6dc838237b5bb0f5f648230e2dfe9d37a9880795de

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
342010d4c9f855412f039ddbf52922c7

SHA1
ad134c78345ded5888d4fc108fc7cf5f81d02b36

SHA256
7b2593cff73cc0f3d5a52194a57cbd37e0ab9630655d00a19a3972bf666a778b

SHA512
dd97ed0510e984ccb3de441b2989fe03808fc943358b1cb55516667b13661844adecb2a415cd4cb5ff9b22342de3970e0c61b6ab01e2c8652aa5bea3724d5ca2

Download Submit
memory/404-308-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1276-301-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1720-32-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1720-40-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1720-41-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2512-471-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2512-303-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2680-312-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2992-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2992-298-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2992-505-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2992-75-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3356-306-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3372-309-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3516-299-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3532-304-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3632-667-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3632-315-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3800-310-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3948-5-0x0000000002FD0000-0x0000000003037000-memory.dmp

Filesize
412KB

Download
memory/3948-14-0x0000000002FD0000-0x0000000003037000-memory.dmp

Filesize
412KB

Download
memory/3948-4-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/3948-0-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/3948-13-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/3948-12-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/3948-2-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/3948-1-0x0000000000400000-0x000000000064F000-memory.dmp

Filesize
2.3MB

Download
memory/4024-656-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4024-314-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4348-317-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4468-300-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4560-51-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4560-67-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-45-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4560-44-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4560-65-0x0000000000460000-0x00000000004C0000-memory.dmp

Filesize
384KB

Download
memory/4676-85-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4676-91-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4676-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/4680-61-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4680-63-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4680-504-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4680-55-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4920-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4960-26-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4960-18-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/4960-429-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4960-27-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/5048-311-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5104-302-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download