3327d24853ffdfbe3206037e00e41d37920c2f57bea462438af4bf3a7d85f048

Analysis

max time kernel
115s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 02:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

93722354d5849dce120ce1421d787e70N.exe
Size

648KB
MD5

93722354d5849dce120ce1421d787e70
SHA1

c6f0804e794d707321e2ba6ad0ac5a4ecdc92315
SHA256

3327d24853ffdfbe3206037e00e41d37920c2f57bea462438af4bf3a7d85f048
SHA512

3de73b38f4c303949d888fa44ba7de1c7725a28ad31b97cbcaacfef4738ea1c778e29d3a6403b15fa1365afedccc6a74bf660930a07eb831484b26b15d338c85
SSDEEP

12288:7qz2DWUm6FggLbrQXbR7jqkf1Hm7tJc0FS3jicGWVSI7dMua43Ek0cIHAN4:Wz2DWd6LaRFdGJm0Q3WKVSwdr13Ek0V

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2936	alg.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
1160	fxssvc.exe
1016	elevation_service.exe
1804	elevation_service.exe
1528	maintenanceservice.exe
3672	msdtc.exe
4444	OSE.EXE
4600	PerceptionSimulationService.exe
1280	perfhost.exe
868	locator.exe
3100	SensorDataService.exe
2988	snmptrap.exe
1792	spectrum.exe
4336	ssh-agent.exe
4532	TieringEngineService.exe
3548	AgentService.exe
2972	vds.exe
4340	vssvc.exe
5112	wbengine.exe
2648	WmiApSrv.exe
4604	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4ee4e89a2dbdc151.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\locator.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\System32\vds.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	93722354d5849dce120ce1421d787e70N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\dotnet.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_81359\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	93722354d5849dce120ce1421d787e70N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	93722354d5849dce120ce1421d787e70N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ddbda46b4ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d7a7296a4ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad56596a4ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d2e176c4ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055a90a6a4ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c41e206a4ef0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009ce1436a4ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051cb336c4ef0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b81226a4ef0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe
3164	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4288	93722354d5849dce120ce1421d787e70N.exe
Token: SeAuditPrivilege	1160	fxssvc.exe
Token: SeRestorePrivilege	4532	TieringEngineService.exe
Token: SeManageVolumePrivilege	4532	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3548	AgentService.exe
Token: SeBackupPrivilege	4340	vssvc.exe
Token: SeRestorePrivilege	4340	vssvc.exe
Token: SeAuditPrivilege	4340	vssvc.exe
Token: SeBackupPrivilege	5112	wbengine.exe
Token: SeRestorePrivilege	5112	wbengine.exe
Token: SeSecurityPrivilege	5112	wbengine.exe
Token: 33	4604	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4604	SearchIndexer.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	2936	alg.exe
Token: SeDebugPrivilege	3164	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 2264	4604	SearchIndexer.exe	114
PID 4604 wrote to memory of 2264	4604	SearchIndexer.exe	114
PID 4604 wrote to memory of 636	4604	SearchIndexer.exe	115
PID 4604 wrote to memory of 636	4604	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\93722354d5849dce120ce1421d787e70N.exe
"C:\Users\Admin\AppData\Local\Temp\93722354d5849dce120ce1421d787e70N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4288

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1804

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:868

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3100

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5036

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4532

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3548

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2648

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2264
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
c9dcd52ae9621fc2e62ced5c67d83e57

SHA1
ede8e79f720cea6c46e8bc9e38fe089f173ef880

SHA256
c61d1b38ca4c7572ae1b4e2aa4058c1e7b1ac702a655f4e7271ffb7fe40c1bc9

SHA512
6b7062d32df3144d0980ccd616c01fcc52bcad401c8e4f480484f08cb6d45c9ee6fdaad9f4acaaf2b8ea9b44a64ab11852a96ca30f39b6a3dc7c218c75cbf526

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
44e1e6121194140af9e6e3d307a07748

SHA1
0200dbcde8540335f7713ba2c8b6e7aaf9efbd0c

SHA256
0d31e560d5f5cf051427b8d7f8aef4b163af5126ee19154be09b9e9f94c5397f

SHA512
356498486e8c8d4abc5b28be13793d66e9058680a9c085d44394d741e789a832140cb6b915da691d94622d564813ea39c2f359668f76a0de3ef2696094a8ad7e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
ea2139dbbce86c4b24e1328456ca6980

SHA1
24fa584178f1fca9170b3906afa2b5911e9e0f05

SHA256
fea96c5b27aef238eb8812fca8749c4aac02d985f5091fa8fdf8e60c4274fc36

SHA512
4e075c7e21242506c4537ae690b20075f9a18b2f6cb027bd54c1f08b592c57ac0d7a5e4c540030d7a259706c93be45f1f04496a14ea6fc48a49b48e663581eca

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
84438e751e308e2299c0e92537cbd586

SHA1
9c33de7ff164af03f8a1fa14adf66f0f18478376

SHA256
06ed4c033c87ba27c91c4258cd7584aff9ddbc65d4719eda1ce85f84004e9b5b

SHA512
4bf4c39f5576045c9d32bee83a86899c12f2ce4089b58d50bd2a0bd7a4ebe46635d7f8b84a7e9572d3f6670ab4413b8cf84e39a0820781860410f640c335c650

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ae89a13233f54d8a25e2f0b6c5c57109

SHA1
f75bd7c947ae042625df403656cfa49193a9bcff

SHA256
798e4791965adbded7048d0f3752a5f3269ef366f951ed6712afe486f4643062

SHA512
6b3f549fd32b3d93f6bd30ec9799fa0c2c83480886aa4a90ae2bf91bb016c530b05f2f804a590d99b7b2a7ec73251519a965340fd4c866dbd6a562643d8ee6cc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4cc7aa3330b7b9b66ff856afb02a252a

SHA1
3bd227a24bf136dcded3e447613101725e8f1ecf

SHA256
02a1992113c87fa6da7e1cd6bd75c44f4ec60a8bf00d18d9e544dfba2143088a

SHA512
7d4e05ca02699f6457509610dac2371b236a112ca81eb9dacfffa425f825750bf8668bf9197a6f8a10b67f4120461bb90e86284bf2c40f7c26186e1b48fad1c1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b5ec7ec53c530faa0b0f48c83b7cbf56

SHA1
e8946c9d2e149ab4904bf8adf4b79adc5dfbadc9

SHA256
91fb8bb8f252bffe20ff4adb6f04bdd47c24cec63f33735c68fb8f2fade2852b

SHA512
ff3f3c7e69e0fad2482002524ec1b57e28c2baae39d48f1f99371cf7e6b45ffc1e03373090f11ea29ceff7ad6eadd63b6210f3ec6f1bb5f2de459505a030dc0c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7bdd84aa1e2b03b045863498627d8a2e

SHA1
853e91f29a03e60c27e946cf66f9924482d02ae6

SHA256
80cb551721297371391d19f5b709fca37b2210f4d9e3e8acdaa1eba23e049283

SHA512
9a801ef042a56ce986a13ab8a3939bec8023ea9787be84df9796749b17b68c92240074281b79d00a025eb692e58202d90f3a23faae252a6affe210aed1201469

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
213744e12dfb870edcfcbeed9905364e

SHA1
2e7423600cfca4c2864ec934d0408f371dfb1ee5

SHA256
08a1770be012ccc0aef14e5060466fcc262c2a9cdb2d79a920ca592e16ab3970

SHA512
956e4aed75dfc76db15fd7dedbeae1d7ccd29869e4414296ee1e3ac59502daeebbc40f8578ea2073ceac697c70eadae559c5aee63e3e2f92ea4c9a77eeb56795

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2571c7f8ffb1008dc6a279689a3a117f

SHA1
2e5c1ec679ef755052934a09ed0abdb61a438c09

SHA256
8d824c42757e01573ca2ed40a5e49815bf665d730a8010cb6a865693b8308b42

SHA512
27e4e6311acf144f292f9f9e1f85e1080a2b8bd42315fd313f040745c4b9802ac5b6f72695487e1e96b661324e558f7a07c83d2e4a976cedd8f0992b40d6bce5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3b7d8d044ef49605c5fb6356247a9d15

SHA1
ec93d09210fe806264167efdb8b19141ca561a77

SHA256
69d229fc39170e92d433bf946df5f70255f83ffbec909b87a00993e5beeb4b1c

SHA512
02b029d704d8a1268eed1c9fe2628baec2ab5feeeb77ec39996d10a8e71dcabbcf02505355d447ea4f3d7a5d6fbed1bbe74917c5959904a73a083e5371db8ff7

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fb1ab49e32451fd02eb26531f43f1624

SHA1
1b897c55b657e57d4d15c74c5a1826efe292d51d

SHA256
625e917362f1a1c090c6d959b07ee8fcef760daf75521855ef996c71ca946aa4

SHA512
90606469156411f2e9b57bfa65d03927570ab6bf9ab4704a9a6e6627c4993e4d1ae5b78729ffe7eb64280839ed5cb36d8d381ffd04f7e982778c9b1ee94ee389

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
43bf87375c237b4e982b84ec491678af

SHA1
33732bcf4c59e8da370f8b8fb4c4f06d671f93e7

SHA256
8e5001d3a177a09052c897b9983d4f8b23da398ad20df811a2fc1d24452387e3

SHA512
00551e5bc46d89385b9798759014bb77c45c762ef6a98f7146435aae8fb6b61d7bd84e9645ebcff649b51e93c78343ba36fd35a13e283dd90769c98abe1bb131

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8e87c9fd0f588e726979bff17ada78ac

SHA1
5454d16c329a513f6dc084a7b3de464c368126cf

SHA256
1d08300852c03d64643c37f56a9d9a67dcc6362e8c213501e00254584fcbdcc7

SHA512
d1b57b2a8d0ac266d2c9c1ba3afad8bb58d7bc4a3667e7918f8c514c96aa88fcfc031a0c30c6e9f612bcd6a03a6b2c153e8ee6672d299d4e5d6a8fab13023750

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
07f08ffc7bf8870ea159b2bdc63b1fb0

SHA1
95f5d58d4fed14a1e57b4a54bd04e978bccdb5b4

SHA256
02df480b462c25c4b35b02ac9c9ec619739ae3ab60c1a8a4020b80cf50d07c3b

SHA512
09f8caeadf2b28870cd0c443314f47abc37ba253d92978d4f3b8ada5c5ac2c8201d477470196808a99f5c3410a0643747a404dbfe46a09e1d4b9c7444673ec68

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
8d323a2948f2c1311bd125b83a145529

SHA1
b55c3d850c922d5bb63c8c2114fb0f5a6ca5fb74

SHA256
898d2e64221568d1c7f08520a571004f5aa756d7bc9f6fb1bd7a87339eb300ae

SHA512
c4613ef89159b439d06bb642efb9a70a340d7915157416293a48b88d75a1c9d313e815c1938e8d38260047995565e8416fde4ab3312fad0e4f0be824d635b6c1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e2edeb0a482c93445b45d7640f182209

SHA1
0b5e31c64ae452dd62bc66949e1d5e193d530358

SHA256
00f03055fb16a99997bdd1dec880585509c2972bffaf1362d2d2447a8c166671

SHA512
aeee2189c18e5807b7034a843007a08ef12e2b05c641b039e9a688e0e2e0d0331d678bc8dc42b2b5d867e68fb469d6b0618230ba2097004b2c59b5b9bbbbec20

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
dd2ebc22b9721e5203f248056652fdc2

SHA1
049b58ffa9ecc3bdf14d55109aaefdd1e0fefdbb

SHA256
731e5f9b063704b2321bc385ba7b42ad183e0bc84d6a3e6a3945945d8c16072c

SHA512
fe0363efe8423b7b1ea4afed2eb4c6feb1f843ae13af5e780e5d6e52c1f81dd9a16782bfda29f7cf105eaa660d730cd1c0b0a22337ae3cca98fec525835c09cd

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d5ca946a1f02d89382477ccbf7f64bfe

SHA1
b91e8542ae5574b8c9808abdc4ee005cd4d53f5e

SHA256
050f4c46d0ce153000987c25c9314939e9f985d75210bdef236bcf236bd1fc65

SHA512
09dac9b633ff52d1e6c886633cd977584566c839a6b7fa9179ed410eed68491b1c86c4880d619a046dd88334b41c2d6d664d7ea91b603571af90d606034e125f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b95be26286a2d81c423927aef90f3e68

SHA1
81b0c993798c40908fae56c6b7cb23a3a7194b7d

SHA256
50c785b962424a08e8db8eb26e81f94a2a8ebb4ff2e50353338701ab048aaf6f

SHA512
ec66dd4ac8085fd982c4c2a7dec287e571ebacdd6bc31377527b4971e0b9f31fa924c877a00279ca5a72434380d723d6b32151243246f2f2433e3cd97d0bed35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
6f49876846ab5e9f168eb1ba166662bf

SHA1
f4cf2e39a104a6b9f7f496608e75d1dbfe362da3

SHA256
be8b3bc0f430b0f486d7cb8bc1e99b78c71ad64ce13033c5cac88447355c93e6

SHA512
7fe7b7cae9879e257c951aa7a80df2c217f40522b042d21575e168aba88c449f39966b278522357dbf66e1c9e4bf3eab549fe6d24254dd548f9e64f121f1f254

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b2a57fea1cdaf1bf8649e0479b84c34b

SHA1
fab7835065686eeb25f6200f5717d92477273024

SHA256
3100bbf0c696cf39cccbce54258f1c6a36c8d39d1deecce6319415e66f669c28

SHA512
1af564f3878d91af793d84a66c4b803cfc94ebc3bc95dd0a77964e1f8ed66d2d6ce176afd5d8ed26ca38995a6716629aae74f5ed23bc5bb5ea67d40a31cf8ef0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
cb8afd5d01fff595e5842d4e2290def1

SHA1
f0302f2420d1057db9df178460a40a2eb91e0f14

SHA256
e074bf3aa3be616ef329b4798a7746132b63fef92fbff384b4a5d3dc165af37a

SHA512
c02c520d8602a5bd73b5ca87d382d00ad82a72f3e9e68f292995595741457447d9031a4968bd905f9ff6a303ae25472c608665957443b5ef052173fdc416f79c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0b008d2dffd2d7774af43080b7da1667

SHA1
7f84e95c6e25b78d71ec92a483baec3fb9e93f59

SHA256
f64d900ca93bfd78b29ebbb3e03f7d02761d9712b2d00b09af265cb58db75779

SHA512
e5458cf63793c8663b5f54fbaba377d6dfbc3b368f0ae25fc2f7951fca5364815c4c01daddfe01715f5d5707297ee9ee0d6433beeb477ab9f883aa87af24c455

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7ed7e9df7601dc7e19201b3cb4f8f58b

SHA1
31d06a12e4a460a8bdbc4bd950ac6358735435e0

SHA256
a2005551c9720b677888ddc3f1a3b04784cc697e03a1652fa02eab8d4d64709a

SHA512
6a53f15c26b5728ab80134e025aed2e61ba160984a01bb1e032c4f1e4b89481d7be75c72490face23f4a4539286d6c3350608cac63d9f2f4bc92b8d9ffd45c44

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9421ee5999fec8146e249c8887fb67cd

SHA1
4dec498b376ab2b12c786879a4540428caae8636

SHA256
8e74531c55295962de932e6081bfb404744b1170b6ee58451a03062e35d174ce

SHA512
9717769f693bc74da288ece44abe08a773db2c0e218f899230529074631bc642b75c8fd8943a47fb9f6ce19e379fec673e807de3f706610eb2e9e58bc203c4fb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
13dbcc44740a0c00a7c66e9d736c475c

SHA1
631ca6641c7442da8494871897466a28c4677bb4

SHA256
7013dc77c28eaf48555a984213d89fbcc731e4139e0c2a5027b38ecb4287e474

SHA512
97c42e058fef7799bb657ede8e1a49d62f01aff8576a92fe60b1bd77ea59196a33bba223b3e41446f61f7f2757cf89764c8c5ac9646145e7b0ab3e15800caeb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
69272274e8d0c60013d5e4de63a7b3cf

SHA1
3c6d7a3c6130c5ba574722cb10e4dcb9cec75e10

SHA256
6cbecaaec55e6f72b95ae830345d6b695a0fd9d86804c3b6b0d1b1d322ec2eba

SHA512
73a670d11d917c192b544fa43f38c84413cf79e833c00bc12f42acd5fcf78b6a1005297b467482e44a3eed7e860dc4517b84de27fd4341fcf510b9d6900d2626

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
192d561faf3244b0028770c97dc7084d

SHA1
96788006717255991c0046136268eaa6b96a4afb

SHA256
74846198e0c9475d05f0e458631fd790a6f1a9533dbd205e33dd8bfca1635454

SHA512
4e34ddb2cb8d24165179139b9461918e77594600ade508cce658ef890047d2bea2c6e1f5e0b7ab95580504e55fc996510bd21db9bd660fcdafcbf10a3053455b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
5d5c3aa2a4199a82cdfc601bf1d59e6e

SHA1
d9cb0ded81871ce3d728a4657971b1668918cd46

SHA256
afe18ad03c4c2643e53b30019d9ec57a18f8486bddb26ac03f8410b3f2ac8886

SHA512
5c7f062ddcb85bf5139abf0015ff81bf2d15ad264bcbbfd97e19bcbdfca14e888ce643a1865ad468140a3a1393292d31583e31cc3d51a734ccdeaec4ccc4bed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
fc2f0d1735f725bd3de8868a467cb040

SHA1
046234b9d5ad6ff7a95e30c2c05729823204188c

SHA256
73a7b70ad2d564e9cb1784fd2640bd9a8a7b3a8b2856b9891583f6140794202a

SHA512
d4715443fdaa3bdbf0891a62d5d3bcdd35f1ea4d12e995960c3e5d9022d3c3e1186e76b584aa64b240cefe884644c707e282bf6fe8bded1f606a15ecf3748e11

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
1f6506c07e30029ccb7b0cf06e889e18

SHA1
8d91d29943dea31b27a49de4df105bb9f0bda364

SHA256
558937552d8f11fe5ca34e408bb0141dfd5150ac7a8a716ff1f5970582c9e9f2

SHA512
ba50ecdeffd8cc7d51b635a77d366294621c30a8f771237d0c28062e34d6d1725d01254f9b1b767ebe46f1d1bb995da9a86b72db7efc03fcc2983007ab06ed0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
7420619dc5fdd391919bd44a8b486944

SHA1
dd0224f268de81d1946960dbeec5fdef5c3dae27

SHA256
c75241084026f6334fccc6d8535dd63389024ea18cfeefc17fb97a1dc6e89c37

SHA512
581d1cf83393c13586524dadcfd9a631ecf39e3797d158c1d4b3c85fc523aa16888ce8c99a13b41b56ffcad3b2b53a5ee454e6165d8cd260c84bc499e9841500

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
fbe5d78e19fc8036cf097a98f6ef8430

SHA1
efe02af368f5fa1ecdb3249aa6b6f3636fb931df

SHA256
63c7b46970c55ea82a23aa52ab62ca80f001f984488e6d1c396d6bae6ccabf14

SHA512
c37bcaae59f83c923ed51815e0fdeae8b1c953c91b81ba9e3e8a12f480c04dd3b11935dd3a40cdcaa4dbd02fe5695e3ae953940322583be300b7711994519f6a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
e868667e5154ae15b08e9068917ae805

SHA1
2b0f158e94662badea484481e15ffca69f6f4c8b

SHA256
9420843bebf499c97331fb874116978bcf57acd4f1fe87853bb23004eabcd68d

SHA512
e6d70394e6cacbdfa37ccc301d2b299f8499f2617a62d4dc6b3eba7a61bbbec4c2f5fe6c8737d171139f3bb16adad25ee5ed5e08c9aa0dbb759ec1f25b61904b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8b8b4916911c28fb9fd03461ae8b879e

SHA1
a435422cccb7e77c51331ad0d0d8c486b71d5a35

SHA256
ff4bd0956ec60562d67996e655630ee0cc2805b2c4008551055d47c49b31aad5

SHA512
70e8ff1858178197f87d6a2ad2ea4f8a10cc2e25fbc24a5863c2b741268131551bd4e6acb028252f54d3ac86c1a5830a7e204f9b8c3b140be4b20c79b8a2db9f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
dca3783a3578b499419cbc239c032611

SHA1
9addf25335906b0f0c546f329164df3091502ca1

SHA256
240339b14d952204b3c88562af194bb8513cf80830fe2044d63ed53a8cdfb5d4

SHA512
2e942f2151b24b81496e406d97acd0c76c95052537c3b5cae2b9afd8bcd85df8d912feee83a00955a7694cdd72c9f8f9d59c45db18135ac7d11475fadb4d0e41

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0ce9763ffa5f4181472d77678e516c1b

SHA1
a8447b0543f4469dd75f7ed36f754c7b11da2f8c

SHA256
c595bf341b7f573b6730250bbde78bb92532ee677ac68551df221ff0d136b7c6

SHA512
ee4b9c2b0ac7674daef10c3a8694b30bdea1f9ee06e1e83f238925cedf5463e5d90c54d077d32869512ed5977df4c06c8a23f22c587237b1fab781facecdcefb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
01a741fd6ed23c8df301092cd8b462f9

SHA1
49916a927975b3fd75585f65bca48efe85cf475f

SHA256
3cfcc4780a5bac0e39435fa06cf4cace4ddbbd0d7d6154c31139211186afb57e

SHA512
0dc517e992a4e4145cc993ed195d7b1261ff16244a8d69cf4914517e58c02b1dd2bcda62e987a30a2e092ad61c5daaafffcd9d8177e32dd6e3e402d16c2c1414

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
730aeeba573e7e8409cd84549ac9bf96

SHA1
7ef0ebfdfbce6d38b3b473e2e83790ed8e90a9c3

SHA256
b51745366b2540278cf696bae119c09ed0035bae978332e1aa80c0b4bf87e819

SHA512
f79cd3d2bc4e3feaa183b5a40bb746f3f07253abc239cb3724f0a9ac7644033742b467bcfed58465dd42a6f1c1d87d85e21b12d591bccf820094ccb5f61a159e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8e5609fc54fd1740d29bdf1eb04694f2

SHA1
d2d579cd07483bbabc2b3630e1bd5ceacc7cf20c

SHA256
5b304c6203be241b421f05dbbc9e96869ee911b5c600d5cbf741def280e6d716

SHA512
7fc32133e9d80d3ea478bb72d6b43634bd782f3dee342a77e9c746cffb3a5b9366ef48d29e2907ec33e7850cac3d0f189b2d7e8db9f5c6fa1fc189656e37fa8d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
078094ae6f70770b80d36477ff026567

SHA1
383b13820e94e264aedc21e457cc8e54aac0fd43

SHA256
7af7fdbb00905103de3ee8b10c263c4f896dca235cdc9bb8e463ab09959ba02f

SHA512
1a9827cb101ce4ed3ad38b603fbb76af6482d0cd0e4401819556fce233c03f556b20ba2a5090c0d737eb815e8db262c6b36e1b65aac046750a59937a273156e3

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
81a6f206864681bafc1766a008bd4d74

SHA1
b27b155b156a79df345d873683d617d714a49cc3

SHA256
98702376adda3f52850037cee6a401d772d62eff9bd4948a8c782de8eddfd075

SHA512
9bb15b35ae55f5bb75bcf05b3e7b5dc28bb2ace2ae60dc777ad4da92f49103eecc6e73339416a4084594b57df3f39400ff6a221e970e0afbf573d6a075321b53

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a2e4d14886c6b6bddd4919fe12960eca

SHA1
74ff932cfd387c72b4d15777503a265ac25c78a2

SHA256
826a065de7c49950a7d13ef5bc163d232297e7282f8aa11a287324259b928adb

SHA512
6c6a9aed94f489677869732986b61e009d976daf877bd43135e9a4d3d72d08254a3a85caec41f973eb56329bb414e99fe5d193202da0dab98a56cb04fbc5cd70

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
41cb0bbee8607e8f4a003e72225a3bc7

SHA1
5294ce5de454ecb8f280b783b3116f6820589c2c

SHA256
d4526c0e42d57d97c43c4e1b96c4c194cec9ddfc18b889c1989d69b536e5f68a

SHA512
8d2ea9a263c83d97937e419d877ab9f847b7cea8159e283ece41da82f82ea6aecbebcbdf3e2c71531132d88d7fa673c47da96ed1bd6e73e18005ab0680f334c2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
ef0bfcf7cd4eabb45008fd83229f674e

SHA1
92441366334a5ba291e6b08fe87dfd8fc16cd696

SHA256
b5adf64799508b4eb586c7e7afd02a95f5926510dc135b21ba4971d1efbbf349

SHA512
dde62fa6dc3329c11015f9ae72ebac22189a1df5e9ac70819394a0aa68cf9165d38f7bdec08f9d487a3551f801f47c76874b112ff9bc419d3e1e02f15965fd99

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
57e59379dffcd052cf0bfd374c7477ca

SHA1
5bfd3b045d54fc024447c1dcecc7d1a8337467a2

SHA256
56aed4f3d1a0d0f1ffc33f1297d3f3f4c0a73cd71afb5d8f773b30a67406b528

SHA512
b73d0dbec6d0d6cfdba6666550eb05c8796a5fb33d0f42acafa2c2e8cd57c87c8bf2d8994f15abfa5e9a275aafc8ba65b7343088783785287f8d6befd8aee2e3

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c5d81bcc832980b0c77fce114b473e7d

SHA1
7839eff3d6a87cd6f1a9e3ec3618cc0c90127dbb

SHA256
a3a5b41c27dbe00dedee4a3c17048a6509e449cc8d5d6e4fadb4d732d2bd047f

SHA512
e22c9b4d1f6829969a33b0ba76f62ed0106b6073e714eb80ae727c5fbcb357938a5fd885d6a778234b620a732613da794c9d2b1023447aff2ca3fd6365917415

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fd056a6aa7a8dbc7b047404a8ac8539a

SHA1
80d10b9eb54a90afc4241af9fa73d1b3983f8bdd

SHA256
288536da6034becae43354df5410f54d7bf4ff5b2107cadc973a073ac9130263

SHA512
46c18e36defe2b24fa4f17f7ba37810b1208f44f10510fcec17aa0dc1879f243e4d742d00923d4550ab6e5d2db82fb712ec0ba3f51e799bd6c4e06b910c689c4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5333cba8ed513f3f395ecc1fe6f1ce67

SHA1
284e2597be1b8c820ad6569bf497fa960adcbf68

SHA256
93fc34235398e30d5e2354e2b2e6abeeaf685b56fb7f449c8492cd677ca68a25

SHA512
b226416f1b6238273ebac2c5167a825268b3ed39c9bacc961a74f117900b96e2676ca63218bd04c1becd02e77df03cb60afc8eccf6889e264a2fb0131411e609

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7e2cdb352f7125dd97a0879ed5c3732a

SHA1
e7b14b3859d7efd65fba6b1119630b225c9237a8

SHA256
18649fe2a227b6203514ce548e477bd68b269486ccbaf578ec3df6354898c000

SHA512
b6378b7b296cf89e68513e9a0882c89105d3ff6cb1914f892b855ce9b0ce2fe117e2fa19926aa747664f125212787b6bc50e6b41e79222902b391f8fa4ea48ee

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
647ec8650872fdd5813122807b638c2b

SHA1
7b97809378f720f3abb2599f21f74d5c8288a2f9

SHA256
a545018ecf0e8c627d599ed9b83eb80383118374348461190d7735b31598a244

SHA512
8c08ab68037d496070660f98208357005fe143ab90ff2464113ff6f50fa3ca624fbc804e2a79285bc93c4d52823ae509b3e3961bf33053c8c44b4a3c2cb65e3b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
9ff93b627a61ea7616ec0c75ccf22736

SHA1
736c38e543ed9c6de1e7193669a67aa845d1e840

SHA256
883cf5132b4765bd526c075032f512bfe98df46697f45edf2519f0d4f22f4e65

SHA512
1c8c15fc22f8304df0d37da5f3184a863dd10d8ee452c8f76716d06fc9fdb0c922e3792819c28058976a1c6f341d993c602ccd2bcc9518b413ed23d24fcec43d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1c045bee5275701760e025b429ad3594

SHA1
345461f8496fbe48cbc945b4da1e3d488d15e8f8

SHA256
1c9e128e68e5fdbb0e4c67d9b5b75a006f23c19bfe80dcb4f2d3a91ff193229f

SHA512
baeaa6986192e2610a0d3d689f2a793d9253d2b1a322145d18b5bbb3417ed80a5771d375e4ecd18f7c84c04dc8f25d0fd8716af253956e363249a859653c26d1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5bf6848fab22e4a0c4d7f6dd3434af1c

SHA1
c2e6328b3ef87b67f0fdfb7700faa9ddf82ce2a6

SHA256
b50360d770468b201a0eec0b54ca1e3ef3c17111504a9d98c0916feb01d3aaf1

SHA512
3eb40dfe67b8d4e811264ec85d90227ba23ba2e58d6da450806674ce63a1c37b4451e283f7317a231af75080ad13b3ce75b55fc05b5ed2997d66080aa3fbb081

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1090a38e04b9315076069522e0d22297

SHA1
12dec58341fa4e2b20cd74c3fb02811713a54bbd

SHA256
acf90eb33c870cee49e58a3d187968a48f9ba45853a51893bc72455d18d63436

SHA512
5403f15b528bcdd5ea4b6516d06ef4d8daeaaf3801df3a0d29df0b8b9f0e51a16f675b3e8adee8a4bcaac1575707204f438b89d04c2bb97644ecabb6b6ea6a67

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6416b2222b2d34be1a18ff86e050d0cb

SHA1
b07f1945c14df6d9823b897c4c97a6091fd7bb1f

SHA256
fdc2ebe18e388bdda0b04682b7742317a3aa6ee540df70e412135b596a58e4fe

SHA512
fb2bb4b747bd4ea48879d36e990a2099e91f9a11c0606ee765ba83b7fa2a7d69c46c67b203b3bfa335401828fee92fe16517257a750f166e4688926524f33ea1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
4abfb68bc0b32f83913365e1e8eff75a

SHA1
da4cac7832a3dbad14178483f8afb362a39d5129

SHA256
f721c6638974dcbff7d138de6ec6b3f8e15216ff6c9ebd52976ba06a61d6cccd

SHA512
d294457a4d426fe2549928b123f01a7bf4094cf2cf844bdeb851fad580849f47fa3ef4fa15664a0dca4d0280ec43054adf81d7c8b259e74f36b0f7d63a59a931

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ad76f80cd549fd876e4c9b3ff9cf1c92

SHA1
41c4a1afbcd1f594952f868a3ddb98c42d1243ea

SHA256
591e4ec1434e1246d2edfe953ec51f059d92b5ad23deab9727f8194dff4cdd91

SHA512
c606c22529c3bba12c6186eddb9e5b2bfbe263c3dc7bf6632547fb2090727ec2e20e263510b60bca7aaf8c2c8a3117b42ee2f247862ec1d4bd58ca0e25d8431e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5efd0c81aee1732c84d1de0777ec3309

SHA1
d0c189550e645c599783a034800922c2dcbee86d

SHA256
f6bcc3709a1a50e6c3c8d8057eb00b6c1f4973c39ceea581df91fba407eb0966

SHA512
8d88cb6d995fbac0d8648a8ab4d25f7174b556bb0266bffe3f3fe61f014f287ba12f6162d0dc2d36a70db49429c16f751d8d335041669d3783e69d80ea13d7ee

Download Submit
memory/868-255-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/868-135-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1016-169-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1016-51-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1016-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1016-57-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/1160-49-0x00007FFA96680000-0x00007FFA9671D000-memory.dmp

Filesize
628KB

Download
memory/1160-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1160-40-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1160-64-0x00007FFA96680000-0x00007FFA9671D000-memory.dmp

Filesize
628KB

Download
memory/1160-61-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1160-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1160-46-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/1280-243-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1280-132-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1528-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1528-78-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1528-84-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1528-89-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1528-91-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1792-448-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1792-170-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1804-182-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1804-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1804-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1804-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2648-588-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2648-256-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2936-22-0x00007FFA96680000-0x00007FFA9671D000-memory.dmp

Filesize
628KB

Download
memory/2936-19-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2936-93-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2936-13-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2936-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2972-566-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2972-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2988-158-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2988-409-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3100-583-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3100-146-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3100-268-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3164-131-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3164-36-0x00007FFA96680000-0x00007FFA9671D000-memory.dmp

Filesize
628KB

Download
memory/3164-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3164-28-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3164-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3548-205-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3548-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3672-103-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3672-94-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/4288-8-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/4288-77-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4288-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4288-474-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/4288-476-0x00007FFA96680000-0x00007FFA9671D000-memory.dmp

Filesize
628KB

Download
memory/4288-1-0x0000000000A70000-0x0000000000AD0000-memory.dmp

Filesize
384KB

Download
memory/4288-9-0x00007FFA96680000-0x00007FFA9671D000-memory.dmp

Filesize
628KB

Download
memory/4336-183-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4336-467-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4340-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4340-584-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4444-219-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4444-106-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4532-514-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4532-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4600-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4600-231-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4604-277-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4604-589-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5112-587-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5112-244-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download