0cf0bea8109a761cfcbf8094b9709706fbbec83c1ebfc55dfbdb7576c781816b

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

11df08f0fc370c3ee353182caccf7d20N.exe
Size

1.8MB
MD5

11df08f0fc370c3ee353182caccf7d20
SHA1

0a7d362e570c269814832d7c2c6b630b2c66e97b
SHA256

0cf0bea8109a761cfcbf8094b9709706fbbec83c1ebfc55dfbdb7576c781816b
SHA512

b38a21b1621a653c6e89886b464dc59aaf1539a8b8e17a28d004aa92b3002910bf69e91bf01722f8897ae809a02c31caab8a07d8fcaa32d03ca36866a5d90db0
SSDEEP

49152:/EtnrICSooGSTs5xbX022fjBxrj3X8FD5nb2LLPrFmRY:KrICSbGSsH8H8F1b6TwY

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2300	alg.exe
2752	DiagnosticsHub.StandardCollector.Service.exe
4940	fxssvc.exe
4568	elevation_service.exe
1696	elevation_service.exe
4848	maintenanceservice.exe
3960	msdtc.exe
3948	OSE.EXE
3096	PerceptionSimulationService.exe
1432	perfhost.exe
1852	locator.exe
660	SensorDataService.exe
3736	snmptrap.exe
2404	spectrum.exe
4860	ssh-agent.exe
964	TieringEngineService.exe
4528	AgentService.exe
2800	vds.exe
2584	vssvc.exe
5024	wbengine.exe
1572	WmiApSrv.exe
4756	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\cf83b58689816891.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\System32\vds.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	11df08f0fc370c3ee353182caccf7d20N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\javaw.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	11df08f0fc370c3ee353182caccf7d20N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	11df08f0fc370c3ee353182caccf7d20N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	11df08f0fc370c3ee353182caccf7d20N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	11df08f0fc370c3ee353182caccf7d20N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2c812d87af0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003f739fd87af0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002a5927d97af0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3b948d97af0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ff4a5dda7af0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a53220d97af0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5f362d97af0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b8dc06d87af0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe
5048	11df08f0fc370c3ee353182caccf7d20N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5048	11df08f0fc370c3ee353182caccf7d20N.exe
Token: SeAuditPrivilege	4940	fxssvc.exe
Token: SeRestorePrivilege	964	TieringEngineService.exe
Token: SeManageVolumePrivilege	964	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4528	AgentService.exe
Token: SeBackupPrivilege	2584	vssvc.exe
Token: SeRestorePrivilege	2584	vssvc.exe
Token: SeAuditPrivilege	2584	vssvc.exe
Token: SeBackupPrivilege	5024	wbengine.exe
Token: SeRestorePrivilege	5024	wbengine.exe
Token: SeSecurityPrivilege	5024	wbengine.exe
Token: 33	4756	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4756	SearchIndexer.exe
Token: SeDebugPrivilege	5048	11df08f0fc370c3ee353182caccf7d20N.exe
Token: SeDebugPrivilege	5048	11df08f0fc370c3ee353182caccf7d20N.exe
Token: SeDebugPrivilege	5048	11df08f0fc370c3ee353182caccf7d20N.exe
Token: SeDebugPrivilege	5048	11df08f0fc370c3ee353182caccf7d20N.exe
Token: SeDebugPrivilege	5048	11df08f0fc370c3ee353182caccf7d20N.exe
Token: SeDebugPrivilege	2300	alg.exe
Token: SeDebugPrivilege	2300	alg.exe
Token: SeDebugPrivilege	2300	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 2732	4756	SearchIndexer.exe	113
PID 4756 wrote to memory of 2732	4756	SearchIndexer.exe	113
PID 4756 wrote to memory of 1480	4756	SearchIndexer.exe	114
PID 4756 wrote to memory of 1480	4756	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\11df08f0fc370c3ee353182caccf7d20N.exe
"C:\Users\Admin\AppData\Local\Temp\11df08f0fc370c3ee353182caccf7d20N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2752

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5112

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3960

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3096

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1852

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:660

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5096

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4860

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4528

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5024

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1572

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
cc2626c9008e06486440e434ac9db3b9

SHA1
933731ff41620d163933798d791e27f97ee480c4

SHA256
70dedca58a960817118b28764c0111a5c5bbcf85d6404b332fcf45570df4f855

SHA512
901957378ea841629ec36400b646e6c573f3868cd5414d5432540ad9a81fc0665fc27ddb672460a3fa22d8a78738236dbfb350e9e6d46f191028c033c0dce6b7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
20aafdd5d992ffedc23aca0fcb2538de

SHA1
0d40c9fd08c297273f6ee8c391f601c33205fead

SHA256
02c957e3108d5bb8956e3ec4d3dabc4a4c5f24982279bacb6268f2bd62450117

SHA512
f6e034d9fc01f0254bc798c3fb1066f4d3647467f53b3c91d7f81b970ebfc471ba5dae73cfd037e2bbcf78bd29d745841b67e38a79b3674d0eae16690d067090

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7f3406ccf0ba48f246031d690afe3b5a

SHA1
4c380e516d26f63b49d10149b88f26b48e81375c

SHA256
d103ec2e99ec747580e9b382b8d82e451f26f6cba8d90da100b7ab79e9d583ea

SHA512
c0f86af391e13df06189dec6136a8ca74adfbb143ec09c5ac64ce01d25e70e0b65a5aa02a7e757be77969b2f0fca67c5ad746e9234bf892f84f7d13d4e7e63bc

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
075e73b12b465377631531a28f9bfc52

SHA1
7714050affc288f74d228608833516c8a782f3a8

SHA256
6d5ca39b365c8997b0f9cd5fcc2a130c2422cf2ae2f78a4e0b8446f6c738570a

SHA512
0ef79fbe5c4d96f46ef1c8a150dc298248f254737f9065fb685b6fc686d7cbdf4073354e26b4edd5cdc52e7616615daeb247d24e12272149d4128c6f646aa43b

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0ae656fdc665aab11220de0cc8500d71

SHA1
78bcb3cbd90618a47edcb97a0d738d9e1847d269

SHA256
f5049f5b8dd08aef209cb4c77c4d7cf3a40bc68a0a260542b93cfbf7772faf4f

SHA512
642c9d78e3378c3d35e4fa04573a217a03b977bc6450fb1256a9f75a29f47a59e622e540f27b1cee117a26aa1acfbd5a6c006e009e24dfb70e64c225247a715a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
ce1140a36f5bb92e8536170eee4b95d8

SHA1
4e7f9524a0110e63fef99ea0f7cd02537e7046ea

SHA256
3f748fccfc5350c817be86d3b5356e33485e4b38472ccd4eb19f50fc91811257

SHA512
a99010b5545ff9cf5b02aabe7170e8ffb22c5049dd883cf5eb8c4fbd01cbfd12e8dd70def5657e24f967c8c7a69c8125d50928ee75f7bb010e11046259bec05b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
f618d9d0a0816aa447f636f835208687

SHA1
e23912d6a6f31a984ce161547686c0bdd4950c49

SHA256
7a7189ad4965adbf3490d88e3fbe96b1defe7b7d374d31d40fd867b412123134

SHA512
e239677cbe0dc4708f204b688ca5b306eaf52cb7ce48d3d64d85b8e88e8501e709e933205c81b0b28aa7f40d1ea283c076fd7c8269f10d847e3af2ec583d494f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
94857b4505d840629ad05762a5e443bb

SHA1
f6240034adb0bab006aa7eb09806b01a9a4851bc

SHA256
2a8a1acc9842fc653573a8c931ea3d689b2c33cdcd8f8064fd658fc0fba73dd0

SHA512
f31fd255c8220b2ff4ba6ff97470bc63074581caa68c412b39b69e59832bbd97647e5f35c281268a9e121174f18894f8c94dc9fbf8b442533c75d1a51482aaed

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
48c6b59af2fba3cc291ba4f7067f5eff

SHA1
43503967a5ccf29b6375a399c17f6596b893ee5b

SHA256
a57395c6d8cffd909ed6cb8f7b197cf5f669c86fc965755b9659c946b466fc6e

SHA512
acf4799a828e44aa53f5bf2575a9c92bc6aa9e2407cbfd01ec57323d15081eb6da5b5718df7342bcfc8e9aded1b6f7c27680df03e2a4182ff179df24eacede32

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
44fdfe59b38128caa8214e5312897f23

SHA1
6f03fa9de387b768a809ea15548538ae308e1b25

SHA256
d7f244a8da88cdfce0086e74a2a4ac5bf12f8ddb157a0da385810c6f1d092e3a

SHA512
a79d01098dd0d7a2e89c358b4d927874b2a9fc3856a1d8d80af48fc9a8fbe6e055c225d2b2cebba370dd112c88aa855557daf7ad95513488a02fada650c22aeb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c8231df53eabf183b8838c27136c5338

SHA1
9b236601f0b2058cfdc2ac67740b210436ae2262

SHA256
3f6ac0b44363a9b4d493872dcd2427663e84ab77590fd3dd4a5c1c3387b31f89

SHA512
dae383197190f0f24703650f3678ef4466e539243efc321f300bd0676643c0c344918fc6a1437f589479c5552b5e47527deba26560bb88ddaa2db5ee4e14b082

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
4ad06dff7e871dddf0c18a648e35ec23

SHA1
76f276cf24606b47bdfeeb209fb70f903ae4959e

SHA256
d3b761541031a794bbc7ecd5979dcbf594f699bfe1348abd1708712eb624f52b

SHA512
e2fc5ad57ce618b4e79c83df77b364dd67a2605af43f23f1b3113a1373a2ab3ae70d9188e4b6cf63949f125a789c59db8ab678e2909e98827102d897d400cd85

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9b0c8a5ce363f1402670ea9cce627488

SHA1
cfe3d64f593fb2bd34b784dfa629498d1cd22a9a

SHA256
c3d7529dc1d379a54e657c6175e478fe795fe9b9cb13ea7a9d5c73bb5da8d5e2

SHA512
bec48cec510791752fa5121c5556200a0acfafde2184a5d8348c03aabdf6a0730d4b8451a305897ed50cc17fa7ab637566195ea475571eacde2144e2313fe4a1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
b1656a1070650ae76c6c89276898d64f

SHA1
233ce4357115957f12460b1ae0cefea0a396fcf1

SHA256
fa7be88a5619bde40bf12e1069a7b58207c619dd49fe3e4d04b90d8b434dbc06

SHA512
3324ccec992ae06b73c10d29488f6881949155c226b91502db9bf7fb9bd7124f4d1916425b0241b3c33f7db05a65ee9ea635c078c7399420d37831c63202b724

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
3d74a83568974ccad42a29c51cc75391

SHA1
f93d070bf89c270f59d931cd4c160e2f304a3111

SHA256
43e7cc5600495cc18c5b98cf4a870f0e4ce5a218dd848a22ba262480e7148c23

SHA512
d1aba61a7eb44f3bbbfa032dcbfae68780b1cd5d52d35a5ff7a2acb5615e6d036a69946a5be525e0e57afe605cf53dcc1751c97b132adace5149f9711c1e8c57

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
6d4699b5f77ff6454de6d8efe95b13ce

SHA1
89d7065e23652e3340c9d4e863ae915d6ad96127

SHA256
1a0a56741e4a90818728c02ec60b92d13ce23e54692410253827fdee97416acb

SHA512
d76d967640957c87fee77a65713ca19cb7bdab625e0eb83953a8943f5f0ab316993636f18f8a1c2da4f2a61ebfd4683043173c71b209d7084ade1d908d0c33c0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
c9d705eb98cfcac78da2590529795816

SHA1
fde5fe21685bc42a5425d503ee4ef1d8989cbe45

SHA256
8482992605b23938095ba37af55010ff2d0c82b56f0dab8fb405641557fa8683

SHA512
375f62a03a8de63842d39976e01ab96d9fa9fd1cb20f1685ad2d7e11494cff881c7ba2627af5f50adacb6d96b868a7e361b2c10671ddf05029e41921d9cd0661

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
fda0b46771040ebedd6c5fa003e5227a

SHA1
cdcc4a84d6efb0e0c9d74a711c3c55f4e524818e

SHA256
b23472692c8f2e37a3f6e2bb2557b5a10129fbf2eb61f89e53c51a28519d8511

SHA512
4442fa7961e8688833a34358891cd3e5411323423bd55b89dcc3599b736f1b7be8c26ac862ae6680bfa1690d45c11798c9132ce84658ba95292722e468e95151

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c66092d1bbf6473fff511161f3314497

SHA1
793b8f4552b60a8ab895fcd7c5c59777041a8f63

SHA256
ba8d536042d1d556ba2c452dd9bb0287606c432b67c1a7d173a71e16e49d6c5a

SHA512
18165da27e1bdcf8a041bbe72a7827ea50dd03907bbfd1b443be5272c26150f6f1c814ef705ab398ba8fc65f52c5700ecc5fe9673304ff5fc2a85c14dc12a58c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4465f068edd2a7217bdfa6bc91d28c3b

SHA1
66035a1fb1ea15dacbae24a4221d1bf8e3ab7c80

SHA256
14cd2a2e76e2e72da1d0053ece25b76fb8dac8fcd3f67529c7ffb5772e50f012

SHA512
ff7f4e57d88a6d9aa962f810ea9175b88353c4c2473246ce1bd8442bc96982ed45fec76b3cb0337a2ce3ba15d1dde080dd8bfb1f8b9252cfe2cbf25ac9585a42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
b7aeff1281d7d0a91fa17c3e00b2fb5d

SHA1
fd14d9f4960e5a467e7f9671681f0f7fa47affa4

SHA256
cd5ef711dba7ce2bd623090783b6155aff0b02e24f6ef28fb7d9b47b2acb3b91

SHA512
3581177cc80077c558f72f22c00c05325a17e7239e0e4ee1d11e9a031971e2ccd26feab5bd1fabbde9086edd91ca849320886e21ab04531e9c504c3ae175ca5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
0065713195a724292bc604084225dda8

SHA1
705e068dc74f693d8342e35e1f74a7a55a67aaf3

SHA256
b8f4904bedb6503c229f0a00988852680c14451984d7724315b14495ec83da0c

SHA512
ac7cfae8d84d06834d680e5f66314cc0e24a0a37990a20afb6489ae1c99271b3618cd03d2057db47bc90d65e06aa235d3c71fe2b5cacec5c1fa867549892f111

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
149c6f1b2a198856748cc966b6d1b8bb

SHA1
9b54e7766e3bdaa1aec517c08cecdd0e0298fb0b

SHA256
7264d0cc1112ea64a5170cb1190636688a7d6e1e0c3d22b7c5ae6c7230a3f4ca

SHA512
fd137bef224dad65af7f48b0fa52486bdc95a70efc0514917ededb0c1c99cdb433d3c2852658e91a5b74dcfc8c61ca062f8fd98c44603270280656327fc8cc39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0328b213a3bd8ce957472a810da282dc

SHA1
b53f6ad3008f703273a8f80e0956fa6b97c4387a

SHA256
1dd535a1450ac1a7a17e7ed050d021e360ede8ce9d348a31626f5bbf0eda5c46

SHA512
0b0872863cda65914afcf785106a1348fa2726e5b6cdc60ba60df79dece8e394b7697f09e5712eaa324b96c86cba2415f43d551112da7ee0db1a7af455c756f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
80d44f48e35669f04a3ecac52c41088c

SHA1
8809e9a79e6978fe5c2fce48e18ba6a3276c665c

SHA256
2efe1fefe046b968033078cfb28d09171529600acb97154e88d8b5255b982c1c

SHA512
678d7ce1ec9d5792cf77e0e753c544d27749c6b0d57d072a3a82f9465b08d29b627c6a5dedbd7ed29d2b32d2064dd90dd6f0e049dca3cfc8c352e5eb4da520bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8c41120a5b1a5f64ffe070c16ed426dc

SHA1
b8bf83f1a0cbaebd40c81aede9866405ef24213e

SHA256
e183b4aac01a74ac838966720a895eb0ea81a74051ab89ab27509283f7b3600a

SHA512
a3d2bd994b3103a85c4bf34da185b8210f2f1faead8f61a00da74b2a2dea30ce8de449c8a940e61aac5de06170e1de6d0390384229b0ce0e112df5b892de2bc3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
d6a5b289166044405cf636a802cfe517

SHA1
bb3bb48fb7034c8b58242f617dd1ad73cabc7c84

SHA256
ae139171cd846088167760ba30bea7c8a813b388aa3641f7ac2b61c0719724a2

SHA512
05e23b8934018e64004a28c78f13c217b1eec0e5c11939d12d1a8e9243fcdf6ee0a71ff6addd731df68a4bf966b4de89d42c34299f0b15027ad1fc65c67af175

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
c3f009cdd8c7823f97b8d2c55f42c7aa

SHA1
fe1e8565cf9da7eba681e26dc3bf00996e674323

SHA256
fbe30e0a5d5e5160984bed39064fa42889094e2543b68c0efba8192fe38a2d09

SHA512
a6e7012e7645b4a3ba61d532b4bead1e986ace3fb2814761288ca8de3bca072166a1b226dd7aa004780e43eeb6eaf1d17d0915d5a335529e0bd0e8c1de0c57b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
250aa9678ce81931cfeac7cf97cc1c1f

SHA1
8f42dc1075b18257a7663ae3d789eff7f63ca1cd

SHA256
9fc88efadbb5c7bcf35126b88733bf026dde84cdf67a77c4a83561867079de4d

SHA512
e1450f3b12182cde56be7a11428f69b7d46055ae6d8e223aa795ea7d65cd32bbf4ee926b2b72cc83e2b0b78a1b1a73f33c425b19b056c5a73508db1675980fb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
22b6be161d04948a86d3a25d4a45ef08

SHA1
5775486d625f8ebff7dbc43abaea95f411db835b

SHA256
8ccbaa8ed0a1120874d7fe6d93a22d410fdd766b61d0e90832d3972f1bc8f083

SHA512
9108ad7a8c656e33e6dce41a64f96feca87a95e21df16ac3a3d3037291934e468a94b41c493b5b06e8c3ae0e6db6419f261662cceddd0777b41197108f2f0651

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
a072cee2d43034f6eb00c846e06d392a

SHA1
2ce21a8d3ad5b973a3b88ab63826d80cf82d86ba

SHA256
3538ca04bb6dd7509b441d88601dce54892dcd1eff6105f5a67cae235027d871

SHA512
b92ab1661249cacaab156eb2930a6b88823f152e29a69b1596c6eec0947619632dd2d2ce8f511df5ce94d0f86bee46493f7a2e908d46acebe253f7e2f09293b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c95d98f58f6528fb30c4c962f3672123

SHA1
b2dce61aa675c04ab6abea0df33b819583c08a20

SHA256
7623c5a0b1efa6c7369e29627c817a1157d20f2b67f5c09d1c92aaa660596ccf

SHA512
26ac3aae928388f4d8b86a06850815ce507cb2a66853adae1fd5f37a6f32e0ee7e2804f7766c0d14ced60209c3998f6716aee8c84a709be96f11f75d8a1e996a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c23ef4b9f561b3899980e9bcb3853547

SHA1
e34f0ed9083bc6c9e499b8465595cc4ab2589440

SHA256
857466e18cdc9aded9df336870c6c3edc41e2756e905cc93f6fe688d2f70945c

SHA512
d92cc4a4a28cda4f791042ae8fcef03459122828783ba1c3a7aaee23f086c436da7f37912eb8f2efc6a9af1019916d577a06e9b3f04b24122c524e923f4b448c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
0ff3b71c6d3b40408a0dfd0b62ceb3eb

SHA1
5d4f9203697fd7989d7b5f317bab1a680354b148

SHA256
828fe71764139aa41cd383a22a3590d2d9f27ade7fa9531535c24a928d7098d5

SHA512
36e14b3bcf5a9fe04f684acabd10e74e9b5d677592113ee2e96cf0f2d671e0095b4c04942811253c1ccb2683941bee0e971a22e368fd3483ace5abd85b75e89e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
90ff0c7c5f8c94c8e92b84e39a8b258f

SHA1
d1f7ab3bb4cbffdb241985ddbd2dd8a96e0f8448

SHA256
8ba3a3ac88ec48da40c13b62f74ef8160de62213f05523bd556673da8967a10b

SHA512
55aaf24f503c0a45d96398744035e52636cef9255e186ae3d35dfa88b2f6237e36d846a24b6c8665184f161d1c4994bc06f0e25b1beadc01c53f949be73856d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
f69be012b2b34e63e5b3f8293211bd90

SHA1
8c7162536c3cf9dac5f1ab6b539fdf867af4dabd

SHA256
7598991e437260147cc970809dc43e70221fe4eb80f94502a40c7bd2105a13af

SHA512
57e81de2cb41ab14259213f180804da6175dc4e51c26e2e9064723a3a971649243f21da84c0e485ef62cba05f8384036a6d12e777295146c9621e1c437c5a35f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
6b74e79505141ca86deb6486f65254aa

SHA1
997373ca7bea156f2b09c06bb6bc2afe0b60e4e1

SHA256
b7f3b324f0ae4456fe79bf7c62120e3bc05386573003e21d5cc5b9e9de16069a

SHA512
b0b05d17231986963369ff2e8163ded48ebc18ff972286f8ce87fe90a7bd461774298b7e7abab8a1b33d20f30f5138198983eb867ebb1cc36afc4d95eca82aa5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
778808358e4ae2fca36ae5373ff92473

SHA1
de80963b01737009d7abd3552aeb273df9246628

SHA256
7ac26488e876aba1052a26e95fc015ccc300d758e6d6c697127c0c319729f78c

SHA512
41153675a3e96c7bf6670995fc7c6737db9f2554ab90b19e6f107fc07f1a03b9f4101546f5c97e2a51f8ea490ff569587a0162d1124ce23a6ca644a4af67a9a3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cf0a02d80f66034ef471ec8891fb81fc

SHA1
0e7f1e9beb7eac58dd110bccb35921f807630171

SHA256
bf129966d2fc3a80f565964c41856be0547b8a8fe6ca02e32d94ac2f374e2a1b

SHA512
d0b9ce5f333cbb58585f4aae694f3b47b3e671e0433e963ec80d2aadaddf90f864d32f724527f5219cfdcff5b064b809b23ef7cc0be19a70392e7772b822acf3

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
fe0f362b10150f16671430ae340046a5

SHA1
79ef0a541e936a5d4859803884bdf50758ed1379

SHA256
7691bd20710d0eb227519266c8edc80df8ca48cbd3ad8e426d19664e18716351

SHA512
ee21fa11a94d1c7ba97bc3a3ed32caa84da2a38342705f9dd19f590a31049ab6b0cf1adc4e1e3d7e0e547f9170a3b10ca2ff82cd6c904737cae5da55c263575b

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
579f93bb989ba4c6224176b014f3ca61

SHA1
9a26458f1ac81b3a549fcfcdc1ef4f9a95333db8

SHA256
be0ab6b1756db13479b2493dadbfb4583fdccf2c161a082f14c95a774cd60ac3

SHA512
c42364fc983b57f4e4cf46bfbcf6e421b635389f2ad3d8fe12632a592b4d2f20156509beab5b18cc3df1ed1f5cdad4cab98f66ee99a2882128958ea5acc6c15c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
67afeab1596efe13102491cd6608068d

SHA1
d3b2653734ae0d3a4a3ff102b05f8b7763dbaf75

SHA256
6b123c36a8177bb73209eb1b12ee6828ba81c990d6cb739122c70c29bec2ec96

SHA512
d12eb86dc1f6b5f5550105a795a554ab1db9d4b3a3fba930f7371d4a5cfbec0bd1e3d5be3dbaf06da6dce7555e82728f092964ab3b5f5be6c580421d483c5587

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
37fc6f518a741f3ec6dfe69fd3bd0817

SHA1
c8565e72924c6a255d1061d02b7958bb4f41c35f

SHA256
ee56244eefd673d080357a01c26021740cd2194f96536de7788c274d88cd54e1

SHA512
b34dab6acdbb88c426be63c1b1cf4f092b4b6f4b1627fe80581bbb6c7f543171d262fe7d70de829250f48c153309e40f97d93a5a8528c461821a758ea0a22576

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
f5bd256fa3fa7498f9e9c8a5fabfa925

SHA1
09bdb0007b58f304b3cf12e1e16e4e6003556cb1

SHA256
56f1d6799cc6685d10111d75fb43d6431af1b5b4b40df571488fd884727bef8f

SHA512
ddb0e2e3601d7d1cb788702a52799986de9f315022642c211985b5ff430cd27a705cd63b0ecc46a3ea925d916ab0a19e2142a5c31e35cfc392a4430a86f6a2bd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d82e54746319f77d11cad736e540fd9c

SHA1
d03905560e925f5e298fb34ae5427aa22420653d

SHA256
2164154f8466b69a6cf5797a848b36b6d48841f334eb39e818009aa11d578454

SHA512
d0a684f125c22b3a936a2ce35dc0987e6a660594ff54c45a7465d114d1ca98a80e4a634aa80856e79f357ee3cb0414dbbc4c524a1c972cee1a523186b1456c03

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
212328b229c0a5f1c5f910ea47fda2aa

SHA1
54ad08edf29add40d989705bda7591609d0ec478

SHA256
5a8c886530ecab1b4617d6bc9dd4ff1f1e661a142d5b8e1424b35f4eb2b7bdd0

SHA512
1827fdab463a448b0ac0f2cf3ed95ba1a7843e3eddb4185d3ae959d64c6e5959ff5734d5806910cf17f14ea868830df7f64092d92996ac5212bb76c4c1d0e9f0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
402ebd50873a413876a042c2c7b25e57

SHA1
7ed6694ccd52bb2bdabbbfc7d102f07c1ac66ba5

SHA256
0a0a1a686f285e78b33a1a90de53af908690ccc96abaa886eaf1652ca44a2e6d

SHA512
1733f511d43f11b1ab7b25ca31d5df1be2fb65b4d228434b332b5a243a923626007aded0dcd707d177b786fbefb17f84ed99c63be63723e47df83b181425dc87

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
829b5f949efe299238be25a2619a342b

SHA1
2b5484a36fa9b60aa0c4431a6989ce268f0fc9d3

SHA256
d1f875c3c0a807639415c9712e79079a5e00324502de46486bfee692d95b23ec

SHA512
8b460046b994f5dbb54c46b1a2d338a3ba21a88a81c58d93260850e9ac6c50325c6ef934940dcc8fc0329566c6ea7a275ad528a6fc62d7793d3fa44193664108

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
79c17ed53b35b17df131fd758f0018bd

SHA1
a642a1584abdfe6ae68173e5fcdfbf39a5081278

SHA256
3005dc612470528f533689383a5f38b6e8aa7b340d637e561683bfbdeed72b52

SHA512
37304307935c5ecde69c3bff4ad7b1bf02dd4b9ded046100492ff425e741039b1646bc121ef68e02641775b453c85f0f080fecdf5a91781348fab564b0ae89a4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
bf23a6679a02819965d57f909c3da7fa

SHA1
0dede2fa23f3c424c192df42845371d97fc14614

SHA256
c8ea574d503762730ff6b8f34cb0fd960d3212ef95519bce4d034428ba39e636

SHA512
c9b4694a09466b4cf2aa07488bd6ff915d569816621a3ae719cc223f9008759c883b46fb46a08ace647094957e26b450ac97c4df2d45225ea762b252794b47b3

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
8b51c1f42a1343775cf30b540853045d

SHA1
c349317ca1955860f0b7adfb61ae28be7799bdc2

SHA256
ca1b5cbbd35fee64e66a7b37e152cbcdfd988da2adf270b4ccdf068a5d69dfca

SHA512
a0b73f26a71bfe1665b5dd9af6e6c496419afa8b06f0ada636e47ab188a8f3dc2562962a5023fd0c1831219abe52f86fc377df15be66ab09bf974238ed45ba3f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
70e0e71aa2da38c5729e511db2e61590

SHA1
1983f78f896a50c4a3de8d0e17683503636c3e6c

SHA256
95d31933fd9584d2e4d648c58d6a7542a656b3e8d63997de459ed9db00e15f0b

SHA512
0f98bb84ad1ad45c0b1a8764e6e7399c2bc65a9b549eaf6c82429adcec3644308c655c861178843eb6cda347b93edeb1e50899d452529914c0071fe785b2339c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b6c60b1d41aa59790695d64162513adf

SHA1
cf997d90c07be6935d8b3f264b6ae1028b410636

SHA256
41ca8f8609484ce67f49c60e60b66614bd5269bce75c74d18533ef4c1ee716b0

SHA512
b1dc8fac9806c00219ae90f76de94df07769bc75e1bcb0f57f1584e3406851b978f02903631835b0a26b71343e680b0d6d8058b4abd79e2da53b340aef6a1b5e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3ec37cf666010571bb19fabe026be2c7

SHA1
9320b52626b0f06e0b4de38381add792fceb1b2e

SHA256
e817162429a3cd7386759e92266d14afd7cb4e596936ec7bffb21b2a6db4f841

SHA512
b4c71c075deac96a6a47566e25af579ae57d43d954caa7f8e8ee21ffb4d25388f0ea1cfc74d097ec2c8774ec6de03b5c3517823ef015e480f11f89fabc3e8feb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
dd778ba9d2e24bc9fb7d4a5bce1ccc76

SHA1
904452a5013b35e17d8c0dd8926369c9ebca3649

SHA256
a2dad92807792f0afb6745b607a27b71de3f6514b95947a7af68b61ed8efc002

SHA512
7bc7de7aa97c850d99feb8d934ad89b64ac67e0ba5e3912d8fffc33cc9305a3b3ebe4ec2506f02a6def4daf4968d90198f5495dc8b5c797c85e4d3f4f9ef8ec4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a047a2aab924d5e1efc259382184fffb

SHA1
43b4977939f7062668e26601d7fa365997264f6e

SHA256
e936866003146bfc0b5014659c52c0a238b4f9007a1089bf8d34c11a59eb226d

SHA512
86ac1824c7eae6a595738e6cf4f9fcaeb05179ccd1f66b8249ebd453b0258d9a6da89669e4a026911240fae3b3cd88052e6437ead9ee640cb7d8966a88a50102

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
119b22397b8879561b92129dfe43759a

SHA1
fb72cf9126222336880b6da9536e1111876fe96f

SHA256
8a3fbb99aed5230d3cf24f555d7bbc6a4fe1c3f29d204dd3dd0499bdbc8e6c92

SHA512
a658ab2c37f3bf5c31d41c168eed0c6651b9ec059e9036d3d72d70b8a3dfd9edc752ea0aebf157b2993dcadb8764cb31ae1c12a7f1014f12477ccf3e22af5e7c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
2189064eb84c838847adf5fe3288d6bb

SHA1
e499e3d504cd1d006f79e2de041f27e0f6baf07d

SHA256
66ecd96352a2f46612ea7c21c2ae4b8518f05e06cbf161bfeb89b71f8648ecf9

SHA512
496467fa36188bc367523a5cae8162099b5abbf14b399998ff114789339da69ef909e9e7de0a5e857f6c9a08b78a6f0e628510db74880301a2c2f1f388e96e19

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
480b162ec58e5e3b2b46721c71ac0cf8

SHA1
4bad62d04648c07dbd25279ada96362424713eb4

SHA256
0bbcdbf0661a696307ebb988d4862c375d071ec430e1de1c5c7e42707c256ea2

SHA512
fca061aa6b20f13a9e82d5dee27c2b49eb205cafe24ea3cfe28061c45ff308c06df4a80f98f50d48272407882c48cd2b0787d7105506bdb08f76ba3c3d71c54f

Download Submit
memory/660-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/660-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/660-612-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/964-199-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/964-474-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1432-249-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1432-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1572-613-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1572-262-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1696-187-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1696-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1696-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1696-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1852-140-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1852-261-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2300-20-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2300-13-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2300-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2300-109-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2300-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2404-431-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2404-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2584-238-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2584-528-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2752-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2752-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2752-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2752-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2800-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2800-495-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3096-237-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3096-115-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3736-361-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3736-163-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3948-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3948-225-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3960-92-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/3960-91-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3960-210-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4528-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4528-211-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4568-57-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4568-180-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4568-50-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4568-56-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4756-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4756-283-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4848-89-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4848-77-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4848-87-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4848-76-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4848-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4860-452-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4860-188-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4940-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4940-59-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4940-47-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4940-39-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/4940-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5024-250-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5024-609-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5048-75-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/5048-0-0x0000000000400000-0x00000000005C6000-memory.dmp

Filesize
1.8MB

Download
memory/5048-8-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/5048-2-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download