0278fef86b92f909d1f4f97895a4b7378ea5d3b9791242e85ac6172903f388bd

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ecb61e348178502a91baa00da851180N.exe
Size

1.2MB
MD5

7ecb61e348178502a91baa00da851180
SHA1

c3993a394e2d581dc5b6f3638e4312590ee4f268
SHA256

0278fef86b92f909d1f4f97895a4b7378ea5d3b9791242e85ac6172903f388bd
SHA512

52d0c89f8469272c5d33b0fbfdce0875b50c040fde4fe4ca1b7e662cf26f5b85df96fd788e387070de887bbdb821256bd81809ab0a90841be299ea26fc217258
SSDEEP

12288:AurYlc+pFByStv9JRa//inz86NRo1qiRlUWC4kXzVC3:Au2c+pFB5z+//ufNRoZW

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2744	alg.exe
3516	DiagnosticsHub.StandardCollector.Service.exe
1904	fxssvc.exe
1320	elevation_service.exe
4072	elevation_service.exe
2116	maintenanceservice.exe
400	msdtc.exe
1948	OSE.EXE
3736	PerceptionSimulationService.exe
3012	perfhost.exe
624	locator.exe
4752	SensorDataService.exe
1600	snmptrap.exe
2632	spectrum.exe
4612	ssh-agent.exe
4064	TieringEngineService.exe
1756	AgentService.exe
3064	vds.exe
3984	vssvc.exe
5040	wbengine.exe
2560	WmiApSrv.exe
4048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\System32\alg.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\System32\vds.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f6ece8caa29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	7ecb61e348178502a91baa00da851180N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D9F0045F-21F2-4700-8EFC-E6B49ABA2A8A}\chrome_installer.exe	7ecb61e348178502a91baa00da851180N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	7ecb61e348178502a91baa00da851180N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ecb61e348178502a91baa00da851180N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019c468c5a3f0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084a14dbea3f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000183f02c5a3f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfdec1c4a3f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b733bbda3f0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ca3e5c4a3f0da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe
1936	7ecb61e348178502a91baa00da851180N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1936	7ecb61e348178502a91baa00da851180N.exe
Token: SeAuditPrivilege	1904	fxssvc.exe
Token: SeRestorePrivilege	4064	TieringEngineService.exe
Token: SeManageVolumePrivilege	4064	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1756	AgentService.exe
Token: SeBackupPrivilege	3984	vssvc.exe
Token: SeRestorePrivilege	3984	vssvc.exe
Token: SeAuditPrivilege	3984	vssvc.exe
Token: SeBackupPrivilege	5040	wbengine.exe
Token: SeRestorePrivilege	5040	wbengine.exe
Token: SeSecurityPrivilege	5040	wbengine.exe
Token: 33	4048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4048	SearchIndexer.exe
Token: SeDebugPrivilege	1936	7ecb61e348178502a91baa00da851180N.exe
Token: SeDebugPrivilege	1936	7ecb61e348178502a91baa00da851180N.exe
Token: SeDebugPrivilege	1936	7ecb61e348178502a91baa00da851180N.exe
Token: SeDebugPrivilege	1936	7ecb61e348178502a91baa00da851180N.exe
Token: SeDebugPrivilege	1936	7ecb61e348178502a91baa00da851180N.exe
Token: SeDebugPrivilege	2744	alg.exe
Token: SeDebugPrivilege	2744	alg.exe
Token: SeDebugPrivilege	2744	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 544	4048	SearchIndexer.exe	119
PID 4048 wrote to memory of 544	4048	SearchIndexer.exe	119
PID 4048 wrote to memory of 3436	4048	SearchIndexer.exe	120
PID 4048 wrote to memory of 3436	4048	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\7ecb61e348178502a91baa00da851180N.exe
"C:\Users\Admin\AppData\Local\Temp\7ecb61e348178502a91baa00da851180N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:3516

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2328

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4072

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:400

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1948

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3012

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4752

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1600

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2632

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:768

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3064

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3984

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2560

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:544
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b2cb31f88d65330c8b54f8905232eb70

SHA1
960e99714f3511f20c10ed6501420e917f361319

SHA256
57dcabb71b6964ffbd7ce1e9cefeebc28ffee695ba3a09ebf1a838775fb195fd

SHA512
3ac3fab0706f8416aa436db54b4af60d86c7c74b23916192bd85c5adc6ed5692474f4e472344a9b360d9df3faee67f012d4bd79beb83aed960382cda3aaae081

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
5e9966d84239503504127ef26f9749e1

SHA1
bf1296b33142ed896f79e317687d41dd6010f40a

SHA256
a87e09e1dc98631ed15ea4f0716f007be7cf12cec9211f8f5ce0869ffaa56610

SHA512
32eea2bb88fd659da5e13e00a4646565f2242e91259a6427506e9ae39cf1647d987a7885af20c6e244b60d17d85dfd3574478e4a6232ed7200f28924402fa00c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
d47eecf0438055d4f999446b002565ef

SHA1
2ce098740b4e09f6619bf506c19195835805598b

SHA256
ef6f4c6671aba89ee078d026b24679ae9496742bbb28c906bc16ef7787d0a622

SHA512
61e68c61bb7af67e6d32633007e12b1bbc11dc0667a29be6dcef3d4e8b5ea344970348fedd8c5df7bd6eaf629a3bcf9c6c6737d34247cb2beb36586636c7ad1d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
20f4b8923aaccb3b9060e28256f2062c

SHA1
a9fda6a93d8ac18382dcc3fd1d1e0f2f37135b5e

SHA256
c66a62898147509c81c1851d177752e99753d6fe2d37012739170a892e4f9bc1

SHA512
15e0a4ff11810afdd40c5d9b0313a094dc276af61f0c6e69c1ef727b44531de52f739cbf377a4b63c4247b266dec14781e3395ca104a9cf5a4a00a0db747033e

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
4d88ff506ede9764fa7beb71c01489a4

SHA1
705d13936cd3076321bee73fffd04fa36d65c84f

SHA256
6708e5ce5deda382f55b5d395bc247a68bda58d27ba723ea33a7b048d2343824

SHA512
537dd390b31552796bd0bb2f3d817ea46435b3597deaed286cb7e78b7e200f06cf1f580ae3849d093695560fee4508faac616e89f726f9f6f788a28e1555b527

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
5b69878bab88163cc5963250d68253f4

SHA1
2253c6cdbe96883294871e4137c35a0b03d8828f

SHA256
d0f5f918540639073fcc89718d44f4a8e89f5e043e7f66347ebb69e57e327d40

SHA512
5e57892ee3d20fbb989bb9c3b70b99bb97143fb53fdd96d89912cb19e2b8cf9c6d12e98c1c533944ad806e929b550e393981d627e20a8c397027367ad1e9d01f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ee62616483604e9339fdd627c72f0373

SHA1
1bbff803c6dd6b85f47579b49329cfdb3d037926

SHA256
b114f38707cc6bb2804e2cf504535d80653133f3eb45d7db434cf4e7d47bbb5b

SHA512
f337a2915c532b6f097e331bc2219e5fca9eba46f786a5ac5ac5a6fe39c8c23f9882aee1cf0897dbb3754449b8bb7779e757847ec8756202651f1b6672d76be9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
213bfffdda0f5bca98b708a02ba1bbed

SHA1
100e7f50a87910b853d3596849da919e12d799fa

SHA256
2ff9f7bb155ed825f0b9a7ea79ef4b3805d8e3fdee48265695bd734984a2f115

SHA512
6780de253e9a3b40a296d44c98516153485e35fc779d7d4ad2839433098be2ca82c0686cdebfe138aa78c757428b889a2e28cf4e2d1c34c89f2c32edf7b7ce39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
b5b1fa9e1f28f3f335697b324c3ef3b1

SHA1
db73c339f3bae9b499c32b6c6de79570f50d0aba

SHA256
7949643e996d45e604eed7ba9dbc71b9efe5c768a23265c83794b49413c6e5f0

SHA512
2a87d3aa6aa083a2a101e63a091495f954fef3d62c93d5c2a18630357132576a565575a771c139170c8f9287a458170aa61b2dea586bbe09da7a0a371705cc52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
dbf687b43652ee2c821c3b97b0e86510

SHA1
686d516eb5f5af4b7d728c8a28ee317eadfddd84

SHA256
2032125087658362edfd2b39d48d39369c4b3e7f2d982d30394310033179b6a1

SHA512
c639cf2428dd14964f5f9d1a5d104a10d820e4cc54734b0fe49e9a8c265304900706d40a55aacb43d777c8a4e27ff635ff76eb7a47f033b557669d8c1426b065

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
39a6a78e48734493188d385eb186e0e7

SHA1
66a1c01b93debc0d6db209cbc7b57b574a0bf401

SHA256
bd86035922dc186b038510a799403929d1a2d53a436cfe550ac1945d3a191ea4

SHA512
4a8f80405ed99cc003309eee93f3129b74cfd11e87a89b5f477ab0cd902f765c6923e07aa738e56ffb5f00a15fac7f99dfc117513bd2ce637e01f396bedbf2ac

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
04d64c8df792259900bb3c266e3ffeb7

SHA1
91cab47aa43ec555e0c7253fed686066505f270d

SHA256
c357f32caf8da3b4973a759eb803f3f1c6d18d8768099e46aaa6fc963a682635

SHA512
3af20c99a790d54d59a0d3000dd2b89d3ccd8cd881b4eb9d2b1d552331740bae198c69f67e3372290e8bcedcaaa9ffe42906706f40c1b6fb8f4ddcb8f8b91039

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
113389729d7dcc8353e338c6fe62a015

SHA1
d832c8c9dc13b90ada3af0b64cd4579edc6086fd

SHA256
c3d11b90d2847cb28ed85895bd99510ce891e4bd537e36ac3e75e7ebe16dd7d5

SHA512
37dd0fb53e8c9b302b66f67e7a78daa4e8624f60de463cb434119930afeceb0a44e3103abd4202b98659a46a0380c18a9ef0624bea19a97126a445d41964c5ae

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
427bfee26df38fc475da73158fb4357f

SHA1
52d607e6d3e572bf226a943edb06040ba2a4b5cd

SHA256
69c0ecc6ce7eefb96d2921b03af8ca2e48e033954df5bcd3dc48441336198ce9

SHA512
de4c77304286e117da57be2bc3b65c8e70952fb67cd553d747c6932c0523b08d62d5d2aa3c87fbe82ef8013cd816516d87530b2740974b096511d9a10daa8a4d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fcc1834fdaf360eb14ac3b886d05cab4

SHA1
108aa31faa796ff83670cbcc3c4acac7f1d745ca

SHA256
434ebaca0e65a6e4c9a72c6ba57151cf85759018bf69d542c0dd01d2c286aa70

SHA512
e56fe182428d66d0e965e071cb36f6bb8f835e0a9f6517eadc458af757a4c3621d51618bcfe59621989f569cf94f5ae25a9a733e49891824258b27c7a0bea7a9

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
7a5ab6fd954d058a9138a473120bdbd8

SHA1
ed029a6e12d2835f3d5f4741465882b5ac7804c7

SHA256
5a9a8e89fe1d2ba61f52a577fe76e038dde34119e32401d5fba5b24cb86b18b7

SHA512
a21d1862966d02fbb44bbff265d0d650136b73d59d75e8a9ca0a18eb323653db2804d7a9294063dd81fb1cf4c24727909f9a858d9913175ba9da44ca0840d3e7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
be17399bf7a86dc9ed76da021bf068e9

SHA1
27278bffb1e7b6279c20c0a8d9c92ca827eefc58

SHA256
157e8ba00e1770006d2bd1ba22d48745d47baadbba8d0389a31bbe2119aa0ccc

SHA512
f543027ddda038f96d3b94a7b753d9f19bad18587b2d990eabec83863467e5b8b249a455d70d3a7867355892f614661c79f3829e1e094cd1c09dd691b68f3bb7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
abcf883cd19d8b1556cad6508c16aec6

SHA1
3787e697c13075f0e988b49112c7f888338dceee

SHA256
bceff62c12144a6335ce96bfb3167e46b3dbd31288cbbfbc4869110973bcc556

SHA512
235a5cfd0810098caa23041f73c653ff17269127904ee8838118d5e190780adb81f3cb8532f5dd1fc0fe89d5589b209df0df072d8d541b5a1d955286b6cb73b2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
56388ce2a22bbd03358fc15ca74a4062

SHA1
0501c0c75ee896c590dd4dc5ea4e73bc6e1849c6

SHA256
2fea7f73e1db38834f1febee495dd871196cb2a16ba521acabe79782c3b91dce

SHA512
4007e676a37bb7d69608ce05885984118f9e57a4215a4c3692fa72df0db08797d94ec95dd3c9016aef5678259d753a51ad173c8f1609407ca19f29d0ed0648ad

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
2740b27e0438c854cdfaa703bd059200

SHA1
097f87e39cb9d3033cd5d5bcd9090bb5e618c8e3

SHA256
e001c47dd562d00529804836df4d0eddc6a5d9ac57c4fa373df9227a04a16e51

SHA512
2ad9c896e8261cf60a4a5a6a90e1430062c7b97dab0d079e949f46d98808ba1d2b8c4cd83dc93a6f622ab5bb4b1b48d7661af133f4e0a1065a4f1bd615981cb8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
7b071f2ef02a11c39c6836e91eba7788

SHA1
ebda94566553d61588a4ec80031b45236d4cfceb

SHA256
e9a9b8db94ce3f7eaa72d6747b22eb609e2f97403796555ef582fdbf646dfe2c

SHA512
21e9ca2cea44615835109a5c70ae915618e2aadc755e4442377304c892ab2d4961461f54314e0b3061c11d54203377edb5ec8631e7175dbbcfe5dabe3d65b19c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9cb5f84a3d49e8d729440d9fd14ed64a

SHA1
8f5e9d988203612df57bf7e7ececbbfca1fd5e15

SHA256
a092f6c38bf7d477ad51d2fd1ff48d0ee1cd3541ea30afa7cb677ebfdbc31516

SHA512
6cab44c734ef2891bad18c8d66e323324661536db1115de6a01d3d5a9ec22afe9bb689749ff620d4102c4047904910014776548a21864f67d6a7e8e340a851b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c4127cb6d43b0dc1998b7303b754184b

SHA1
22b73b43664d21c6bd7e2f1adf3e66a0b1c0dcf5

SHA256
cf5d25c4d2dc383b1a9e28ba23bfb41bf7f5363803b2dbd643a5fba112deead9

SHA512
71776a037ce5997654046d80a13edc49d55b843e3a59c5e9fcd38d7d0332c70b685780dff8a88d0495019feed509604fee5dc70673f18f242f04e13c8fdee41c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
2ce3509e4ad3d7aa1e1940845e91adc4

SHA1
78ac14ee2d24522746001a8d3e5a4a43d0d13104

SHA256
a66f165a79972b13b293a40fb8683f9fb18c811d99ede85dddb45522e27ae4b9

SHA512
4e1b6ee89bcc0b63cc3c8b27046acb59647a4223054127d714c28520c4a7ce1edd15eebab126318eb49499c7fb46e11ee112cb1b04f18c6f9358c96fa752a378

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
771f1ce55abb8b988fbc4d4b32e8a7d8

SHA1
56c9112f95a6224c7fbf3d50e4eb4d4d5668efcc

SHA256
07aca1777d7d2cce456445f58036b287c2aca6b3cd99fbeb0741f0dcfe42a97a

SHA512
8689a0abbcac8189e8d69a6da79382d139061a0f230ca2e967b23d7396da8710817aa091537a7855866de4193bee445ba70c8b1455e8674f862a1a5b6724a0ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
66b35b28144069d7553989297fdbfaa4

SHA1
986c82f012283e9c40e5de007e8bce75a2a24d49

SHA256
d4cfdc2f6ffee9213b75a3ef7abcf830921b5cb6e0bad458becafea8b5faaa82

SHA512
61e63b58903ab9016bb9623e76c2f314f3528fce1e3c08c333c99450aa2ee3373090d6929005d0b35607aa83daf04a1d1427aef7019d92256659106872b360aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b8eef0b436731061e2d217c362f21314

SHA1
6436728a41a623e874435ca0786c2fb026f5126d

SHA256
de8dadff817b7e16c29673796f0942a3d88e8515436a6d0f504bfc2e39bdc1e9

SHA512
89a49c5ea0c1973ef82b3953ba698c5e6c2bd4ee3dc3b55dd9b9830729ce12ed949b7f01014322bd809552bc9a8d93b11f7889132f2fafbaba5e657fb226487d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
5e963245566d851eb77cd83577af2257

SHA1
1dfbd2edf2d8f1c5daf26d5dde14878beb4fab5e

SHA256
46c8f0c813a36107177c77a78c6b87216feb2c3f4ea1b570fb52a47345ddf2a2

SHA512
86bba10ef4ac8ef7424ac93afee70b05b5a11ada24e3077599876488ca850074255da3dcdbce28153d552853c1ff89ba5454350d99489fa2d3b6c74ff6ef4bb7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
b6304c6348ad07c745a534497038a6ee

SHA1
fe2827ba374fc93b2f291dec48c43d3772be7bde

SHA256
bb1cef292704abcccc2f247cfcc8b2868a649a4bf9cd16fc772f650a6a603c33

SHA512
b3221dd7cfd2f3a1b77996d900a74982dcd000cb2b7141ba9034be7350fd088b08586288b31ea6a8cde36079c3806012d2701a9018e6b65f7a37164c17c907cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
cd90869ffc871afa43e6aae2408b29d7

SHA1
5bec0e1d477cc84df143c00c4f4879a611871249

SHA256
4ce6c66ad83e3f015f421583e0c7ee176b64da8bd6d87b4ec3000be24ed399de

SHA512
9f7ce4b223dad9cd026f73255f295c8ffa2cb3dc9298e9f82045f47168a087c2561492f6b4f370d1f711a7643b53de4795691459bf69fb203ed90742725cadbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
b11cb7a055092d71653143636f9dcd81

SHA1
9e1abb89f428b19fa98348d714edc360ea5b0afa

SHA256
bedbcaa46fc4f18328f791c83925bf5dd6153499c6477737732aaff551cdfee3

SHA512
2d1f00eaf583ce66530290802d15b26164940773646d67502b1655a4ab2dd8882fd4fa373a6bdcd1644ee63ddc8cb01292c05d0ab19b544d5e77545428f7b764

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
951b58f8edf5017b1b380e87bb6ee607

SHA1
fdd5e17dcec2624ec285dff25092414ce9e5a82e

SHA256
d2ef4f02052c456740166ee11df4443ecf1f593b30283e805ccc54b45ad4cb54

SHA512
44b06f22225f677b75ad1f8136bcc7333d93a1540baf48f6cc5c6afb211daeefbebf829cbf5cf526fc5e3600af0b1929fe0e977b0b56dc5c903a39f5bb0b9621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
8baf0f5043c23683535c3e7060ad99dd

SHA1
8f1ade32c94b34c3ba5823329ea20ca86b30d95b

SHA256
b047f2450b0ce9f8b345b90dcedcd11eec0b7e49ec19d2d49942e0338dfce645

SHA512
922b7a9a9dc709301ac2246e46284517a4d92e5bc95122f9a7184510972a2c6f848c79266e0f929103f99fb0cebc93f7e56302ef2a4389621dbfa8ed83af982b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
23a21e1ebcd3d2cc55ec791d64060f74

SHA1
2880ab05136752f53b635ef3007ec5bd094b4591

SHA256
b12fe6c695575492279e4774102e7cee37f00ff99bfe89affcf80ec83e108d7f

SHA512
fb9c7c72ec19120bd819e008a521ae14899b5a93e79e274853d1ccc381aff048d9d405d1f50ff2bda600bcb6c19584db04c992f7529dfcb8dea2d0a97baa4f37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
0871a81f1658863117f0341ae4f10eac

SHA1
f98d1ae35db797074fce92cf4ab2aa10b18ece5d

SHA256
a0adf4ca5ae10eec35dc412bafb01500a1c2f1b630b3f5de61813f7a6a148fbd

SHA512
565b8ec7abd907266bc0ac4438d0ffb9827985e7b0098e67b9c47468fa6bc55fbc54a4eea9bfa531592d152757fbd2a3e46f376d2f1a60837a7ff8afc7f9a7c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
212e5cf69ba793497a200866daf31ab5

SHA1
46934d9a5198656366502805d62fc9f6bc0308ef

SHA256
02ec439d71f5812f1c4c3d0698c75796dafa3a15d8a78a0314a2da7c7456d0b7

SHA512
4ef539e9250cb18e35a36871b6083cb1d7e22b99b3d2466f179186bb1c38ca54a8e58f5234f995504cfa70bcb8a70c772f2e56610243aabd8aadd037d997a1e0

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a324a19f779430ae07d3c3bb5aa7cf4a

SHA1
02efb8f1704f51e527dc4f269d3bc8c4503d3939

SHA256
efb813ff9b5e4e06d49f75edb3c1d92199781d623119ca269606f3df8e5c1a5e

SHA512
2dbee536697c42cc8b7b33b1809c0586f084bf74d88aeaaf383d9e2a4a0822476eee0913d6fc8265705c5241f2f334379290332140b19f3768c7428cbe7f69c7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
80a27f40eaa9b05744caaa491ee8bda8

SHA1
2472f7be6adf492f2fe4b3fc086193aaa36937aa

SHA256
3aa8b79e93ab82f6e1ef9835c376f8ee45c343ba80c7b5d62f9611f159fd63d4

SHA512
b048447031e0f31e5cd67c3650f54c84dbcffdfc0bd4b2587d350c3a971796f2d9da7675300adfd3a0bae48fa6e3283ba3febd9b2cfbfca5fb16eb64d62dc966

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
96772aa96f8f381ba72c9ba7ad0ba69f

SHA1
75c1e1a72ddf080f2487cde0e203a0ce581d7ea8

SHA256
2be59bfe4a1523a5147c18c61efc1f8667e031b9163cd7c37b0145769d53ad2f

SHA512
141d038ad85a71138afee05c47fb012f545daf6d73568127d9a39e6137d049018dcd046b8a26c1e44d93d1afe801cf0771be6efc15e6205297350dcfb96afffa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
86c1d34ab85e3d125ac27cb4a7d93d93

SHA1
1ddd314d66be4ba0caf25f65ca5987097ef2ae9a

SHA256
f8d1cf82fa8aac67b47ac9c4b260c0f3e566ea237e8e4f220d7200bd568ad0ef

SHA512
5f97d6bb7c071b77f8d50f0fcd6a4b3def1b0909caac35cb62fb162e69848ee0ab25d22f311476df9250ad1a853832bd7ed6e6a9a20221927378698ec262aa7c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c068d529f2716730dd66fa6c03ea9f89

SHA1
6fe5acc9fc8f21238f66306b7760b2d11f15556c

SHA256
858855cff7b698e542b45d423f6869133dadb6213a025260110078602da8fba5

SHA512
5317d39f0b4d8a66f85cfd44e1aa2401684293296812098e8f54376179ce1078f8fc27318f1bd417b3ab80874198fe88746eb767aa0bd661070e62fdab3ab913

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a9069b22258857aef6a2a3618adc916c

SHA1
6afa4f38b6df3951921ca762cb440e3c8399625f

SHA256
c32e0d169be7166e16bb2e610bda2ae1fad0754501cee1df6ecc0a5c4f74b984

SHA512
92ebff211839019068c6b6ed4e240b4b9819943607d445d4df700a596da4b803518625c9381e3cbbae05f795e23fdb45e61edbb3db2a2e963214c3b4cf0e0b46

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
478289a2aebadf7d1426061845606ffd

SHA1
80b8fc5c63ef6783e14972bee91785c8097e8557

SHA256
00ce8e2744a505c5c4fdcd23877d02d2723686ac736a2446c7214cd7f4e052a1

SHA512
96acde255d3777d5cea6a21892f19e460fd52be497c71aab4837b3cceca6a2e2e2d4a05b613e4963bd20ddb68f9e04052aa016d172d33c6d24e0f3aea8aeeff7

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b453959f40105d6e85d55ec5687e5c54

SHA1
0851dc60a349be14907f328b669250c3351794ac

SHA256
c644ced758672a80f4bdad315de2805bb9c7397a82f612d19c52b14217e0ac3e

SHA512
82db447903ddb30e2017d1b235364555f0187b50691fad7ca88be162d1831b7df02462d580569c04086dd9d0d94ddf7acf51ad17abeb26c45a0aad1ad5524b06

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b13311223a5715109d2bb6443c8c9b3d

SHA1
8c153a9b8748eed95d8bb396f5624d890e12e4e5

SHA256
2b59d69491f80b1e889f377b81b6fe175d7a682528e4c1bfb2716e024b7134b0

SHA512
0ccaa96205b110d20b45e6ccdd08d9d55b26e193b5536b2ac1d94ee01da1ce0e8c56d40800688b62fe6fad066c58111a14b35c296750caa956c85f9954a5928f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
68666d2dc7f4f7bd5639acdee245966f

SHA1
7d42659c2644b73492fa3e2843c72be9b61a9e09

SHA256
f56ed10ca757588194493144c4d80b2540ac9d231d652e358ee94fff5611131d

SHA512
3bd794625f14ba8ff196592ad3f2fce957343cf1a2f76bac486820c8146e8ac3be39c422c0333f6e443964570541b55e1343c96866b20485033863889d5f543b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6ac3f7284d41305fea8bd42aa73a3b28

SHA1
22883e442c73800d9738d6a7967631cec93b1d11

SHA256
3522c61218cbb837026e168c8a77645fcad9424ee6230b3cc0fc03369ae3b4df

SHA512
6ca8e3e57dabaefc38c0d1ff37ee08e1b5143fc81c68cfb8fa2fb051fbaa73a7c06ba7b363df68f1b9ab202a0d2598214a7a130b388f83c142c4f3f56916b5c4

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ce07de5390c04a02a12379ee614fc48b

SHA1
9c026f087f2dcceb792850d2b61bd61fd71f4cdf

SHA256
37a20d6843bf6efc0e47227a234f41167a782445c8a84bd1a97c06494bb9a491

SHA512
d78d56fd026f58b112e2b4bdeb5d2d4b794ebf11cc0c85769d68115c7ef8d37f55d564da4f8349e294215fdb1657d6f19b02bcdf55f2ed772a968b9ed0ed5d37

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
97cff9fc839a079950dd5fb4c291629a

SHA1
33e635f92eaee3411698a59d73562f9159deb1a6

SHA256
01acbd8722c5d82b47b21e48f5b4057de5cdb45d49ff49f90c0f626255566048

SHA512
4787194c77fbc2732503236f1d2d7ce90f11d171f8c18acd3c4531036f2c772cfd2889ef2fceef53fa28f06874e409c5c132c784d4e9c2e09c4b7340ddba1fac

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
df285ad0dfe0d04bfb3bfde144c5293e

SHA1
b3d87cb06825ae08082917cdfdd644bcc8355cfa

SHA256
3c041d8d54560fb8f4090a759ad05723ff0c8881d95be4a4aec48a361ee2e80a

SHA512
14ad6649bbfdc3c4a0398d74bc40583a7e90a05aadf3c494a52b9ed29b173fb5deaa512874d4a4e23c31db9f72c9eedc2c577ababe0ce408ac34be2a952c6a7d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
886dd52d14bcebc2d35190e4d9d4929d

SHA1
190ac6ce7d2bc6acc15c4b59e1fd5555f1abb20a

SHA256
196bffe7b26d5e24e92f9de83332941a4ac65d639a66a839a4107cea6989c35e

SHA512
ef9376d5006ffd6579f36e1930f9dee1b5dd01bb79edd8bc790d6ed1e279a42ace0df381109a79b55e00da0b0f10a468737695ec44ca544a3c5f8f7f0ab59efa

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
24ac600f0f773ca574c4b9cb7288e4d4

SHA1
046b7f8a0f90aba6fc6fc733ccab674606b05241

SHA256
f8540d815c0042e2fa6490c9d3475cf558a1cbfa89c3ad1fdaa78b27aae7f0df

SHA512
1bcd74ce01d201959c4da77bac0868df1c197b36f7249cc191e87549246dec5edd941868eaa489165089a1ef215370f41ae11449987a1ad1462b81a776684a63

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
852926af8664776eedd5f88908ec226d

SHA1
20ad575054ea450f62218891f401e95a5c325fbd

SHA256
41f498b2964fce231308634da551f7d1429846ee60336baf33289e4e178091fa

SHA512
c86fd5d00e835492f80e8c7e26ce304fd9972bb525555be21d8bdd05c24aac80e53f8d7e34781984a094b44cbf7fa33f03efe266bb36661596e87fcd155369d9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
21712e171e725a18c9679355d5658e12

SHA1
49b7ad0ebfc6a6a64d7da471ff542dffbbdcf820

SHA256
399b0b87b92f59fa982e2bf02c54c5af115d591eeb7e3c78835578a5c8821c88

SHA512
0acfe0e349f621ebe02fcc959a619c8df34eb083ff0f2c265dc23d2329b62a4490c94bf9f66c6912494ebdeae045c95d307e6cd6e5887b89a4cea230269b9bfa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
3eb25f408ea9232f122cbd5fb765acbf

SHA1
4c735410f4b6337f0ab175cb31431b536e8a4cad

SHA256
8b348143cc090dbf588d99a34f2fd7a5cdbef22a426abf43b65658c73affe3a9

SHA512
8b5cfa1e54b6acfbb4a3e49dd042892f90fd1e063809602294a8a05a457b311a01fe3d5345e7539afde626dc72128778fa7e765edc33b915d825a16dd8363a20

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
49e1a7b88517f638a631d92e173fee73

SHA1
40d98c6b06b401136b5fc87f77b341a87d5a765d

SHA256
0541255722c3ae12f0775e251c1053f04833913f24fc3d00a5e6bf4dbcc9b877

SHA512
cf19d7cbda81cd8a38835b4aed58e81f440976ab371208d87465c286d442a462a857b1b0948afe5a55e5062bca15a74d4c045c157bdda23169b89e1ebf2333ba

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9ad3a2c37afc531ae45f303fa4ac4805

SHA1
2684877e5c4c2574d9184694dd9685c9ba015976

SHA256
d600daaf343aad553f5fe5dc65c21693a95654dbcc3c743dcaacc065f1a08240

SHA512
a66efde3d88f1e86c4accea6238d90c936e0cd055a9bd64991de17c3a6168c58497dfb9f21b74ecfa41a260166de155884aaec709e68cc5bd471289d3e2cb943

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
34d03bbda4a7894e5e66bec483d5fe3b

SHA1
6faed0c2f16838fb2780ce783ca27a909d7c9c7f

SHA256
e202761c676a6a174ff9c60a4609cfd0e28d7fb17b631cf67ca1b918ce441f31

SHA512
baebde6c8089fa36a7b80ef741740d60fb9c7b05ae6982841372c974e310178b0a3fb8ddc76899d952323dcfd657e3e867fbab541f34d1b86c9a9487002613f6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
58e93040f43cb49c058e17b265aab6f8

SHA1
6bae7a4281fa8cb9a572e89e466b428f24bcfd27

SHA256
151ce4715cff8290afae2b1f1c98de600d24c40711100884ab096d2532a5aadc

SHA512
f1b5585bb949acf635d8bb4c24db51fd111a38cfa49b45f9d5386a71eb95d8561a2a2ff2fa92ef2836ce744eea7ec4f06fe762e1abb00a5a92b5e79ca1c6eb37

Download Submit
memory/400-93-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/400-203-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/400-92-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/624-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/624-262-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1320-59-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1320-53-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1320-61-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1320-167-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1600-338-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1600-156-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1756-206-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1756-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1904-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1904-48-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1904-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1904-47-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1904-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1936-75-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1936-0-0x0000000000400000-0x00000000005DD000-memory.dmp

Filesize
1.9MB

Download
memory/1936-8-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1936-1-0x0000000002330000-0x0000000002397000-memory.dmp

Filesize
412KB

Download
memory/1948-104-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1948-218-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2116-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2116-86-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/2116-83-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/2116-77-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/2116-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2560-276-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2560-526-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/2632-168-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2632-369-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2744-91-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2744-18-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2744-12-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/2744-21-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3012-242-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3012-130-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/3064-219-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3064-484-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3516-129-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3516-26-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3516-27-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3516-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3736-236-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3736-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3984-240-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3984-518-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4048-527-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4048-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4064-200-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4064-433-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4072-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4072-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4072-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4072-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4612-181-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4612-402-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/4752-523-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4752-144-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4752-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5040-524-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5040-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download