af45a086d7409eed44bf41e1ca7de78d1c7e6e9a07b510a9d9e7751117f7e208

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 06:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ac5807b0e75d10549a7e1898cb625820N.exe
Size

602KB
MD5

ac5807b0e75d10549a7e1898cb625820
SHA1

1de31b25096c7b4df2bddf5ae6b29b8b4d3cf2c3
SHA256

af45a086d7409eed44bf41e1ca7de78d1c7e6e9a07b510a9d9e7751117f7e208
SHA512

8455cfa65b6866ef89ebf5fb4179613dbcdf0081f01589de349c61ca8ff887ea9ae1fd82265836779b106ee2fda8fcc846e71d527cdc8190b7291ca72356c7be
SSDEEP

12288:IPaqzPTY53of4XgbXZqHfdQCaIY//RnhOWrZVoexdqCLH31Ii3Dn:IlPYPwbXZq6C7Y/5kWrZVoe/1LH3bDn

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3668	alg.exe
4084	DiagnosticsHub.StandardCollector.Service.exe
3612	fxssvc.exe
2384	elevation_service.exe
916	elevation_service.exe
4532	maintenanceservice.exe
968	msdtc.exe
4536	OSE.EXE
2960	PerceptionSimulationService.exe
2404	perfhost.exe
2480	locator.exe
4356	SensorDataService.exe
516	snmptrap.exe
3300	spectrum.exe
4736	ssh-agent.exe
5072	TieringEngineService.exe
4960	AgentService.exe
3612	vds.exe
3296	vssvc.exe
1316	wbengine.exe
3684	WmiApSrv.exe
2904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\locator.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\System32\vds.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\93411c489816891.bin	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86062\java.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	ac5807b0e75d10549a7e1898cb625820N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ac5807b0e75d10549a7e1898cb625820N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b6b25187fdf1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000808a6987fdf1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f1ef2d87fdf1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000258b4a87fdf1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000080b6ab8dfdf1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ad3ed48dfdf1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000100da68efdf1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3276787fdf1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000002857d8efdf1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe
4372	ac5807b0e75d10549a7e1898cb625820N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4372	ac5807b0e75d10549a7e1898cb625820N.exe
Token: SeAuditPrivilege	3612	fxssvc.exe
Token: SeRestorePrivilege	5072	TieringEngineService.exe
Token: SeManageVolumePrivilege	5072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4960	AgentService.exe
Token: SeBackupPrivilege	3296	vssvc.exe
Token: SeRestorePrivilege	3296	vssvc.exe
Token: SeAuditPrivilege	3296	vssvc.exe
Token: SeBackupPrivilege	1316	wbengine.exe
Token: SeRestorePrivilege	1316	wbengine.exe
Token: SeSecurityPrivilege	1316	wbengine.exe
Token: 33	2904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2904	SearchIndexer.exe
Token: SeDebugPrivilege	4372	ac5807b0e75d10549a7e1898cb625820N.exe
Token: SeDebugPrivilege	4372	ac5807b0e75d10549a7e1898cb625820N.exe
Token: SeDebugPrivilege	4372	ac5807b0e75d10549a7e1898cb625820N.exe
Token: SeDebugPrivilege	4372	ac5807b0e75d10549a7e1898cb625820N.exe
Token: SeDebugPrivilege	4372	ac5807b0e75d10549a7e1898cb625820N.exe
Token: SeDebugPrivilege	3668	alg.exe
Token: SeDebugPrivilege	3668	alg.exe
Token: SeDebugPrivilege	3668	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2904 wrote to memory of 1900	2904	SearchIndexer.exe	114
PID 2904 wrote to memory of 1900	2904	SearchIndexer.exe	114
PID 2904 wrote to memory of 5064	2904	SearchIndexer.exe	115
PID 2904 wrote to memory of 5064	2904	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ac5807b0e75d10549a7e1898cb625820N.exe
"C:\Users\Admin\AppData\Local\Temp\ac5807b0e75d10549a7e1898cb625820N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3668

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4324

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2384

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:916

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:968

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2960

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2480

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4356

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:516

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1412

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3684

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1900
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
158613b7f492517ca284345b110e192c

SHA1
c3ff39a83b601f48d63079f63ba0d7a854615ddc

SHA256
9b2e3980a1ec4c4e0062b9595367553f92908d87b4b6c4569c240e660f9776d6

SHA512
0f5ac38f0a1cd4410f1aa5b6b84f8a463d4397e0d611e07b7bcb4bede6a81babf562440a587295eac8e8e4f5507a889d6a4be4b9bf2b674c6dcb6e4b47310e34

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
2ca7a034760bcbe0b5fe0d5224f85908

SHA1
f113fb1f0a3d0a4c2875df0eca609b2d594c6d58

SHA256
f55effbb35100f27973e83653dfee1d0b5742eb29bbcf0119b6d2c937fc4fabb

SHA512
9cde34a2e5546193e0e618756606151950fb08afc2632e50ed80f013f62b1ea027d612ad69c7accdb7ad9867642ce6f06d6078026f212811b0e3f1e8f3542d30

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
4d8a9736d2deebdc8fefcc59962f322e

SHA1
a0cd8ed4587a269720c00de94b9cc810e4f45005

SHA256
b7dea7e7dba28263fff0f4e04de21dc32ec27fa6c7cf27411db57d027208eab6

SHA512
dac5383a8e1b318eddc03cc9798f5d1130b039354a9c4fa0fe2c805b6bf8fd8673053e705a15f250e2aa4e2e78f1c4a5419d3a66c174ad866b74e814eee87fa1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8aa7a8deb8f24fcba20029d4995a2ec5

SHA1
d1a2789be3f375bd8800cb94cdc9a625789a1a8e

SHA256
d0c4c909edb89a29864adffa6c858d681d7490e2558d5fac05d44dfc34e37dca

SHA512
a78dbffaad3d84b73e1edced480759e9b2968c2920242da4564e448d9c4aba9303d0493dd28a14d82213ec6f7b208dacc202aab1b538106d26a2ca0da1433eeb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
e41df3d4e8b05242ad91fae14a46bb2d

SHA1
c41127043167ec7fb764b36f7f5d0aaede0a0577

SHA256
fc4b39b006f4831784b8deea92d494880f27f2c8e16f883a0a06425c13deccc7

SHA512
ed5740927c92519e48d823dbbafb45e97dedc6f7536fc9cfa8a56dcc3815bbc66b18d5bb2dc33e2ccc07cb1533f593f6718337104b5cf947e738518aff77ff4b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
258027bac5e91ec2f2ace3aa786fe9e7

SHA1
3eb68fa62f4ce5b8700ac395b1b4038549aedc3d

SHA256
adf0c0ebc0039cb1ea5c4fcdb96022ac22e36ad3d43eefe1833a889898972480

SHA512
0dcfa3d2157b3d61ded126e655e20592216172533123f28b4d8a50e9cb5ec431daf0611fe9c420fd3f2eb01d3a6ebea4127b99fbc55d0c4f04dd54c4df2d74f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
d931a80b5722341789a7f532fa5c307e

SHA1
f376182d1f44eef7a7d19e91dc63b6035f7a71a2

SHA256
774c5f318166bdd5e00a034eaeaa5d11de4f608582e8b0420098eebaca3be2eb

SHA512
7a29fd8f0f70ea716623b90c72bf707d875424e259421bfb77f93a51a418f96626b956ee1d3967c58e94c835c0495238874e8a4513765cd7e099f65aa0efd4c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
564260a1d36a893094e38840193e7fa3

SHA1
37fee8a5c4e77015ba0998c8a34c9145fb6f6e95

SHA256
58a6907b794c67d718db645369d3023afe957d7681ce622d60f7c33ebee6c93b

SHA512
21f915661adbf0893229d9deae94695e0aeca8547f0bf31424d960d0355f41e37980be66cbab17c348b38478f1036aada290bf9feba36dc12e4816299ba0abc3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
91ccbe244f4eb9fedaefb0381fa3ae8d

SHA1
3071e333dc78769850830e16fccc17656a69ec38

SHA256
21cde91a6ee90592159f184f7d8484bf9d36e22861a91543a9b10b9d3e3e9be5

SHA512
86f5be670b41a1f9b2fceabe88072963eb25f1cbc89a1a82656dcd8a22a4bdeba6c564caa18e34bbeae80e0c78c5f1dfbb76ec4b6f890be052ade6d42471fac2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d20037a42ebf3a4e9bad5a5f8b526048

SHA1
3a7de6b23496d9f6e4858ae6e7ab44c561bb9270

SHA256
cdae6b2c12439f212ed2baa65e3c26f0a42f89ed9b5e11e0915d95b3db3f14a2

SHA512
403bd204e2d9e32666d011984ad038ffe449f97938a01858a991f69ccc1bb98549d9fd727501c3554312c159f725fecc22c61c38089e5598d66393b726ccf284

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e0173912791db886e80f24faf1582636

SHA1
44076ce838259c6e2c58f1e6b89f888950cf9f2d

SHA256
ef39805449f6c02a0f4de77676fae77b3873f0c5049f2fa74373c7be7882351c

SHA512
1df764995c03e038abaea68e92505309d2aa0f77c1d925af3944d7c9a29338a542cad8b1c4839c75663234f7cc017c2ac89bf4f76c2f19af1ea40d33218557b3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
6a44e63c52446a6e35107e8f94594725

SHA1
eacb2f826c1c97b17b0bb538ebc611ca619c3603

SHA256
bf34038d8c2f828f8e55522a7f0b89e8c814025aa9326e6a666583076e64bde8

SHA512
49f642c56b4405aa0cedaa94e046a25a7c5e47db1732a119f1a65b77cdb080e15ef50d69d086a0443dc8f8ff3073853d0c92707373d5424ca8526b1d49f5b6ae

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
0f4e39ba4ffcb82c098c5233776d3463

SHA1
9d4910a43816af88414686cc8a6bfa08a2628dbe

SHA256
8334d2d037cc77de10d389b52ec9a4de10f97a6645e09469f9ad97ee6fadfdf5

SHA512
a2291665d200021f89134500bd3b39dc47e3929b1c57d8e039e5c4d8e478f8897054d20162e6bbfaa0bc8d02f3f4f30dc65bf971388d0b69245314594299b923

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
6c4b5107f58f66cb74e6c5287be65be8

SHA1
8bda8eb99b6d6f2175dda7deb76335ec912e5bff

SHA256
5a6fb7e4ac7cdcbc372a4c55ed9bdcbf4e3947783021f83c8fdce74851d2f0ed

SHA512
56322c620edb382b52a4e0674303ca10074641bf8eec399030a8a9b5ae30c21d8557b802cb131f2424ce4d2e894471d0807cc4833e9c5fedf72c7f1fc9622179

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2bb7b68bcdb6b33361cf39e02cef17bf

SHA1
6e0c6b7491f6b474f8ea9ff8bc2e72c5245aea38

SHA256
a794af6d9108f9240b37a911e8af1521006c0304c2a79c95a05f306601e9653f

SHA512
a863ecd2cfe2626e0c6616ae03202e8d9595806807a6f81eb9eb831369e7a22fb29f07504f99e4de6c446d80a5f9955ddd01728c0ce2f7c4062ac6f081369861

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
70f242da7320a61c73b936c23486aedc

SHA1
f012158eb450d3987ae43fea88d4fd79d776f4a0

SHA256
773042a109ad7422495a33322a006394a2853166df66188dad0ba29cddb2efc6

SHA512
c1150319739e775284f3e906db8a46533e66e8beab25b5616463ff50ee0ca0a0395e5dd2d2d0763d27cdad5090d3b292a8297d17fcf8b91c2a922a3360865f1f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
4c4652dcc65e4868ad94b907e7a5b8fb

SHA1
43eebc2709a63f92e272ff9aa4e3b00860002e7a

SHA256
16e84a2d30f16fd84edcfc3aeb274bf8221072b0572d1e196f17566347ba610c

SHA512
98564bbee3aafea6845eb0c4463dcc02a2321a4d0f240166a5c2724d50787437775b2dcb899304924de537d7f9f56a0dff850106f54b5e95a4ff2239aea84e4c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
e709cd6b5667304ae0a01f186143d7db

SHA1
fd572141f9d8bfa0037ce0ca3ba0785e4f44303d

SHA256
2dd606fa234088dadbcae61f563da680017d4e5b2b92ea3c5c3039d9f800940d

SHA512
a17beb05abbdf93ff59e32f390d0dc3f4f434b3ff1259d9b2f45f0e5b9368d45f1e5ffe078c76124f25ba74eecf5fbd653d0f99289eadf7eb9e3318160912b12

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
b12cca6e6a03df4f8ee3b2bc6277817a

SHA1
d8ec2e206a892bfdf609ebee6ef47296d831ddea

SHA256
bec5b332de49bffa9a2fde008795232c032834d1efb87ef03444726dafe21afb

SHA512
d5a22301e535af202cc741bd95bfd587d6bc2a4ec197013532951e1668b0ad80b875a60b06d2a4a7f0cf8d115a03a238218f27968ed70e234a7e0b0117e88f9f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6b11e5354303ade44f27fd4a80ca155e

SHA1
c16119ef4c4395262f0b4d1077cc32b617ef1458

SHA256
5e9587a1198717e0762f8190fddf4ed412abb296a22cff323ef908482f185a2b

SHA512
22707e80e9473a27b92f393230ccd79cdceb2a937c1df0cc59c85d2a84c2ce9e478bade5192d504c19682736214c218dc8b3e09dcef9bb01b6ab242201c8a99b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
2a5853ca6df513122f2b159d71f7698b

SHA1
a9162ca1188327d370db2f1ca6ca06d5ceac7e8d

SHA256
edde2959a9ad9b74b62b6d2b3c1913bc37378626d32f78a06c50e3a42ae1c13b

SHA512
c472a492c4c9f3739686c4beda4b75c464b113f6bda1bddd45380d97475eff13a6c722c41a7ee10e94a231065d595d88c1a7097053dc2dca7468ec93e0b4a0d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ada9b8ff546f4567e0cfef00e3ec182f

SHA1
5286684a6c3bfb7ad222f07e5bdedd506e5f1346

SHA256
1e1f426b38f6fcd486b5ab0cdd610eb0be690f673e310d0eb0b68f083a7c36e7

SHA512
73e20177d6baa5d49b27770ed2c261a7c643e56a7638142036b0612279278871c71130629cdddcd533555bd616e4567bf53e4e6bf950b9d61d7765d70c6e91ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
773586d699cb33d55b059f1a7378470d

SHA1
5b83ac7f2315654b9e73ac3b2d63fa56e7dc9936

SHA256
95e620796223680ec110be7d5fb70f1411fc01cd59f04dcf479570bd765b0bad

SHA512
d9cf6d569a06141f44af302a2a0a2c01064ae342aca6e7b00d787bc1279dc6643c8c60ef4943214c09577d573064dacb64ed3a0bf83df2ecd8df1ae354d4dc35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
00e9f5fd2c577f4b9422057e7c12a841

SHA1
34d716d636c0fbcb878bbe5e7c7ec2b0940d2e04

SHA256
adc4e359790db8be819ae93925ab16535351b6d016072b70469c2ee0c6e34001

SHA512
ae6bb713c6424a2f190ba6de3e083158273db6f3b06795090689d65812198b94ec6524f59bfb2c77e191ef785ba6c68b1ef6ef8871687d05a71d619f28516fa8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7ac67b7973f4ccf5194943a8496c3658

SHA1
6b02c0287382a6117f8b6513f567b61e5784a26a

SHA256
8dcab93708445c966dfbcb8267359fb906851ed303c0f1d820d23f6d1f01f217

SHA512
8c62140960d321cc8d0a011be3b570944f37899c742ef38fbdd792f9f9d095cbff00d7364e6993d0aa634e7372a04a1864bda9cc2d222ee26613ca9d7f1ab808

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
f5cf65144bed5baf3cbd8410538d6920

SHA1
0b02cb0dcc4c417206a652bc705f0ac7cb87cd2a

SHA256
6a2da3b981594d1eb767fd299c2878713f03855e802ed5c40f90665c82c5fa68

SHA512
f8de990cd8ed2c95ed0fdebcb4c4682639b64600084a81718845aaf21d55a9d0bbc9e8be28ad2520f7eb5a99ff64970e40ae389d1b9735df61b3ee9a68934ef4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
0bdb26feae19b6f4eb5ef4f4dad2e907

SHA1
8b6f2936596ea936c7cd599a625f68da876902b6

SHA256
5c88676a4c69ad126ddc6a3e2df1e8988f3726ff620fcbc02ab84d09592e8136

SHA512
47f608d09f7e9af48228c09595752c78c311d83b4db0cc0e426d98e38cc0334c37627ca692754b3845af104aa878b982a1b20b25c93c0784e60bc260c93c34e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
993d76a1633e322c972e9b3131a78cea

SHA1
fa3f2aaeb614cbf59eaaf05c19e3b268dd8458fd

SHA256
b6f82447f0111b874a3a250184909e187440f4a6c17ee0a727380f4687bdf968

SHA512
e5818ccdfc954673cd6468f913ec00f5be4afdecbc90b34ac94a96394118fc9b6570bcc7389ca9959ec02773f02130a0ee4686928c0d531fa8bb8d45bf6d3523

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
64ce39bf834d3e43ba5a82cbf6f776cc

SHA1
39e069009dcec7e4b9028f83018a83492bfd28bd

SHA256
b7d4b892bafdc76daaa60aa8c24139660b8d3ce9fa5aa0505bf69e03f0abce7d

SHA512
238a06d4ab43264c44db2599e66afad1c358254513d9be1b5e03354e4d1c770fa772ef796fbaad00c72a3781c164f01cc33bc3f37a401c9f6d5b4236c6e8b432

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
8150429f17e793aaecd304084fdc08ae

SHA1
f36a4c9bf8f539395dc2b6a918a0b5f1ddfc7a77

SHA256
f70a92423bfd1c2211bf8d3602eda6c2e4fa7058b8e7d41d993bfda9c51d9533

SHA512
e8750a5f544b16b1816f55460aa10d68b07cc928238a13042aaabc2f81abc23004c325a60de69413dee74957489115be900b8cf0e55fed998fa28c59aa305a3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
d1b26812b2bb3bb976ac43a33f1595ae

SHA1
2c8ec1ef788f344178be5e24e3fdc8b6d9963dbc

SHA256
5b0e3b43df07a8834d1da4bce6f35a5d572c99363413c6feff5656f588c0bc66

SHA512
0aa34923b27bcad60a8bb91647b2726d0e057f45d583bb449a756c8c9bf4206c758d8acd80cf6e8032d94dfc3fb79677e45d66b441a908533c0e1cc64a46bc5e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1451b090de1b4bfbe09f3c4f9f3f1e6c

SHA1
d786219e85b425b02918be2234113aefb0296dff

SHA256
9e33967e7a8ffa43149fff3758389d298109620eb81da2d379d75644da172f98

SHA512
2aa948c8aff3029c46243239d8ee9631aa92db0a50cf0d7c9cfb63356e3db6232934c81aa8e996a0ebfa93e249e46fe331a365e8afc997178fc0adc52bb11532

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
64eb35ddc07d369fc0ffb9c4b6b65078

SHA1
9c42223d5c434544e135041ceb5f70420d65b5dc

SHA256
5cdedcc8b79ccce807ad1036491febbb3477ffab19b507b0c993aeeb80ee9c47

SHA512
75faf80b7d1950359b56a1112b5dd02be16182dba620f6f1137b365a05967981cb6086971c5bf7e3dc6f7f37a588d091aef6a14318801daf01d4ce9d14c6c6c9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
c987471f57ca5d28a9d5e7d98be6075e

SHA1
921f01a6c9578bad819415931121cc9971c21762

SHA256
93995cee8d4a38696744a007afea87761efa1913741854e38494126ad859dbba

SHA512
c8f486a17b4c05fc4e138bd062478ad6dc26eef2442ecdc0abdf3bc28670131ea0c0deb5d784531584d05e4dd6e07bdda754ebc66099b878e0f3b5fcc2da3e19

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
b2680834c79cc157697047ebb7ba399a

SHA1
2c7983a0a3a2509f2c2a29d0d6e2c9dfd0e13bde

SHA256
15d7e72a52db26d30cfa87abeeaf372b1bdf8c2454eed80b5b04bc0ba1ae8649

SHA512
f084fea648181c070bbe573d1767565bae637069912475b858909dd024da0303563d0493b08a9a0d090228370650d35b74b0d118f81d367c3d7731098114b7bb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b99064d295fbcaf4dc418a04f110bbe1

SHA1
8a0e641b0b46c90600cd2a19c9f2c1433a890ff7

SHA256
47f17445b14ab26bb82f40a0c7c3936519c346ac3d9d589aa1ce13936df6d595

SHA512
ec1ff05d58c216f774d439872ce3959b4d4b5abfd0b63ecf75e38ec095a2c3245fe1e72ab9997b21a5fc51efdb65d317b2d26bdc652d8501d681c4f7fce5beda

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fbad0adbdc6084da125f441f39af3633

SHA1
8e2ef1d5568b91e50eab790848cf7361b81524c6

SHA256
bf0e1d44b0ec91bbfd0acc10bba6c0f0e3ac33ea65c59c8fa588aab851f236d3

SHA512
ce5d115e38d78f407cf0697380070129ed3dad80bf54ca8696505d9e69815050c2fe475b5c815c8f59d3ef5ee3d1c774cf5f29d22cc2882dc4922a2bdb1289bd

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
0f07e0eaf12b5d5f188ec94ca5a0d796

SHA1
e77af19a37d5d57250201211050174a88e26ef94

SHA256
21e79081370f15edbc805f5ed4499b1ee219441b4d66e5da2a80d1f04e12352b

SHA512
b2cc9aefed51b5c28a7728bb89bda619bae46838726c29cc7636c734e42d038cc1f0ea69b76e706a83175026070236329b5021c1191fd0f02e1516333f846297

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0b708c3da9be2ba55fe2f29d9a23437d

SHA1
ef132d7e47feac25574f7c7dd2cf8c109a0fbdc5

SHA256
167eb0ad371a60dc79803848bf8c8cb4539c32ddc25ff42177b25844cf891743

SHA512
1d596cecff6b5ba68dac45ad4fb0f0dc257cba229ebeb6e414f2bb0b79e6e67a8456f52cfcb65231000fef32415a180b4724f5ac5b80a6f7f492e53645b168f7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
43bdf0edabeb30a104f90097643e2534

SHA1
2c662dff88503c512c05ca60e6c3b7efd9a85dd0

SHA256
0c5de34e2fe4b7f37104c4e2f648c5bab254450bc5921eadd3ae36f18d0740f4

SHA512
72a7742c7bce02ba81530c9ec0df8532b2e243a7924fdc1e8f658222810dbd79a0cedd372afb801072417f2325774a3337e8ad33005f20e04c612349f87a9c5e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
d5cd457b9a934be824344f9f4ff7ff8a

SHA1
e67f341273695748a2541e9f4c979cdc63a85ea8

SHA256
1d8f4e1db713991d99eded62cf762fcd2138b3bb841f144dfeb6d87bd9f37ceb

SHA512
05b6b38322c76351b430e69abf1399284dd00292f48f7c0981c696dee9a952d500ea0abc175571be8e2b3b1dbd47ecfd3e9fe02099824a62b07021b9cdc8da18

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
acd70add2e4645f1fe19ad2eed147c81

SHA1
f34b099026bb6fb7fb0c8ba6d839f366c8e3fe0f

SHA256
81e2b5d00a9ab15ac818560a517ced9eb4170b8117d961a18dd831a7e582e06e

SHA512
a9fbfd1e3514a240d6b8f1b4dd8ac4c57e03a612630908d35b5a4732bee32ee7e66d55c0489f07965a065848267917c030e6ba4e21e3732eb8561e7489b07288

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
b374fadcdad0e350af2b00852bf824a2

SHA1
191a18d3ab3f50a14b647256d974e764fe93b97d

SHA256
5db382988d990d9c5e0d6782565dce814da1ebdbac59535a9e112b13f096b4ed

SHA512
ed19b35d214535254b3700add6ef3aa9699cec27d51b7aa22eeb8189f563843966780ff9e906e6cf99d74c41dd238c47f0af8564fbf337628e8e287199e1a779

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2b80f5e1fa574b0e99a2ba1095f04375

SHA1
73987fa77ad2191f1134723b350bc7b8167a0b2b

SHA256
9de9345211afcb928e121058dbe8129b7c8baf4488e0e04f39fcd9e174e6218a

SHA512
e3113bd7f78eb8a49c7fb3594ccfce45c41ca9f6038382b7d29e19ddae7ffd6ff22935bcb18081ce344a7bb0399830c6907bb327fb817702f964ea13cf1c71c2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5b4a166d137e3bc540ff84d10422c881

SHA1
7fee939b2be88a96c5c1384b47800370d355ab3c

SHA256
d7540f9e2e99ecaee5c7f3cdaf7cc7b0ba78137650442e86777072f745c07e27

SHA512
9a328d059fe1921ded9c8d424e4abb5fd6e7d932c010e1c50497f22ea160de4e96e83fbe6e667255dbe86725534dd118dfb4c6feb299164d55f1c9f2e3fe6910

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
64aa29ee682996c594b625b1bb02d19f

SHA1
03d931f1e84db0c4cb174779df1574dbdf4fbac0

SHA256
5824dc5100d13affd63576384c1f93fa82ff3947192aa0f9e10909a5b99f4365

SHA512
54c960fac38b4f2c5f44738e07706eb30cffcc1a1d0a162fb122e8bbb5c67af148b0a89f386652412e4acde5dbddaca5e9359910982d92d869b0997471da8d34

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c744da9d80fc4dfb293e4b5d40266715

SHA1
1cc2e1594eda3ad5b9940efefd47cd6798029bbb

SHA256
b23127ad60a3c0cc55f3694af3616b6a561035af116702db17acfb8c687d53cf

SHA512
8e68979c6cc008f5c55502e5796d3e9010f3f0ee208bd28f461b87ff62b0411a51f368eab0b301923ef911045a3f4b6d5195cd8661e4c83a74bf699e30def05d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
186c4e37d3d7380f9702d734bfb3d436

SHA1
bca543cdba13db407d01c739b6080a51e3650502

SHA256
116101c95ff5ac322b828ed03eb5c3f8ba70b212aeb6489632b4cf4f255086e8

SHA512
906f650242c2c14f3e9d137a6b0acae3384cd731e18bf6ef12a7d572cf85d93143d685c986d47c2d7de5a00b915e005be4669270c7e1f555a729ab2ccf4ac4f4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f01d40ca317389f7ac8ba627bc4d5101

SHA1
4b13eb86c5bb95c2c17ad0d4c26677640ad0c5c5

SHA256
11a0369855a3fd2178df9447d0224f522230c46de8962b9dbfba75509963f83f

SHA512
4e51da83987f8c0d084b61cb3ff2dc088793270001bfabcc3f5f740d168978191a24c769d266e065d3deec3bcbbc918c0e7913206c396c3ff441d357f02dca4f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b5326fa952be11144e9e4b602c705478

SHA1
14715de6051d68638524929059adc0ce46de75d2

SHA256
d80ccea3b3d39efa07c08c94bdf2e6fb824a0a49805450f958b5b7dc5d21f197

SHA512
7893a122b79e14f0db2f2dce60d7a19d2cc2413b0a2810490b4518376e605633b48470dc385ff342bd510d0b47b60ecb7d26913997867c9ebf02ff1c0ffc897b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
00e49d37bbc79a1fc0fb844098b29860

SHA1
f56a89c1955a84acd09c2b2207cd4fd8ade58357

SHA256
ff27da3ef3330ffccad691c96808fa33ff5ec70ad522f7e2340438456b7e2b53

SHA512
fb9cbc6e92b8cd6b9e783023c3be674d3c888c81534abe2018ee61f7d2a6b5ce3b2f76b8d30c15c056263373a53918ea13decf14bec2df7301ec5d162ad84016

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
e3caba834933cb77dbf045ec9441896f

SHA1
3b0dd38186bee0d1a2c79f427af548106b29247f

SHA256
3bf273fadc7e59eae1deffc391cd958b0fbf841713c354bdedba65e17fb404c7

SHA512
476bd9ebe90bfec43f57cc9a51faf92f59a9148a77c01c03706812a2201b0987535e9334f8e58979f54f6c403c4fa99172254037184f35d1f11eef32e9d303e9

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
4d12a9ba9ec0473b29e65b0029436543

SHA1
66ec814dbdec88cb7a155aa1e6864369e6737fbd

SHA256
fc3161be17bbe3cbaea91d0ce60c4b7e0513b8ef21c09689ecf39b718a8e4bb0

SHA512
76d234db730be92c723136dc7735ebf7099d05070d0cf8b591d0b1b39854632630e2684294902c3b998ecad7f879cad2a3cd7e3a075e7a9684ec128768ff1e88

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
6eaca54c4e5639d5765aed23bf379dfe

SHA1
b7372e3ee959d9da768b0451b639df64291acfe7

SHA256
7ee8fb9bccab351afab0ed18e519ec7e967d77343a55b4fbe7458c6400e148cd

SHA512
db35f0cb6fa98cafcf47778893cd5d443a93ae674451b248e23d9b86a1a1398f4add1c01ef69f4b155563f5a09a2565b6f76645502375e5eb83d5a9f8f93d361

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
86b2d139404eebafe402dab69e30ed40

SHA1
0ec28fe29e60711e0e926a64b98ae3cd776b36d0

SHA256
b481fc3e5072f9d2977c0ff706006ee8e0fcee62e86336dfcf2305d1d148c1e9

SHA512
c75256bda8c1d6067d6f52b078c20ea24074d976ba7736f3a91071976fed41040219a3097e021f52b055421cb7a9c7ef6835c7785f0ec60953fcbcb5d6fb7d0f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
8e06978ec772b008d9f6cca99c79227d

SHA1
12029cd249cf79af1fd54fae1d94ef536dae668c

SHA256
7beadd42e7926f384477f6a278521a96cf5b91d15ce83ab492158bae0bb8f353

SHA512
c8b21682c36f7c76a92f4a11a237ca04005cb082739de83e37a986f1ffa450780d03ee49d49bdac31e4e4b16572d5c4f16289f8a0cb3507f59abf99a80b8a87b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
df50edcfbf8dac7c2b70502158394614

SHA1
afb4017447db1958aed9efb1f6cee121de3dd6e6

SHA256
29833111440d7ee7bf77249d7c775f5a7eac94a4310173d0994a0557b17c2d63

SHA512
68f3df88f77f475d0c2c24ba2c4d27655bc4d7fa85111de8cb819a0783e01fa2c976f5cc6b09cb6946bc8c219870ca0d0a43007ed930aba534a673fe90967083

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
cc1d8bea76edb70414b45a16e39a3ab4

SHA1
22df48e0607d50ad549c4e35211334a5ef0b66c1

SHA256
ad2e07b0e5475607e253d5be39797c668c2bf5e8ace62e95dd027568278ba336

SHA512
00a8d2244b04a76e178b463ae530b1869d42613a3c6c8c4255f9f0f3ae99f24694a6f46eb90f083256d0c357827cdbfd27125be231b63280bd2389957f7c725c

Download Submit
memory/516-247-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/916-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/916-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/916-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/916-492-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/968-90-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/968-255-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1316-254-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2384-491-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2384-62-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2384-54-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2384-55-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2404-244-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2480-245-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2904-258-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2904-497-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2960-243-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3296-252-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3300-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3612-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3612-47-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3612-52-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3612-53-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3612-40-0x0000000000EE0000-0x0000000000F40000-memory.dmp

Filesize
384KB

Download
memory/3612-251-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3668-21-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3668-22-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3668-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/3668-256-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3684-496-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3684-257-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4084-27-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4084-28-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4084-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4084-454-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4356-246-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4356-495-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4372-0-0x0000000140000000-0x000000014009B000-memory.dmp

Filesize
620KB

Download
memory/4372-230-0x0000000140000000-0x000000014009B000-memory.dmp

Filesize
620KB

Download
memory/4372-9-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/4372-1-0x0000000001EB0000-0x0000000001F10000-memory.dmp

Filesize
384KB

Download
memory/4532-88-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4532-86-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4532-82-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4532-76-0x0000000000D00000-0x0000000000D60000-memory.dmp

Filesize
384KB

Download
memory/4536-231-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4736-249-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4960-199-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-250-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download