87b7dd7064a925f39e7c78d39887df4e921ef8ce7a716d35eb11ff1814723857

Analysis

max time kernel
120s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eacfd1f4d744b4543e8980df352e8660N.exe
Size

1.2MB
MD5

eacfd1f4d744b4543e8980df352e8660
SHA1

7b69820f2dcbc08a00515eb085396346888df65f
SHA256

87b7dd7064a925f39e7c78d39887df4e921ef8ce7a716d35eb11ff1814723857
SHA512

a6136007c92819b386bcf68287ffa00010f11084e438455d94a1f51ad20587fe9037fd24b34089f5341acd3f3a12e169002f777f842c9964d07f6d812fb701af
SSDEEP

12288:qJ6Xc3ajG+hjQKymY8efKCpD7Gj9G6G1qT8nQkCu83L3Wl/np9DBDt3kbE:g6sqjnhMgeiCl7G0nehbGZpbD

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4784	alg.exe
424	DiagnosticsHub.StandardCollector.Service.exe
3344	fxssvc.exe
3372	elevation_service.exe
3596	elevation_service.exe
4820	maintenanceservice.exe
1844	msdtc.exe
4932	OSE.EXE
1748	PerceptionSimulationService.exe
1492	perfhost.exe
4984	locator.exe
3772	SensorDataService.exe
4756	snmptrap.exe
5032	spectrum.exe
2908	ssh-agent.exe
4076	TieringEngineService.exe
5088	AgentService.exe
3580	vds.exe
4672	vssvc.exe
5112	wbengine.exe
708	WmiApSrv.exe
5072	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\locator.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\System32\vds.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e10a70a7a29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	eacfd1f4d744b4543e8980df352e8660N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	eacfd1f4d744b4543e8980df352e8660N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eacfd1f4d744b4543e8980df352e8660N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000c84f287fff4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a6bfed87fff4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008b38a687fff4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003574a187fff4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1fae887fff4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
424	DiagnosticsHub.StandardCollector.Service.exe
424	DiagnosticsHub.StandardCollector.Service.exe
424	DiagnosticsHub.StandardCollector.Service.exe
424	DiagnosticsHub.StandardCollector.Service.exe
424	DiagnosticsHub.StandardCollector.Service.exe
424	DiagnosticsHub.StandardCollector.Service.exe
424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	388	eacfd1f4d744b4543e8980df352e8660N.exe
Token: SeAuditPrivilege	3344	fxssvc.exe
Token: SeRestorePrivilege	4076	TieringEngineService.exe
Token: SeManageVolumePrivilege	4076	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5088	AgentService.exe
Token: SeBackupPrivilege	4672	vssvc.exe
Token: SeRestorePrivilege	4672	vssvc.exe
Token: SeAuditPrivilege	4672	vssvc.exe
Token: SeBackupPrivilege	5112	wbengine.exe
Token: SeRestorePrivilege	5112	wbengine.exe
Token: SeSecurityPrivilege	5112	wbengine.exe
Token: 33	5072	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5072	SearchIndexer.exe
Token: SeDebugPrivilege	4784	alg.exe
Token: SeDebugPrivilege	4784	alg.exe
Token: SeDebugPrivilege	4784	alg.exe
Token: SeDebugPrivilege	424	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 4340	5072	SearchIndexer.exe	117
PID 5072 wrote to memory of 4340	5072	SearchIndexer.exe	117
PID 5072 wrote to memory of 4836	5072	SearchIndexer.exe	118
PID 5072 wrote to memory of 4836	5072	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\eacfd1f4d744b4543e8980df352e8660N.exe
"C:\Users\Admin\AppData\Local\Temp\eacfd1f4d744b4543e8980df352e8660N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:424

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2152

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3596

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4820

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1844

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4932

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1748

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1492

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3772

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4756

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1792

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2908

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5088

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4672

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4340
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b9701307149e31d91b1e051898b1a0be

SHA1
d79d27fd49513e38c1a0efcd9c796de93b7a9f82

SHA256
6b5a267fb71dbcd822050767cc0400fccb9e05dbed43e82421a9909144c0a077

SHA512
1a06b1b5a6f5dddeaba1c02705d60321ed2d0ae2ec7d97146f9b2ff068063dabfd2660a492522e164d8db3e6c4c506a366b45661412cdffada6d30ea0e43e0ca

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
0e3a6e8ea2442cb1b0ca93de5eed71cd

SHA1
0f4456ce62f3aebea298d2c56658575f250a1ec4

SHA256
defc4b70c0026941c48637c04771f90529bef546b905396b37f8a00a260b72cc

SHA512
afd2fa276240f271a41584c8d00edbc86f6b5e5e508425df33fd5437eed5522d5edb21b6d3cae01a8892bdadd623cd57fdd4f256321686c7885cf8c36622bd34

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
be500f2b4d93038cd0cfc897eb49ae26

SHA1
da3997f1ede7519d5d1964ca9e40d88325add147

SHA256
867219b76dd8e2811b11189e976146982d6ba912623d24563798dd96d71a4aa4

SHA512
ef4b10fe7e138653fcf09c7daf7445ab0dcae456e355bb8ff7f6eb1ae7335592647975b33dee5b86d9245d47a89d44769505d800a4e58c1de7497b3d797149a3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
de7dcc98a93ab541c01dc81ef4744262

SHA1
b919c41c40c738091a39c02fb11bda7a72faf612

SHA256
606370b0627d27a48eb0458f72c6fcfc1764e1241761f50e7e542ec9928218e6

SHA512
8b2d9810528eabb284f5e047dd4df1eae4a89659b5f99174430fe99f9186cb0b2ae37a0e1ec5dc62d402148a1114c356e58c5a59fb8aa714189e5cadff1d0bc8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c0c7be30d875d773ffe5a5eec9ab90b7

SHA1
7fb90c47b615660b09f8b8615736253b75152604

SHA256
bddc5e2e5fd74cbffa9e802dcdbf3c326c4642d998e1b6e1c6a56e1913ed81f5

SHA512
e7e90865cd924c910b221b1badff7ac0cade3ee1d539506aa6c508264d3531df6f386429f6aa8741df469a5b6cff8c2821b6853a757b0ce39f4ee86cb9db2f17

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8b3380da77d85ed15a542876e3956a0d

SHA1
63b101085bea5ef0336f9c707eb5ef491e900e05

SHA256
7a8ccc784226521ccd947808e46de7b7f1a8b1f0d3e5a2ab9402cc3beb544f49

SHA512
e9d5c8a4c172f5a39882a280273cd08d4f750f2d61942bdd1b3000560a02dad1f9e1f17e279079503158ad752a9b48b35579f86cc380a4ad592d82b01f4ec020

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
ca9bb81e9d7b4b82366a747fe3c24d50

SHA1
3f5be850974e85e7a9ea368ac68d93f05448ed56

SHA256
ecce6316de2f6137d1192b9c1a3cd5f6d54ddf8c8b889170db130a49d7b44988

SHA512
ccbc1b8561aba26b43d4c6641bf4914afdc45dcfe31c60830f6066981bacf71c06f8445905815dbaea2dbc0214712b9d485ccb0d274333aaf4cd8e525576c248

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
563efa6cf275bbd9ef9eddf8f5089d92

SHA1
c8efff27afb4ffeb26f66595e907ecdf5c59ba49

SHA256
356aeb889bb5250d308389191ee12b47934bf7329c84cd1dac08dae3dd8d6f00

SHA512
6e5e2a1a48c5b683ca9521a3ed91815b99f9f0a51fe5dfd2f858acbe3ffabf9c1e7398b367d1e3b6d8197ad774d509349276cc2870ebb8e21ebd9ed9e04cb13b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
23b6ebe124bab0846e6564fbe4bd539e

SHA1
403a9b54764698b12c46f5cbf2e66d619e08c2a1

SHA256
bf6a576627d5948c2447343e7941c3731da48f1b59634f56b2cbbb4cf37500a8

SHA512
04055abb2c43e88978a936bff72ef95c53a95ce05cf9b21f2b39b6e2130862807da151566fc870d6af821d16be908444c69dcdb8e747df6c86a74c2b1d90b0da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ee1d95882dfa89a1aa94d565855a24b6

SHA1
d8a97936d061576aeaec75d671009311e439910e

SHA256
e074dc8b74e06ea63bbb0005c6f5e26e1b7a9fdc58f25477b77b1823de1c43a8

SHA512
98d3229e864400c697cb9e56f762d0669f870bd9a06eceded085040ac9459aa1d6e019b783ceee307fa6c71ff37f0448cbc7280697a1d7f6e8f9f03298d7d967

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c638d26cf3fdece821e0467602182c49

SHA1
929675fce15b27b315f1edc8122f5f59de554479

SHA256
c33a2eeecee2e904dc8397bc3675d45c95d359d49ee9a9f5e64d2d462787d9c9

SHA512
6df8a040240b7fea6da2ecb795163f84f51de75eec5889f79ac7881801022e6dac5c81c342cbfd2607b25b27124467133ae5439bdc075e038c26e1a2841bf171

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
784cf730dc8ccf8836e3d7062438be2f

SHA1
9d41bb124aea38d35cf296af5545e3d33d9bf5f7

SHA256
5bc6a90fe35bc33e4c7a63278d2aca5ed724206cbb7b653be78f720bdbfb1bc5

SHA512
5bbe1b9bfa75e05c80166c385407be83c250c447eb391e9418318059e2d8f8e9f3b48259c1c4df51c788a14c9877cd1c495f6e830aef583dba6b33ecd84a04b1

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
277b5842b62b040d8ffab4100e1782bb

SHA1
fa5dacfe26a307074c7562cae9ba95a3d1719bdd

SHA256
2d80a74e1249fea9add012c54500119879fa099047f7c54de33d50fbea45cf29

SHA512
3e76108f299497b6e6f056574b994801291d67b6f2a6508e58da5b5d1035d2445897229368b2fa93293d1d884ea8fbf73b02dd7060c1a8f8b2fd59e4572fb97e

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
c6040460ba1a7ae7790b145c46706039

SHA1
775d1ca78cf5f0a08665c84139f67c2555a1644f

SHA256
30317f64c80ce2a61528341594ba6297f7262ea82dc6cf44f55af4f639833924

SHA512
b050b35250e3c0c92e0e389d27c73b86b970558c588c99291984ce3535ef7b2a82b69de32bf17f2d55762a66c9360fdbe132fd2a7cf6b6a287f056ef384e0f90

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4af088c4e734b19c2472f4635621c458

SHA1
1bd1b5bd54d75127ac4808147dcb41c4de3dc96b

SHA256
3aa3545dff1bb7f02d55b0f5fa96de8c2fc02a9e263c9e904a2afd57d1fdd248

SHA512
6f7b1874e9a5c030c789972dfc33174c2d9f7bf86f85c0f2e26088fdc5a73d87ca29b9ef3dd81fc1bbb7ab0598abe9e565d32e67242017feec5a44481889f219

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c7a661f461c69705dbb51e7e024e0886

SHA1
7cb838d3daee9d7aa16d9ededfd998927cbf32b4

SHA256
f9dc39ceedf399865def11fd5a5ae43f959f347dcbede17e25eb6ba0ccd35b1b

SHA512
dfe262dd9fda499504fcc7b78ded13c0ba86a3ffca0250cd74ba495b13f3e082aa56102ccf5b5c04d41278964deb0fd277d288451dda54209527f2731825bd82

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
bcb8ab3bf6b62ac0b53fd5638fc9b65e

SHA1
54ea34010661d7f21f26323a839b9d7a968f7018

SHA256
ea9e0fe4745a56f7b7a222acd015e0663469aa67de6971529c9bdba9b0f84de7

SHA512
f4c56a60cca064855aefa2f1493a7ff8b483138cad2ee1096b22ba39a46a4175017212cbbc073fa7f755e0b6267e2295e3d3ad57a64215df3ef681c1718f85d6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
58d5419858ae42e3426b42d6d84ff856

SHA1
8915c08dd0e648e0c0c958097173b7ff2a492a3d

SHA256
215abc8e10e8889ab8112ccbc4b2fe51385e0e3a9603ad14575c40790099e088

SHA512
f726fa6fe8ddc06e995f8f064bd0994438b2d20648cd1f24bd678d79c90d032ed3820aa3b10fd6dae62d2fabdf272efbf42ec4e77345bef92c9a657f8c962eb0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
8bc679acca0dc2d5dee91128e0c9656a

SHA1
f742b8023a700bdbf96c6fcf770857a4756f6df6

SHA256
a9826ebf2fbb7eb87bd1d9ffc4f5fc3598be6193a130fcec05b86cfe1497e845

SHA512
0f06d6175cc56fa24856120a9e3a12085a47304df60a24e970f85a4e8599db30aef6ac56ec489cd9998336602942baab0dd1d7e97a67fe281f6fc66cde2f9482

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
cf537999fdbae6d743f31aebf2ef0dc0

SHA1
071eed1a5e4ff04d07ed8783c9715e59113ea0bb

SHA256
d5780f824975c82f7bb4bb4a1b6f7cafdcf00a076957ef302801a96fd09f1a48

SHA512
33245b0eccb9fc048e6a90c078b8c27867b0314d049d46087e8c1fa45608fb578c6acfd45576c32347c132744fcc5903873528f1fe3fc9f4cbe79eddd533bf5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6d498cc4a56cb729302935ce7737daf9

SHA1
04d9d33c5a02531726ca014cdd15c1568ad48134

SHA256
35670d3951095bb6a8cbcbb58864965b770aa0f0c43bf84925478da81c078214

SHA512
10e82c77499fda59f76016e1edc9c44f1356277accefa5e60417d5d31e75cddcfe6d91ae20c7f03cc64e1e613484a93915a5ad4457909dd6f9ab63c25bb63b7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3e59b73e1900610becb1abc153663373

SHA1
e2441db79f3262b6c7c26b12de6ce3676e4cea7c

SHA256
cdeb0ac007e7c442f3f4047462a0812b01ec2d999327b2fc544c3b6fc76ce160

SHA512
ab03567937aa51059145c567fa6688c06f322d2543967300720fc8fe74c7ce0c88fe33ea26775ca5efca3570dddaabab74a653a8224069f7b9ada64f6dc016bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
b95bd172a87aab4c63ea59af8cfcb7be

SHA1
5adbe966c57584ea5e14dab5227a237b4ca18acb

SHA256
fc55ccc4472aaa294f4cd471c2926c9ac150833ce371c70df4ac6196189bc43b

SHA512
032cc542be9aad4e2b7ecba9603f9ff722812e65e76586ea750cfa09be5e120e872c9db4d3873fdf96035aeb97cd9aea513dc33b02cc5eb90231dab06a94c016

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
f707288b92856f166743e87c084bba08

SHA1
9762d8f4012c0b48ce32bdafb035a8561988bb68

SHA256
c82723b8373536830eeb85efd6931030d417bab1ecff0d7c8a1dc8b35fad4987

SHA512
61b3cd2f8472ac55fd1e19b0d0211d4b9aeb798c381ada06af492a6bf9039ccf0df352a753a2f15ee5f7faadf835d93b6c34ed5bc0b4191e7093729af24bb339

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
e7bcff9d040b61fe7d558acf06a40a37

SHA1
3bad1385bbeaff2c736927fd149d424fe9c21c06

SHA256
65ea524c96381eed237965b61b9ad632970757f77c2efa7a73fe0b703c46ab96

SHA512
bf6244d6d707f905ec4011264beefb1d696a805adfa07a5541516bcae8bfab16ef960c9298804f2ac57468717e3486c4395444999609361745af9112941edc5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
2f6eb41f08342b2f15be6dd2355459d3

SHA1
2ee340344be14ba964b5ee8a371031cf68b77c9c

SHA256
daf2cc968b88bfb3323f0e3085f4dba00d0d9ad2ff11d2240c5029b8e2dc66cf

SHA512
a33914798ec97f0445dc7588d2452c90194fea64a79471f69f6a7fbc39838b25a0426221ebd5a9843a635b02c9dd6576d02cc047f8988b418617a45371ea4b62

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
a8fec4f5dc29cd200d33792ceb48de1e

SHA1
b2082a60e6a06a226c58bf19ef3c979f61ee7e10

SHA256
ba6107d0f04bda1cc30870d4d38ab60cec9a1808b24e6b430478304b335d8a9a

SHA512
9dfb7aefefd2eec4697c5f5ce022e8b90fdca2799cca08dedc5a5ae4f77f76861b6572465a3109edefc7c2e24675ed1922a1d68662a84a5f592a0b5bfbecb6e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
2369ee69b08ca4d87686fe2c317a93c0

SHA1
4b1321e94f6fdd735a3fb9f49427fab9df080127

SHA256
8d9cf1575b90aa8290d0897385574fa6851e9700093a86e9c90d3785fee9e883

SHA512
a6bf0c3ffa3197a317e7c1fc64fe5dc9fb3aeed232570cd7b17976f1e85ded1e6a88970dbfb2125fcad106724b13388ba4a7ba9356500239262e8e33c98a3ffe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
241f7ab14666abd37dbb2386a7bb0690

SHA1
6e244bb8f280725bb1c216699f5342486d2a8597

SHA256
72e8ef388a5056c52e74d249ad5b867f258e4e74478baf0494831083ea989ae0

SHA512
c7a6a9946e43f22d6dec43fc6873d80bdbda6efc9f8b620e22dbbc7be8d5d398125d17b1b1e20ac5509cbca0999d1d5320c3cea592254eb5658545c9ad529c02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
b4d96443530ad4bfbb1f521ac9cccb0f

SHA1
6b80c1964e40a3df15e1f82235b81bf3c414789d

SHA256
8ee03f2ae8ca178e19b4e761ed909c80ca5bad24a469f8427c87bd470c05c40d

SHA512
22fc372c517f0d7fa1392da2985ae3bbf4db91304b38c5bd79dc043759fcaa7ed90ab283e0031e4e594efac0d5ed08b4af982f2e88491bdad21e27179c1ab9be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
1f49a27c1a520d8ae73688711eeb56ff

SHA1
6d7e4ab75e48c2f6b7e526b3e12eecdeba3f2c50

SHA256
27d8692dd1ba46911607287237b46a33044caf615b7c341ad7a79c5151c4c9f6

SHA512
38aeed45f6fdbe7bf5e4bcaabd6f1a28c00b0f0b3e69909d29b8471f14d29f260452b0da5ac2bad2c04c96c77fe6cf56c8c573f859727b1822764cb44fa8b6ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
65b6d3734cf7ecb6c9cb8b70534f4796

SHA1
b67fda19f8ce142ca34769fe949cdca107905459

SHA256
783cb794f4554b770f599d4a362ad3dcf1de359e5e0e81a8918e57393dd47058

SHA512
c63f3828a75fcfbaa39e8d2a57c9ec3942931de967fcb23b495d0a1dd40eeb95e2775d447c7c1de45725f19d36a65a739b1b6f83665b33ee3ac92902d8db2744

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
b15d74dad83cb7c0b0569fde8b4f581b

SHA1
1bd674c43fb21466fd2ce3e7ca4f1986da6e86ea

SHA256
254ebbfa655257e91fc8053f4fbaf52d5a21511741c4e94ac6eef49f3f714d21

SHA512
7461b0118a4b5a81aa8e4dac27875462621545dd702abbe2bfe0e4384db9e6f3b4ff810ae02dcd361ad1972f66367406cd42731a5c3eebbc942ffe9bf695d54d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
5bb7c026f72fe079e9e2cf8005ce9f7f

SHA1
c1221dfab1a9ae77cd647b228a92526848eefcb9

SHA256
1e31745cba6aef30055e44b0816c8f4771ebabf59641e2a282a9af31e86dfbc3

SHA512
47465155d522c0a483a1cd2a35af8041a5861a8ef4034065ed248bd779e2a49ad6bea659f0098e2b7a8ce6a61e7b7aa0dd1a67b478305b5b89cff23595e867d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
388ea640f8290a503b7f3041f3d0218d

SHA1
3943f8f0b7b5aa2833a5958f547f4847eecee7e1

SHA256
b21268d759f6f85d54589fc59591b31a264990ae58be5c37955d20fd3c202f17

SHA512
3d40975dc2724afc9140a6db9bde2e884a97546fbf468b2115489801fb0f150fc6334b43ec64dc73bda384ca08d8b15057e7269598bbaed4327fe34b0daba758

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
1583f483ed1f699c6211b7573bc1c378

SHA1
4a2a7dd13caf0deb00839ddc0f340dd0e02c0482

SHA256
f5ab1185c31dd34667d1170b5db44e4763d7628b6ab71f3759d3955f88edbb1f

SHA512
12033e7d663a0b5f8c0223157ce093e82857cdaa21863d5242f2405bdedcc5aab981e121b252f3f2cd34437ec75d9c56da1aaeb2760b6636f919afea18b0ff1d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
cbc9c9c803f858a802a96934ec956def

SHA1
4ee37cd123dcf0f25cb40f3ddf69361c4b1fc9d4

SHA256
0000123fcbfe34cee7a7927cdf0a8496c42bd7ed83312bb198ea3865591357b0

SHA512
74add3e7f7fd2344c9adb1862bc9bc98cd12e2aa2d77323f8158c072faa45808b005730eab5e01ed8167b41dd17f84a772b9fc0c84feb1fbfee0216569264d01

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5bb1d7d03ffacd534b9f90d00d95d256

SHA1
fbc5d662c7cab33599e841ed190b372924858b45

SHA256
511383ccc3983a7b6820fd922fb1c86e1cbaefa47281b91a7fb5f1ee9589978e

SHA512
ffb348b39cc2e14ac7b562a2906a987c06a52c8bceb9658f57cd770a164d838b865e3a4e162ca08561ba377d4fceb5530b28c14ef170d33e26f150a2f6f74839

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
510902afd46f9786dca4718ae8f3e98e

SHA1
42ad70f4dc98eb257d5d183b74702cc7f08f4b0f

SHA256
792508fbb6a261fd591575b308f32f98f4e2d551d4367802f0b015a469aadacc

SHA512
e5cc7c7eb65eb184753fff8121b4fd9b90950948b28fe3dde07186a51c088ad82ee21432e8cc1b604b9ce3f816e74cf49fed60965adf78351579295425a1d980

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
d4ceab1e7bf7df36873ec319cc65291c

SHA1
2b5090b155b8a7237f05bbe265779aa8426e6056

SHA256
af62ded41a5af96c65684890c990e9ff9a0274896bc72c9051fc94e686cb236c

SHA512
6a9664b3199ad4f1cb9547e96a6ba2cee0d3de04bc6a667d01707d1d8233c69acd0652755571d78e0516e134835f92edf1be57d2990f2d89f2f1101733a419a5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ce3335815a3a37ee67a16740db5474b9

SHA1
2a978cbe3e002b0d02d2e5585aedb009e2ad39e0

SHA256
6e1440e25ad15c2702e227a0bb0c5b478c25feb5e947aa6558c482cca21fc1b6

SHA512
31763064bb6251812dbec89ba9cd42985e5f5864511377d39d062ad4d11222db61dd003fef0381f5ee3e9e0c51728017a2e5f0d34bb0655077cabdb5095ab700

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
dc8f8938bcac0d9c7e091569e1569cef

SHA1
b8013eb15b130ac92debeced352ae2ff7e191e21

SHA256
001525e9f72a20e698e6e84a520a1c6e94224eb4b5cb5e339f126110066ea433

SHA512
f62ab7d075018e2f1ab201afddd07c4940f80c7a1015f640d00ad9fe752b086ed77b8721e18539dac8552f3ce3329389b2061c1b90f327a61af2fe0bf5ef0ef5

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
afa0c2b2493a8d110c53402f0f24f0b6

SHA1
ec09cf270a6ed5137811d8edd182f48a894c44d9

SHA256
5ddca70259ad53753d34b0f74309990038686aa34731ccc0b30af3ff696b4482

SHA512
4465e340045a07f2eadb64c07eef492666fc53ef0397facea369445642f99aa3b61ac211d7ac4e4642576678fabe48a77d44e79901bd96b005edcaf14c0fdfa6

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dba3e0af613ee0014b2b903fe24110c9

SHA1
a2b21c579f345944dc7ce97adc0c870302dea275

SHA256
b734fb1b6f6262dfbaa0264044380520649b79da4b61b5534576d9ae58e4def3

SHA512
fd0ffbccc9dd771a65c685039a93953a832aa32018ee2a63760481b8dc038f103a9a195b951403590a7c35208036cddb8c4f61d9e08eb2607f8783a5b43c5239

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
65cc4b88053fed879fb5f7a311216978

SHA1
2938ebfdcaba11655e77201783b1c954d4b0cf79

SHA256
224559f2796680cf8fd6bd98ae400d4ad86edaf9c49995a2a88b1af798f82e62

SHA512
d5bb481d6e7ab6479be0b84305e4bb3d0f70427c6f959d0057e76306cc58194d00f2d598b1492c8f8e1a480d59c02e0e76b15ddbb6ca35506f0954419c126e56

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0fedabfe3e3fc92b70731fdac79e9e46

SHA1
aaf036c0b2a7172035033d1f48039edd01368a6d

SHA256
f5c01e0bdfc5befc35a3c246ac6e3d4fb050feb9fb9f08b29435ef903b09afc3

SHA512
20e8a8d675d155a99ce719e5cd89dafe464e55033937778f22d42b4b23616a082e7d80ee8f7969bd65b743a37f384fb21967a6169ea4f7be8ebfc77f21582a58

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e6412ef661d8ec95bf05ec5e48e95bdc

SHA1
660e1256cf666b8496bca3ad19cd7dfff47a17c8

SHA256
32bb9a55e9013df80f07cf92acadb974fe53c9ef36a31ca32ae5251b2083b395

SHA512
7f94592d80f6f8d13c2c2731a703ee2acb73c614243e278d179fe5a42763077a48dcbe6a3677ba72ab37207177f3c6310ce4012b63544ce29f55a93471365991

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e190709f2b72a9c3c5ad632eb14d1d42

SHA1
c087614d5b39f9c0366fc91d160b7b67ec525b64

SHA256
981dcab4e0812a6cb4b2e0cc8f70b8c82e279e02bf74b92eea8593e72fd61b45

SHA512
43cc089fb2162a1099783d3e2e5d64776b49448fce6afb074fabb54b0594a38254a90476ba3059ce905ef7e646974d1239b1685f009317edb422cc2ec4a2d367

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5b966d839647f11d41b7ef0b23f6184b

SHA1
460d7b1621f2c26e387dbe9cc2ccc5d1607226a8

SHA256
2f326af62a06625e47636c2160b073857e982d36de714a1e97f4a5b136638714

SHA512
df0ddd2c8a0f114f6500c99daadbc62da065ac34c2ae5598cc4520489cae3776d1cc48d0388c32959fd3ceccd4a5583d49c13c186a29d70c28ccca692e6843ed

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5d982cbbff2cf422d4f35e206377b0c1

SHA1
2a872cb5d70f3db181c2aef9cee38e51ae070376

SHA256
38fb215628890c2ff58ea86bebc5cc1b49f01c5c81268644fc84a3259b6367b3

SHA512
3c4404eca7f8012d87ae59286321d485f2ae44dcb4d35eb34d6c4414c960c7adb6ddc99499bb7453375c1c809498966e728e7478798f7128298b52bce40df06e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b6e1eae34168f8bdaf453f687f24b8d9

SHA1
7134a49f7835867905a4ae3e7311937002462c20

SHA256
9b8196a4863f3fba419c2d504dfbe4990df4666ab5a66511305601bfecc87eb4

SHA512
af3e3ffa25ca5858d9b996a0b54ac3194b64088fe29a62e445ebf1fb0395349cd54d8c868329d4b893fb574db720a0309ac659127a8f02cd50bdcfbca73abe25

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
1cbe3c9c45426d195b9661cdbdba3f38

SHA1
ddf58571e7cdf0a946e4feef3d944e6b3db88ba0

SHA256
0f819e979874b92d516bc9828bc2e8d258a86e53484374595980013e6dbcf04f

SHA512
ebf2a5f10c1704c38be9539064de11c768c813459d18b8611d84a2eaff98fed03ba32adec06980d1bed573681d2d659d3c574a28fb3fc242c4acb5eb0cb77e2f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
daa941efe9cc5a3cad128b58134d1188

SHA1
a1b890b106abd61fb66735c3a6e4b8eab3d77ed8

SHA256
16208a2bad1491981204ef2287ca7840448f8d28252ab13f9301730bdc00382c

SHA512
ead0f6b86d119af86ca969181ea710ff9b761ba11e696e09c4536e94dfa876bc7bfd563a6d68154563137768ff420bb39e71e3f23ebeb19a15de769389bba4d4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0dc17454dce8e8124373c51b57d123e0

SHA1
9f23d79334f11d1431a37d91ca290f670df8e8d1

SHA256
0207e6924af02f259055cfc466d570fc206f1e56bd9e62cfa23116fd9d46e747

SHA512
be19248337daccb5adb78631f2330edeb0bc89d50fd9be6fdb9c8f8f3789e57af6cbf6086db4cde448d9c75a4ef185e7237b8df4a5504bf2d79368f2a722307b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2547f6671f6ac342789e618662f7c6ab

SHA1
e24730f83f53e9ec749bd6a5c70e98863b777f80

SHA256
311afb3f26dc4ad5f8b61dc4da6694f3c247a5a1781b9b3163edf66a6a3b890c

SHA512
77da1b8b6f26e542bf8e7ab71df782d434deef715bd0f28161279729177c1ca914dca8dbed9e55d481bd59c8427ba64cb29f2c23a1c5edd748d13f3dd923feec

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
5d97f798a3b06b6b82db4b559ec4913a

SHA1
d854a5830375b0d560be876d10b5e3fe9e315540

SHA256
3020db8078acfe1759d3a69bee0370d692a026d45399da4d242d4cfff5d65616

SHA512
f7cc67a5675641d28b65b35d3b7bd59c06470088f5f1d580b67f8242780c2c694338a661f45c660beca76455b8441009d18f2ab7f1e9ec3a68532399067f6930

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
838f960b1ba225ff4f6f23a081766f2b

SHA1
cce6cba345d6a53cd98f87b03f24a29166f84427

SHA256
6e4acac99efc1fe840cc4db85dfb8d9c04a2591462930210a2d49d50f84884bf

SHA512
6326f95fab007a5aafa787c5527481b212652f755c776c1b6c00682beaef0ead47c46871fd934ce95a950033c7be02787e8a4bc0f3649b17241d67dfeaf71712

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
fb3d985a36b143759eee2cc31969a596

SHA1
6537267dcdcb4471dd986a1c37d458dcb19cc595

SHA256
d951f94c3db880bc8a2cdd904687e6986bcde9dc4bc3805539ad65e0e5784f66

SHA512
a96fc6a337b18d20a536173240c237f86d8fb0087a224fbf0c6d8a1cd40ed7b03699c51bf7f786d07044fdf4bd3c935183a68252fb60e490b9bdb40f40cfd8fc

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
89ac7be5d0165c72c2d02e7719e77c06

SHA1
0f514e0c627077c11cee5a94df01b75468f4aae4

SHA256
fd395cc75c69bc7d65283c3e8df196b705fd992c67880ea2c006da78838e5bc3

SHA512
a03f62dc7d608a7a841952903d1dec554ef49412c021b9e5ad26fcc55465d6f32c5a1a933cd8d00da53760f81cb7de3d6f38c9287163890ccf2222c2839b2870

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3360dd31ac72523c1b7778182d7aafa0

SHA1
5b0e77b73c1fa90fe48797e9f4292362ff05d6b5

SHA256
2d8904a72107db4cd8d1637c6299abcfcf343b0db08636a4cd6d60479629cae0

SHA512
f52bcadd5f104d7bd0fc9e1f84c627bf52ae5017019c0162222cc368657c66afbab97b71a080c95897d237d7b2352a59c0b10826362b44235ec149e2570a50eb

Download Submit
memory/388-2-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/388-8-0x00000000006D0000-0x0000000000737000-memory.dmp

Filesize
412KB

Download
memory/388-407-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/388-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/388-75-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/424-26-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/424-35-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/424-36-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/708-583-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/708-259-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1492-140-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1748-118-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1748-229-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1844-202-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1844-92-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1844-91-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2908-180-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2908-455-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3344-47-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3344-72-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3344-46-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3344-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3344-70-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/3372-50-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3372-56-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/3372-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3372-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3580-226-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3580-575-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3596-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3596-67-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3596-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3596-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3772-273-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3772-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3772-580-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4076-191-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4076-490-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4672-581-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4672-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4756-311-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4756-155-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4784-20-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4784-19-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4784-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4784-13-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/4784-112-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4820-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4820-87-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4820-77-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4820-83-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4820-89-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4932-217-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4932-116-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4984-141-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4984-252-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/5032-355-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5032-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5072-274-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5072-584-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5088-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5088-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5112-582-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5112-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download