e147942a47f5cbed51caddf51f106ed13c6637210777ab7567fa2ea9d97bbfb0

Analysis

max time kernel
119s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/09/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
Size

1.3MB
MD5

d2a0c4d27f5b5dfae764aa0a1fe70540
SHA1

a66462620f6d20986da91df7ca350912303feb54
SHA256

e147942a47f5cbed51caddf51f106ed13c6637210777ab7567fa2ea9d97bbfb0
SHA512

8fd7fb07f2ec2a541c24e0dfb2100afa388795c1c40cf399280adb7c0c637ba15608fe077d94f527eab726b31e4baa278498e96019029ff8ec7296ff93028c17
SSDEEP

12288:K02r+lrUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:4ilratr0zAiX90z/F0jsFB3SQk

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1640	alg.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
3052	fxssvc.exe
2240	elevation_service.exe
4584	elevation_service.exe
4548	maintenanceservice.exe
2224	msdtc.exe
2080	OSE.EXE
2680	PerceptionSimulationService.exe
1096	perfhost.exe
2260	locator.exe
4108	SensorDataService.exe
3196	snmptrap.exe
1512	spectrum.exe
1712	ssh-agent.exe
368	TieringEngineService.exe
1520	AgentService.exe
4964	vds.exe
4880	vssvc.exe
2596	wbengine.exe
708	WmiApSrv.exe
4272	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\System32\vds.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\30e66d74352c8123.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\locator.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82781\javaw.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb18297d31ffda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001b3c8d7d31ffda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002100467a31ffda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081868d7a31ffda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000570d7b7c31ffda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000035387f7a31ffda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4920	DiagnosticsHub.StandardCollector.Service.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
4920	DiagnosticsHub.StandardCollector.Service.exe
4920	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3012	d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
Token: SeAuditPrivilege	3052	fxssvc.exe
Token: SeRestorePrivilege	368	TieringEngineService.exe
Token: SeManageVolumePrivilege	368	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1520	AgentService.exe
Token: SeBackupPrivilege	4880	vssvc.exe
Token: SeRestorePrivilege	4880	vssvc.exe
Token: SeAuditPrivilege	4880	vssvc.exe
Token: SeBackupPrivilege	2596	wbengine.exe
Token: SeRestorePrivilege	2596	wbengine.exe
Token: SeSecurityPrivilege	2596	wbengine.exe
Token: 33	4272	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4272	SearchIndexer.exe
Token: SeDebugPrivilege	1640	alg.exe
Token: SeDebugPrivilege	1640	alg.exe
Token: SeDebugPrivilege	1640	alg.exe
Token: SeDebugPrivilege	4920	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 4952	4272	SearchIndexer.exe	109
PID 4272 wrote to memory of 4952	4272	SearchIndexer.exe	109
PID 4272 wrote to memory of 1060	4272	SearchIndexer.exe	110
PID 4272 wrote to memory of 1060	4272	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d2a0c4d27f5b5dfae764aa0a1fe70540N.exe
"C:\Users\Admin\AppData\Local\Temp\d2a0c4d27f5b5dfae764aa0a1fe70540N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3764

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2224

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2680

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1096

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2260

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1512

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4052

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:708

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4952
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
62806982ffad397918fc450f749d411b

SHA1
c7479098fea7ade12eaf46dd5d7d0b929d682efd

SHA256
38d72353f8607db753f6a8ad797a597d2b27a8cd5c4a7de455562c7660ab8d68

SHA512
0bcb0aba9bfadbe16b76398c1eb2b0e608a906979d3a64f0d7604a402a8a48c9518db19a9f6d3636d6451fc01ece9a2a75c86fa461c1ca363aa1398e61ed962f

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
fa2e310fa5119ebdc70019f05e92aea0

SHA1
399fb03fdc980be51ca87c6dd04cacaabefa4f45

SHA256
f20b5541222a4b46e6d5488cfb760bf63a80e936c9b6bf8099377670a02d170d

SHA512
c24ccba4502899805ff86b145e6e448ddca4beb38e831416b6aa75a6b1640f601a34f15f019878bc6525f656d08e803624908447f1eb7d459acc56c104dc78d8

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6c66e067297cb161273e31680cc9d3e0

SHA1
a9fe4d886b274800f533f6467ea565bb183477d8

SHA256
b5007c3c2de968a9fbbba63965fa88125725e26747d07fc9450803d0be0c9cc1

SHA512
9d785883a38ca90fa3e554c278223ee1d95bc01d41307c16e20b213c19c801b95f9d192f0303e1bd2ddbead3a54ba2935de96fe0186087ec8b3575e13dd73d55

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c7e2bd6b8e74f88540d3be2c2afe00dd

SHA1
27c534d041883f86123d619c8a0b1c419f89cce8

SHA256
4452cb8dc23516b03e495bcb6083a4b08e207aa39346d4e06fa0efc12c1ccb2a

SHA512
900fdc796eed36db91d493043fe153fc4ef3987fd74cdd8a533e137304391d888924794a51069cbcb941adbb7b3b50b60a7235e068e882ccdfd05bb1ab98dc52

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
93390bc90508a5cd82670851ef9cdabb

SHA1
ba0892c4076445e80ae481b2df088e4e46fd9788

SHA256
bfaf11f6dd8f5e39c39f45e882c8ce43fc5c96be4926c2bb653b2665b95cc2c7

SHA512
0c58e314500da31d3ce2a844ad280b7eba486ad97e70de9d07fa8badfc2c01d0e90f3402d8d3fea878f2feed42ee56a540732fe289522f9418172fa2808a9257

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
3d4b6a1ddd39b69177873b42853e5ae3

SHA1
c2b7ef99742784fdba84d324aad56a4d8ed7e099

SHA256
7c2ddca87485e113ac21298a4092e6ea6453825699558ad608e095b67356d125

SHA512
8ecd274bb0e4d558fd3664c135f57e7662d4fcb5b9dc00efa7331e88ffb73d9b50174a677da3f2507ddad7ee2b908833a537260997c9e0e727d4599e22db8207

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
73d5ad26b3cc48e24d5b846c23eae55e

SHA1
ed103ebcf0812e277c8f4fefaaae8852a2414630

SHA256
7b2c9060fa2d77b3ac7a917dd198ed296c5006a22717bb5c369042cc09619e35

SHA512
2eddd6a1c1ae56a3cbe1eddf73335dada6a23fdad2121ebd347977ee210b6041b8694312e9aafd63e5a91ec17af4278da89cdc393fa2cab93fdf8421a1ef6279

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
04ebb0cabcc750383b3048557c4d810d

SHA1
3a4b6b3e6d8aaaac69619837b20701a76eeb0ead

SHA256
87df5a0f1291b959746d5af1cb9b6434e0c23481aefc4d32e364c2b2a5afce80

SHA512
942bf19f73a6c1d2084a2619679e0d8087fb1e50eb3cb21e1962492123fb7a34262bb3254012d916fc7bc0a30dc3ab7dc0f577f007499fd2d4c801fd46be78aa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
2a78537a6f6c0e56f6973536595376d9

SHA1
f377518736c65ca1b3d2645cf2638ddea34639df

SHA256
bb49102846a0fdf4974d9d88e95fd4424db2a4c415dad04ce3bb2f3bb2b1968e

SHA512
fff63b24beec34f2ebbf06098c06c6bea848247127a7e80972506b4e75a3315ecaa28623d2927c87bbc1793fe6ecda8a459e2df3844cda4fc1a9789707043c88

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
39880686d3142e458c6b535d7e5c9b00

SHA1
792f03eb19650ee57a8bc2fb673ec48a924d4e0a

SHA256
247aa665648aa61595c8166513cb033189bc6e72e3aa38a003d1d255117f51e9

SHA512
953cf61b3a5463b2fc7388b36d7790fb0bdf601cc247a4ccdcd7e63f34520bddaebd9751f0db60e326d6edc86d69ebef2b23ea6435663bd787068288aef9b4fe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6fbd1d13b41d076d4519fb9e50607c19

SHA1
94a4ae28630425f1fba366934ad2acfd4f7403f2

SHA256
7a9a0ba5751abdf29dd1cba41caa0204cfbc4834086fd9f5ed361b6ad77d11d3

SHA512
29694a8e7737519689a6546abbe3cf4c6b7d5ed534f028556f8de14fd745363aabc6449a6775281a1967ac45ae01cf6c61f738b74ad9fcb574c3d0b4308db94d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a78d58e70b38d3f062f9d9dd7206dba3

SHA1
072d6630c2226d35f01512cddd4a2fe3c00adeea

SHA256
7b589595d848add5c2911547943adef0dd54a1a1ccc4aeb9ecd94a54f47c8dc6

SHA512
4a0072566f39c23ea81285035f08509739f306828589978da21c14dbb102327c7d50b0746ef87b72e5c1cc6f1853841410d4d2bea43fb1cb16443d008562f5f9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
26380a290186e802a74fbbb17054015f

SHA1
af85179726aea043b0c4983c013b6b61ea70f414

SHA256
6a6ba7e83355839bdc0024543ca0269f1177e56bcc732b093e8bc17e2180eb14

SHA512
5a050f16dffc0655925a6bd793767fb8dbfe1cfe6178f24c6ab7d3b21b1aa14db25fe3ddecf2662692aff8eb64841d0752af8428f83d33a0b048cbccee01cbf1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
b6a4b59c465418ab3cc0fc8f7a3cb028

SHA1
e553121da0a4fe49f55bb14f1bb5817fda80a49e

SHA256
250015a84982d624de45fc5f4a52fb426b3adea1a8c305a0030399166024ef58

SHA512
25a60d3d3aae12e03e24910265d28318e102f1e33e43f19f7c303185727ac826df37277923241751a22db1dde754864c5d4f2295d37fff027c60daf71bb4c92e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
248c2791bb91f37bf48c714979d12086

SHA1
67cc20d2325cd1b339b7a07e0d5ae6ccc20c587e

SHA256
2d3faf45a9eed88f9d802f0c20c76438c3dbc89105166636fb684e8caf376ad7

SHA512
866c348045a271c42235ab0c13b4205b1bb10eb606ddc6dc35e74e40909eb8e3ad6a8c4e5424930eb6e8f6bc77142776756b09a327b5cc6d14e4075c093f00b2

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
4301a2aa963197c260bae990282f2e89

SHA1
db7efdce85bd9025b801fdaf0bcbf1c5140131c8

SHA256
5d176a4b49353306c405ea484109cbe857b292c5bf2a4bceed575464397845db

SHA512
6e50755abcec0d7e1372cd02b0c42b51dca69935ea8c415ba80d9c36a0c26329c7030ecf019a6453b7d573380aeee8600621580a3679c5722eb86480363f0a7a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
23e8284ccd4a4ba7292a1d214570b124

SHA1
4e11c337c6aae9d24607aadd782b07ab6ed2b3ef

SHA256
d25dd67055fba530d5241bcfad05e51aca4d7179b7fd389cb594327d5e2f744f

SHA512
c3247d3d0cc5d804c44fa1a4e0bdcb6cdabb3dd56535663f3f9c1807a81e06a71a6fdd454258bb6f245d94f58e13b80a734e6809b576966c709d444dcbf37fe6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
caa4b665027187d966a5b12bb96448fe

SHA1
00f2983c2d9a178266cdb13211027b377050f791

SHA256
27be7bcd73971a8d06dc887ac0e1f37dc4383badfebe4e63fc74c0dec5918ca9

SHA512
19a9df60c904460305c7fb721d9df9efb1bf1457ac0b1337223e14d7ff2abb426b10e97586a29420c45741395cf9df8ca4985d09c061f51a1815ebc8689b404a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
2617b72b68e37529081e375ad759fd55

SHA1
7605ff69cc6e98aae0a18538c3ee6f22351ea176

SHA256
c1c6a718ef36d9aa9541c35332fc9f6c4f1cc364a42eea9377d081c043f01bf3

SHA512
69d110ad9c993a79d0a646e04e729223de7a1106e2d7785ba38fa9ba61394481298cfe05467a602908b1cb98fabbac1ada1c24e7718038adcf3c03c0030e449c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
cb9dc24ca8e86f74f3b694aa7a627aba

SHA1
c3334144707f837e019639666ac119711511d294

SHA256
a3c2ac3def658bba16b0c4bdda95dbc48a58ddb96cf7dae674bf79aff3c0854f

SHA512
c0bac242975881a9e63b483c85e4e5ec31df8769d8a77f747a8959b17cd9a9886857ba82fff6cfeefa8be46c7346ba6d4a3fa47d45f4d0ffcc5a6abcc9338446

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
595ace98b19b57f551a14ef22160d667

SHA1
8a83ea818a3c020cc9dd11fa8ddfb303439a60fa

SHA256
547b0a74a3fb7c82a4044b1e6e1a773eed825db95cbcfa67028835a8f62ef86f

SHA512
ccd7ff2738c4118da235975a54c8fff7ce9400e6b83ac8dfb6119add02d913b6b81b2aac9c279fb73cd74f66313b43f1f2c28ba78ecb270771732853a4842aa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
b83b649cfa1bb92b2476a7528bbfbd9c

SHA1
f35797de571db068b67647a484e768f7557fea20

SHA256
74bc9a0f5fb33f9036b2b69b2a1b925ddff01052afe147549be86eaa4dcff4ec

SHA512
369a05c09b511a677eacaa9a7a4f7536510e9caac18dc089312711f2565bf8c37e7ba06801f436e5da3316118368c822021d87dfae82707db5da64091406d477

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
7696b0d6805bbc1c025c1970f6750dbc

SHA1
144f5394ebe2587e98079bca7663b1db67ae7793

SHA256
e4183c13cbd7c374ecc726722fbdf9f976c0c20f8ba4627edaec8075d5fbf34b

SHA512
57a22ed6a57ce8d9f5d37d4290c5cf3ba157fcb3f88ff627fdf66f26315717cad086b32b8e47b7d9a8db21b9292ccaac7d7127d5a39db1adbee7d84a05ff0251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
69a67ce24e989fb4b16f5af88dad854f

SHA1
261190cf886d8fa489eb6cfc82e98317ffc146f0

SHA256
7bdc95f4734c3a9e5445e6103db429a3dfa3242da0a7833b685d035704558097

SHA512
3d971b70a5d6387fcd90c60f19607319c033b48ca329448d7e0595ab0feaca9a192a08a6786591cff1796572dcc6996bd69f7c1afedff71ff5313d881e771892

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
c81ae394068553431dcc71b1b5709aff

SHA1
ef619aa826b7f97ad73a19964a962f2cd532f5e8

SHA256
574a9062324dc4998ae454d355a604719d85adf832c5e058119e9d2f821d64ad

SHA512
f4372d872d47b3fb72f86ef275e5ef67d3624aad217e70d53a743985dfff90d73d7f0951bec18c1cf3dcf74188d7aaab8b743cab2a34835829af6beda2f97a28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
ef26903869cac23767103141fa089984

SHA1
454495f5f7149f4d59770e8e3970697165bd39fb

SHA256
26b7b5c4c96338e96c6efe59edfb6052518b4845eacdedc0d4c15d469b2041e3

SHA512
863ddd528df7045dd3c35571223aea0e73a249057345a869f61171ba68b24651cb0d2d074f86d16a10449ac9f36392083bb343a42972050791c4278bb28f95cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7bdadf0b48beecbb9ff6f04aac36d60b

SHA1
3b4069f712b7f1f9b7ce5162a33709d933bc2cb3

SHA256
102a1d69014bda0513d15194e940ba1c325deed2a989dd836c78b99ac7659ace

SHA512
c4c77301ec6c511408b764c76c37efacbf32be9ca9540f21c390c0dac7b593980f288247e861917557bda5f0e237adccdb4d9a9f24c727f57f6e00a0b6b49993

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
6175a6053042948d8aec5248201c42ce

SHA1
17fa6c4ba3443e3157d07368e7fbde8693064c39

SHA256
3451362e1e4d13b718da9c7fd25baea6a7fb7a365e0fa8b03cab4db15e2ecf8f

SHA512
b33282ff0a34c18b80073b17c0ed0f332997e9463884bf079447d2aefdc76b1c0a02f97b4cf0e04322ca89acdf9ad0a1bb3d48879003c1a9f259ac6fa7d9e01b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
58a859affe2054cdbecb2ab877430377

SHA1
1a5172ab384270a9c1569922449baa7d2139b359

SHA256
2254217346bc0d6d040c53dc2a3f7291abfa802a80a157d6b35eab5804b909af

SHA512
dec4500afa380b6009626f96147a3ca1141ab6802f501a5ac68c61e75ea0ad6401c8b47abbabb3e100d91bbb25bb850aa52abee55a68cb534c47a294727dc87d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
15140925d928bbc15ae756a20772e095

SHA1
42f4e3e92900d54ea847475fed4ceddde4d16253

SHA256
c14e78ebca87ab58820915997ef0291de11ff3ba43ee9436bb8ac0d77dd68203

SHA512
6f64bb75afef9314546ae7a53feab105200177f16d5b159efde9bbca846635bb0184abfb7ce6d5a8356b4264ac772043711fb7feb9adb8e7eff1104e8ae8d125

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
55a24199b12ce3f67690100bd7d5d2b3

SHA1
55ae31c6fe6dce4244ef848054214ca0be9e75ec

SHA256
97efc6418de4fa5a2e5ae97807c469f5dbef882853ba1b567a5d4c19b013600f

SHA512
fdd84cdb95a394ac27b8c06fc85ebb6d5417c16ffc6580a881851dde93f37b9582c3a99957bd5b0c980b8e325e75da1405830b905d52ffea69e9cd5adc8887ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
ccd1d833d94ca6c7908003f067c979ad

SHA1
265ecb04605574718799e89c2f69fec8a47ad2c5

SHA256
09043f2736b15070343836ce0eac5d419bf3ff93417496d74f02ab8bcd59178f

SHA512
706cf81f0b6b119698535a2c20d724337b03d04bf6389660717c695d8e353283b8c511772acf2542c923840e664fe40b60a31620ca6bd7e46f84c6ac2cd123fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
db436dbf53269972aa1bd76fca70dcce

SHA1
37d7ca5e375f9d901074d560d125108fd589f437

SHA256
89faa322a6cb6803a8af122d29821c276d22ea0f24d9ec7b07ecbbe50cda56e8

SHA512
d4a0a386f0c0064c6ce7c24c3bdfd9c76f5d76d6f11225f301eede8c8d181ac75c010555f4eac839295925bf2278d967ac612a48404c090ec62ed52e0ec3c0fc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
304ab3975fa2017f5d779c387fa5c44c

SHA1
150d8b14540db83829bc8533dbe887a07fa48c8a

SHA256
9b280e0a19a40c9829859ae4503b3b612f4c05b2ebedbe4d829fc30e9a8f21fb

SHA512
ffe06934e0106426467e0f5a8b49702c1decb94ce94c04c987122ee6331ae7a348acb577d0691630ae0c0917738eefd795e2c44fb482122021f7d11ab71698f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
4e2cce1bb28f01f8ec8511572fa74851

SHA1
ea236fac8ed084b62dfde4335571e32db7845115

SHA256
e3f73a74264a5dde9f53978ae6bb9974fdd9ca112f32a72c9df3573562e6fb2d

SHA512
bf195fee0e3b3f5e0cd9414a71d731322d961b51fe22fa61de008ca7d4e6e4cde12764050d6080ba03d1a3bb19d33b17064063db01b83f775ef72fa199100e29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f3115a517e21cdb89338ca095f4a1396

SHA1
9a4132bfebbcfa6851fd7f7c6fd911e07f5c3718

SHA256
d30fcc126310a2ced248eb8da3b2c11f79232846c167729d9fa05239e383de1f

SHA512
e9531f83647efa0467b0ec621e38dccec2fda7c8edf57d75f0374c9c8d4d62c0c2f181611a1d2051bb69d46a5514e2198d401517ad3b025f0814b32eb659bd60

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
8ad96326de4471395ae8af4a97d5c08e

SHA1
0e01170c6eee8403af4521ee89d944badfb0deb8

SHA256
c46139ab76ab0508f26240fbcbfd1b63fe00cd9ed830aca4f8be32d49f381ed1

SHA512
9ff76688c2187d4c27f42cdccb5f439c565f5743d91e26a9bdbe87f5f939c7e69b0f5671737595d1539b4454c88dcffd65a28dd86fecc0abe26e9096430f9ecb

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a9f97c0748bb950c3e779b841f0af4b3

SHA1
d257f04e29cc21901c801b7f150131de31622261

SHA256
d6cd6e4796200f82b132cd99d52eb476d148b9c16d50068290a5f5af67bfb77c

SHA512
3300c765a465837b1af7ebe2114caad046cb799295d05b7f5146dcf92925e5bd5b254b2ac571dc22db9c58154185daafd82eb039670a77cb688d024cda5b4375

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
18c92929e664f79207ab370e7670137a

SHA1
eaa96cf22b25e66c6d964b8f548d27322235fcb4

SHA256
bc5e4688418d739e0ba51d9be1807d537cc64277d1ec1bf3c2c12ba54cfaccee

SHA512
b4b06fd0ca141e4e70443b90a7d2c1bb7ca1d65436a1ba2a38c439a9e2f4a2a09d923ba94e85886c6a24b2d64f5657a35617d409f7261d1d137e074b618ddeab

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
6f79678baca3306cf7a2903d11da331f

SHA1
e4dbeb3534fcffe88f1b5cc53674d5397a9793e9

SHA256
87699d246bf5118e0036977d653bcc22e9bb7e4cbb28d34c5f3b5a14f5cbf28f

SHA512
e1390dcf27c21811067929e799ef44bd423a0d6f0321cf1c0a98fe3f3e183e2bc710d225dd87318e25e03d5185e165e9888c4366607c5126ea141f563c35a569

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
58290389cdf50f8c5aec649581e15012

SHA1
869a89fdee3a70b9c10666a7b43ba107e122ccb5

SHA256
c9140c41233572fcc5675fd432e635c6d5549a4c3c63da258b3a0053d8831ce9

SHA512
8e66097604a481c949a839fdda7460c1cff3c7245850072ce98525cba7bfb11ff2f193563363f14d98382bd4c34bae6e19172a44c87590a27c8ff15e7b9b825f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
9720d4be5f613083a41fe90e43e73b71

SHA1
013cf2b4b7a7bff53cf315eba86775cee3267de5

SHA256
52990d631af709012439daec7d0dbd9b8e80d2aab60a0be6506e67f20c9e0e81

SHA512
831677aedcb7ecbb7e7d2f73100fabb37d8621c969a10b8e4e0dd20c313b61901413764cd8791f8500608a90bcf10f969a8bb3d581419a3ac040564e9b1c94ad

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
717ed85d4518b98d9c196dc54adf870f

SHA1
c472fd3d3dc11c68c859a528d2988dda3995f40a

SHA256
3548e60c43e9d547ebe26fe6151231c89fc46966a57d3ef77633ceead73768bd

SHA512
d96731659cfb33609f3cd7b57f4bb94be6bae4582f54f7f9ada82e7c38254d0cd1afe75e5bfbe0d972470242c2aedf2ab7394d33688590cef7f94c58e136d86e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
ec59a5b3149fbf7e84551d5df0965a5c

SHA1
e59ff7f828e804cefe4dbee00ae079156d5767b9

SHA256
7c85ed1c79b354cb18e58fee6e28b044a1ca40f04875260f9d629329b5a2f6b5

SHA512
8864a6b2ff00d0044ee8248b6b88d4c2086202458c0da25be17f593c9c19b5987d9cd3bfbda4954ba9671011ac65f8ebc7e6a5a51ae0f4093ea9809234382144

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
a1f0219118d66ddf5a9bc93c5382ffe8

SHA1
d77f633806021623782b381ffafaa580b6bc25ac

SHA256
5273bc91d8be0d155bc232343cc7cc0fabf8a6001b1d6dba5e5961bf269eea23

SHA512
1dd3e2f06134c41b65ef4313e170df657072c26e1b1d5790f1387d086e826d65b3795f0ad3f07125573d63fdec24af565ea2d86dced9ebcc09be6390e47b34a4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
3a11766efd0e6e9f80ee9d0e894ea9e1

SHA1
56afce53d105bf1ef0b2e14babbea3f2058ef823

SHA256
054eacf266a9b29afa1a02712e154b34dd81957b0ca257df0951a2359573f312

SHA512
bc919809cd4793d4192c29372b3271937eb55298cddcc28cb4b994af097fa6784961907ebd7106d3fb93f8398488424930ce97312eed70872c27272e45ae4a31

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
790dea894d05fd06b6f3e30f41567e21

SHA1
dc6d4e6b11cd665b997c8a68052ce949ded92532

SHA256
780149a256a9fe5dbf92fd13ae76a3f40c74ad445324eab8f06d82ba9f11e45a

SHA512
5c49de4c2137a16d53b6bd8d164a8bbcf907fef8491c85433b88c955b5de138a1744ee4f78487fd2041de6246f6e623eb70060b0ff427c604e1445d334704134

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0838075c581841cc81762bbcb2b6451b

SHA1
5d61aab77ad9ab6ff7b19d10186ef5a431a1b6b8

SHA256
bfd9d825023d6067e746bf3c587e032e8326411dca782806aeceece2200542a9

SHA512
1444d96ab75c5cf169c8b578504ae806c5e5023a4f45387b6d847a7693b9443fbb3abc95d050fc9f09160439705f0b8650085b666b81a798e633b73b570523e0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
de0337e478fcbc00e05923eff4137efa

SHA1
226ba40249dd3f3a494dfb2118e24456104138a4

SHA256
bf5b7ed2fd2702580b653b578e1764a892851a39d496cde8eaf90c66dc0b5112

SHA512
1bd5c65427b93eb9f984540c631919d9440c219e7e71f684958fec48bacb217968a1736fd4a89591ba3e20b4e5eea70f064a4aaa93df29dc9991b4f59dc44852

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
24e873fba761cddfd2717e282d251501

SHA1
81672b813d20f1924de7cf3f3e539fc4263a8062

SHA256
33c19b3e7f6af82d49ced9aa97692ea8d3f4966cfe0420c31020c6628e9e371f

SHA512
a57b20f638b24835bbb5a3492296a6f315ce6617b92d2e79c6c70463c95a565af204615bf84be2882ed6145b537ad4d8be07923ccb39d3c52a1e51fd63986f53

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c3646358e0a47e4a4a1e111898082fb1

SHA1
c5960ee8ed231127e509e3b254e55d376e0c78a7

SHA256
a073e849ec438308f7d165b90d09dc2a0e625e28b0b1666cf8cd5071b767c070

SHA512
f833b072540676fd63e45ce2c40b28a7695e9979480dbe29d12ef170a8de5d727e512269db69eef7ae07d5e3125a322505285b075200c459e6b9a059baad1f58

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
9256962b53f3b010cf6d702ce9c7ba14

SHA1
69c67df67ae599b2ba8a613f919b4e7fd4536f0d

SHA256
c953da583c62cc43c0cc2b5997bf497c53403ed73eb1a0864d02eddbe20574b6

SHA512
0111bf1819f7ff649e129c950182e63fb763999482312a477b963139258b077d3b0c11662cc1b0a16b26f5716bd139e15111e55871b2e139f66c75a87784dbff

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
35efa280d5c32690a5645273328763a8

SHA1
0d3a945d4d0c470369125f81ce8f28fd55346313

SHA256
284436817d78ad8bccb4b9eeb79dc69501620c23ed0c71ab04cabc546e67f867

SHA512
a54553e2ff5af6654b1a9b8140dcd882d4fd5cb4c320edcf3a321f4f9f8e5565460355dfe4848e02c7ade68c327e0ce17eb4ad95fed488676d9a303aa6be106a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
c4593d9b9484aed936d63f384fd96613

SHA1
5ddfabc079dc695041776b4d9c6147f8bfa772ba

SHA256
f805db54d4273e27441616d9c1d345298dbeb7fed7991fb6071ce72545c7d96c

SHA512
86af602026ee4f299fbada4740729745860514b350ea7c8e515df1ec470b870348daa0dafea2baf372946a39a625b1948eb1d349fb6f98c72067359ce56ee29b

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
140b670c055a63df8859e615a93548af

SHA1
476aca47273bcb2bb3aed590e64cb0bc8aef8be0

SHA256
bc4a7c911daf289a911a4246bc677430b2b466f15212bfba7a26a2f473d316ea

SHA512
0cca642a41ed0cb49fcf03f8cecab44bd31c3bcc6e9a972ba395b7096c29f8c551d41e41cb89f6bec2c2a02485ee844bfc546fc3c61d5bc13983f21eade16a9a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
b6f70d08fbfb984195eff45ec644e6ef

SHA1
08392e03080b85f3521cdc3b64f1135704b63c49

SHA256
6c2bfa260bd6fa503960806938280b9300cb9771f76719b799d2d0c8c3a18e45

SHA512
b0d106b75a75a4c41a8a7f9b687172f4b48ef6d22d5a88fc3cf88bd4f65519daa9180060db8ec1f3c92c66909c541c13086e4c826333b264d6a2ed33c67cc775

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b800466774257b7f98c055018586bbd9

SHA1
f9ab49a9fee18c39cb2db12e021c7a81bda3c07b

SHA256
b3f8ef51ea8244adfbf948e40794c2f34de8eae22a71bfae39dfb8075154e76b

SHA512
0ec4e325e117e36d74219efc36ad4df1403672eba3bc639a4956201c3295ce0fd9dc24848f171c086feb899e354e8f19de09a8a59d9e9882eb815a2087725861

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
17e7907f1d7a9afe0a519efde60fa81d

SHA1
9a0e94f8de3c0cb73610ace8127ad30cf3dc6726

SHA256
327544facd937ccae625ffc2c91b6c01208035fe431ed868b43c98febc884fc8

SHA512
aad7b2ca6b43f87772ef9f7e6ce1d7ca1107ad745f4d590447738f4a578e845bcd1ee826ebbe2ad91a650cfd519d4a7293c743c3330b5fbadd1e575bc26ee530

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
3a4171238e94acc8478ac7b9bca74d4a

SHA1
6d9fe57a4fc30c513619a969fc35741463bbaebd

SHA256
dec7a6c072924c5fcec61715a573a0f2c21ddbfe127abf1100c7aa6828e05714

SHA512
780a9fc87f21b5d4b8b907761aa4709b3642813fc67db94cbf241910c93ca3f673ef63c5180aece8b2e5f80d79a7fbbf84d05a28f043cbfbbd48f8d6869c528c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
b5187a3bc97c808aa0bf9af2b475d083

SHA1
3e0e0e66a33d924c9d95927908774f7cc4ff1f0a

SHA256
366625183392b682985c4b1750e9f3b42bd816076d2daf030fb8c64aed9fe930

SHA512
b326cb6bc2cb94d1dd55961ce1ffcda92b712bdb8c9b9b1401ca813d44808100adc53c35a8b8483235ebea38e8a5cc14ed1adfee46f89347ee936817f8019523

Download Submit
memory/368-263-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/708-587-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/708-267-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1096-253-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/1512-261-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1520-196-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1640-18-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1640-439-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/1640-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1640-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1640-19-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1712-262-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/2080-303-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/2224-87-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2224-270-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2240-250-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2240-586-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2240-50-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2240-56-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2260-254-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2596-266-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2680-251-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/3012-458-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/3012-7-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/3012-269-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3012-1-0x0000000001EE0000-0x0000000001F40000-memory.dmp

Filesize
384KB

Download
memory/3012-459-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3012-0-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3052-39-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3052-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3052-70-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3052-59-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3052-48-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3196-256-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/4108-519-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4108-255-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4272-268-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4272-588-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4548-83-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4548-85-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4548-73-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4548-79-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/4584-304-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4584-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4584-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4584-589-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4880-265-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4920-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4920-516-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4920-34-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/4920-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4964-264-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download