610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21-02-2024 15:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
Size

1.8MB
MD5

8bc2a2211679bacc03a61b0ef0c2a42b
SHA1

89efa59b1dd4378fcdabc590a77bfada9f262fab
SHA256

610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c
SHA512

0bd7750330bc19b8f7bf0d68f8fd7c6dc7da2887def99fc5a3b3ed07253bbbd5d1e443a0c6a3c03add7791e4159c0ab6b11f3da71f6cd32d329556fba5969d38
SSDEEP

49152:AKJ0WR7AFPyyiSruXKpk3WFDL9zxnSFpAHrVQ1/fSNvi:AKlBAFPydSS6W6X9lnapAhQ1CNvi

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 21 IoCs

pid	Process
3748	alg.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
2468	fxssvc.exe
2612	elevation_service.exe
1980	elevation_service.exe
4108	maintenanceservice.exe
3348	msdtc.exe
3724	OSE.EXE
1864	PerceptionSimulationService.exe
4240	perfhost.exe
4384	locator.exe
2224	SensorDataService.exe
872	snmptrap.exe
2960	spectrum.exe
4916	ssh-agent.exe
1040	TieringEngineService.exe
5056	AgentService.exe
2608	vds.exe
732	wbengine.exe
2228	WmiApSrv.exe
1012	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\locator.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\System32\vds.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\spectrum.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e938218f24da5fe8.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdateres_hr.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdate.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdateres_fr.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdateres_ur.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86593\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86593\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\GoogleUpdateSetup.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\GoogleUpdateSetup.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdateres_en.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdateres_kn.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A88.tmp\goopdateres_pt-BR.dll	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd009de7dd64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000445edde7dd64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b8a87e7dd64da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000d4ce9e7dd64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7d976e7dd64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005687c5e7dd64da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a3c79e7dd64da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3124	DiagnosticsHub.StandardCollector.Service.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
3124	DiagnosticsHub.StandardCollector.Service.exe
2612	elevation_service.exe
2612	elevation_service.exe
2612	elevation_service.exe
2612	elevation_service.exe
2612	elevation_service.exe
2612	elevation_service.exe
2612	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	216	610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
Token: SeAuditPrivilege	2468	fxssvc.exe
Token: SeRestorePrivilege	1040	TieringEngineService.exe
Token: SeManageVolumePrivilege	1040	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5056	AgentService.exe
Token: SeDebugPrivilege	3124	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2612	elevation_service.exe
Token: SeBackupPrivilege	732	wbengine.exe
Token: SeRestorePrivilege	732	wbengine.exe
Token: SeSecurityPrivilege	732	wbengine.exe
Token: 33	1012	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1012	SearchIndexer.exe
Token: SeDebugPrivilege	2612	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 1476	1012	SearchIndexer.exe	114
PID 1012 wrote to memory of 1476	1012	SearchIndexer.exe	114
PID 1012 wrote to memory of 956	1012	SearchIndexer.exe	115
PID 1012 wrote to memory of 956	1012	SearchIndexer.exe	115

C:\Users\Admin\AppData\Local\Temp\610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe
"C:\Users\Admin\AppData\Local\Temp\610a6cb79f35a26c7f3e8bd70f77899ef15d680df54d617ced7cfb3ca7e1069c.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3900

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2468

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4108

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4384

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2224

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:872

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2724

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2608

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2228

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d90adf50997c76e5078664263bc2b291

SHA1
16d662abbeba8ed9d4fcf78ed55a3bbaa00b4a31

SHA256
f0628be6472a1709bcb81d738f71657a38f132826a438cacc38086ddef961883

SHA512
2d61fcefeea057de1676ec3eacd45073ff2c0d3b3bf3131ca675317eb6c8ddc1baded1e6a56cd68f419af0db8d8645903c9ad197106ee0e920192accd841b828

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
24a7e3146c40c1ad6d2bb0d00b2394cc

SHA1
ca9364b0ea70980c4efc3506a6c8738cf51dcf4a

SHA256
4640d87483891fb76c21d9e95dc8e4ce59639e445c08fa74d7187e09a0947e79

SHA512
e7a074560060a963a906f9739829bcb6dda142cf7be0596c858deec5f9b59bb65f6fa23b7934e17906979e0250d75902ea3c8a14cacbf562af28614c9e3d461c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
d5edb1888e9c05bd9533c89d12892d64

SHA1
a07049dcbc80055f9487733a7926c3f1cd5eda56

SHA256
e89d38e18adc047d2cc294536c20671130e82f8bf310a9279b7e5409ccf6f195

SHA512
53b332ac40a06f97ad3fb2d40261825b4e09f9ef2c9ef2af609539a3a866ff7f291a5cfb1d9754aaff8998a91b33c9f01f3e75d15980c8ead5e92bed5c9bbe60

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
594KB

MD5
4cffb8dd078178812e7f5d7d6dbe0e1e

SHA1
6e740790dd49b118558a209fbe9ea99a2ea5a087

SHA256
a802ce50e9bacfc78e92748401502c483cf8e683da925d856bc49d9f8d5fe66d

SHA512
30e4f6cb65b499c6b0e5048af9f1b86680cc693b3d32a41bd6262339174812ef686d8555539c19199443566d20a37c6e84b9b0d2f8baaa0a5df53a76626cd586

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
576KB

MD5
565a4aceb89dd90ff1a34db9039284b7

SHA1
a5aa53517d56bf4322bf83f1c9afffa5d7782798

SHA256
dcd8b92f799d314b312a64b62b3f9501e31f7ab2e8cab5c3818cd5fac659db0d

SHA512
289e6034a1d4b791c4bd95ad505a067fd97089aef6a436e72111ed2b8e4bb9e7b6cc35f047287fd9c550d79ba73b99acf4c7942cfc9d50a8f381a4bb66116b9a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
454KB

MD5
a6c6b5d04e82e4920cb4bf62b4107da2

SHA1
944e3def88b968e2ad40192b66f829efe3587597

SHA256
8b8bdf82f631e901018941310a08132d727a3d102bc818f3a105d90bba7b9c92

SHA512
403141fb59fd02275f83120d6fa184f1984eb12a87209fec7ce6c263e3f7f5f19bfe428d644f52e4662ea0cc077892f509f10cf8d70c435d4499d9c2a6c19ff0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
384KB

MD5
8cf1658a96a8a028827c5b96178a50de

SHA1
14614a2ef5c71bb3f990c15217175ffd158a7de8

SHA256
8dd8bb619f0b67b685514bf0ea5f7cdde96de23d99b8a75a4e04d11aa87f79df

SHA512
ce05fa46abc3d474ed855746f6f9537db65a6cd674a961a20f4474a96961415277f769fcf731a29ced3a38c3c6926b8a92acfde9b2cd089eb9b04b7a36ba3bc6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
409KB

MD5
eaa58e1f51f803f4c7b969e9cf814ef0

SHA1
db14b906b18a9ad26258e5847f7c79cd171c0a82

SHA256
c351df6127edbebbdce1ded214a8483e708b12e09e6aac7e1a8162863d819e2a

SHA512
5b9c1937fa399af54b2e0c9da0c697d362db5731b4babf6496f409cca0d49d40ee6ed28946bcc28fd65a3f47d1853ee33488ab0f0dc3860fc62891676e50686b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
401KB

MD5
1e50acaac0149f62216e87f9648899f9

SHA1
14dfb3dc4952fbcd0aa97162ed9fd43f78f174b1

SHA256
42bf46e6aec5a3ea444f986a22dee30c957b7a68940d5945c58ad05adf88df5c

SHA512
af825a0ccee339fe82d7b820120cb85b99e91730289c67b5123312f17c04d7a7318cc9ce621fcc31e131686561950056771b461dfcd011747f262fe1b48e3ca8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
452KB

MD5
6a1df0eeddd67cb02dcb73c872cc1654

SHA1
862995ec31b9371314850b4483b3772b0053261f

SHA256
4dc411f21988077b565921f118e3c5a3931f9a6c8962982e7c0aa06140f3159b

SHA512
71030785cfad2bf0433fc518d68d7447bbf0c3905bd0104c1f90ea33be1429f1200d5f875a9ee0dd41802d84ac9a6284c3da9c53e4b8283e1628c997a952930b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
604KB

MD5
b953416aa371cc054880cee89c12c4d1

SHA1
d48888dc038e1e692588127740f5b72d7a646810

SHA256
4d7771b1837fcdeb2bbd90c602d567f7b54ec7f7c27b31b103970e9cf551ad10

SHA512
f6ffe88cba55f72169fbf9c0f38dec59388b70e1b07db96ebf41886787e5443ee6002acd9c0f4c9d982943e291f7844177187204593080f82a1512ba4a096020

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
59eb7f8c5717e0d00f7385af362e36d7

SHA1
4affa89ba7fd571daeb9eb94f05b84c5be1cce6e

SHA256
9b7a507a2563ca68936f2d66010a9013c245cab67258e8cc9156e6315aa1f5e2

SHA512
4dd079150e7963ebe685a2929135e4e3225f250f24d9e3d591903af1cb52709fb6fdb65f113d175bc9cf5866ec5cffba95ceb58be0b05423ccbd8631bcac410f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5e1f39b903f471af7f085b92f807e8d8

SHA1
1e658de514d6d8523dc9daf6b94c54c46745030a

SHA256
4e1acfe1090b96acf9cdc9899f0d81928ace2b2792e77ff53714a8f589c3e35a

SHA512
337b4a4e96c3b7ab5528eadecf628de313363c218ea65fece732062553d53793d75625801fbc0728649120c2468234de981197a4876bdadfa984c4e58f012587

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
da391a7af9556c6965d7b8b682bb8e1d

SHA1
ebc979f0b42a183252b88892325ff330db492cf0

SHA256
7f257daf4952c52a7f767fe40188c5ac7f71167217f81a4844a81786a10f322f

SHA512
1ba916888e9d39d07906e1b696c3542a69f89fac695db6f3cfbd8bf2be914b9b6d9afb50c70ee2bf893a5cd2731ee391e899d608d4df4a5d899d2c6a55a183b7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
1.2MB

MD5
d336ab2a2f82b2fb80be0ab60cc74c81

SHA1
6bc201cd112a870be3a4a793d25d4aef19afd19f

SHA256
9bf57325422c54f39faa0bb3790cd94b193cba11c916f23e2aa042f8220c95d3

SHA512
c74a2fd4ae95234367008ba39b266d8c6a8b507ae5f716a71e62df4741293bdced86aace75eeafadf16be202b140a1737475904b692b8f5b80c5cbf8a653c7a9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
1.1MB

MD5
fb7f8eeeafc294b2eb78e9844bedda67

SHA1
0dfb5105d8c0f9411ae9dafe824749ba5ffd9bf7

SHA256
0c555083005e06455e60db052565861d5b2f74d2064c0c8abadf244572b56b4d

SHA512
9d0e74882a9c44b245243fe46bd1da7ba4415c45488ba3387b323a3bcec3dc4bb890f2bb489cf23c161fb504d158f0ca0200d77a800de9eca67be1ca95ad6969

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
1.1MB

MD5
71b9fe68a148438bec881188bf8fee0a

SHA1
56ed9800189cbcfb1e11a4d19806b001f3b76ef7

SHA256
40b86fb150a256143f5cbde81cca3038baa4d3637f34cba7778dfb13340bab08

SHA512
3d3b2312ef9281282689b598c5265b45d7066a27274e976bfbbc1f30242c9fc4d8f0e17eab6251f60d8389beaebac5ace6685c7f54ff58617195d6d87bb6f6ef

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
670c61ac62ff6fcefc04017f65d7b394

SHA1
b0aa86cbdb906fb5c650eb97d57caa7a6fe10a8d

SHA256
0cd7fbaf6d16d5e083356fa21ff8f8ddd0a4e04c1625945de846407463af41b0

SHA512
e7cf7ada9990fb0ed6716c474cbdfcbc80124168be81f5c445fbf8935c076ec1133150f8552008e1b624626f4e47e361b8be194621606be8ce9a441037d41a3c

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.3MB

MD5
77c74f28db2101e2cc54901616ed1a60

SHA1
441fdef20a39aafcadf3d013cf32b0e11c48dbf2

SHA256
32d2b1415aee656d04a58c6a8e4fa77f24ccecc6d64d9de7ca728aedc88e70ab

SHA512
3840678da1f0131020d4ced3bbe3767f06dea2b749d34afbafd7ff69103f86788483067bc0db6803d35e21e01f8e7e6fa802ee040825f88db5b7f2700b609f39

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.1MB

MD5
35d8b79cd537c25d77d9a2e9a7322b77

SHA1
2341e206f1aca7cd701dc99136611d0b3da5f01e

SHA256
f4cc31649253729696446f2b851bdef8d09ed272e1b2c72abdf3864a697c99cc

SHA512
9c7805f0906d2cd5526ee6688d827ea9af70c859ffae98c1219ffd3b43126008451d088dafb7a251d43c07a834c57d07a713734c07684649c508ed49d9ae4f0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
0de03efa843efe8504ef58df3f94b4cc

SHA1
9423ead15bac86ba6f25d8a53c2381174e9b8898

SHA256
ef2a3e4e9d732a09c3122eea12e66c0ce9d6cb2cb3ffd145f8afb4067bf6e15e

SHA512
2931497a675d8b47836b9f0bba27ce5c10a7c18b0ca9643aa73099b1a9dd8fe16726fcbda694b1fb951ea20f1624721ce33c3337d533f658456f3a17c1d56ba6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
70406db7869b3f9db6c06328750684a5

SHA1
cf905d861118f2b112ab9ac6aacaf1d11c891811

SHA256
c85f3257a457617e3039f13cab824130645a8c168cc04f7579e2566879c2e183

SHA512
e2bb959ea9797a7723749e19e33464c424f8f245a8523021e2754b0ec267bce6a5038fe5da3b6bdd8208aa4626a5ac6f161035dc1acbfbadf629b47fed294c8b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
cc6984e852207f7b5ad15b90150b5c05

SHA1
e5b90d6aeba36f36a036eec1b52acec27dc79a64

SHA256
3fe4f06293b9ea3ff7d582464e9bdf7040ae68f1902aaa21ac7664a0402c5ea1

SHA512
710236ec9953b344bafdb74ad0e324f2ea3bb7c9b9f5c17cb27e220336a462256400fa7b101408798b2f5170a61eb238ea40621560bbf1877eb95d5f320ddbe6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
935KB

MD5
631507803b982755b1b18c2b4175f91f

SHA1
8fdd2bbba60321aa6b759b3afa09d33ea13cef18

SHA256
d007c1c2e71556d2a0cd9120754d9b756d28c945be4e0732037bbee148c65875

SHA512
5c347ca85050871452332af6918c415d5ab6df8c3af027448c6b5319452c5e909022a9042f85989ad3be896cb89b65661320481b68eec8b18bb8a88d71919cfa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
36c28eaaba8a620a38a58c69f1fbe2b5

SHA1
d56419fc6ccf5ad2fbc551ed2bbbd2c802753c78

SHA256
890ec055233bf83496b389be62fcff09728ae8cdd96730ed11f4604461f87844

SHA512
0048e61346f740767275868369aab9bdbc13c7e92f58c1300ebf4b24bec4c0c5a4475c0a0bba0dc41afdc923ff6e02999d241d13e6986f60bdf61c7d51a198d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
3f9c80d43673cc57b24bbe35563379f3

SHA1
0652facabc800dbf86716fcf7ee62122a118b13d

SHA256
a4b735954d9b0cc6bc46489f8530ed435b6a0d8767f2f9ff4158d26072413cd0

SHA512
0d9f25e0a4eb92bd7576cca2520413e91320d3cdbd60f744557aa05359f9ef510dfa64486be051c65bc8390590ba8e5adefcc75a25989e00067a94b0971af90f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
901KB

MD5
6e3f443e2044d98ee2177d53cbdbb6fb

SHA1
4ff6e84eb8f4a5676f9dbd5de3f36d50a6187518

SHA256
75917421d443cd66808d458bd74c3d54d8c679a4ca985452398944376ef1bd91

SHA512
0fc36fbc90b48a956eaed8765654530df4f57787e3ba65cbaffb949184ad82bbd4b380aaedbc1cbab3d37f5c8cc90ee6d0d0f93b05e3b6c68ea512d8a3fc035b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.1MB

MD5
4fe5bf75ab19b31d1f255014ed3232b6

SHA1
3dd7840f547f4b7eedeb4ed4941df457bba29f8a

SHA256
e181fd3923cce104203e6f6552e15a48eec63173ee00805826c7910ac9fec719

SHA512
cdff7b97139c3cc5af398e1465362211b9d9016e244a655d441c878e23fbe29500da32a1e08fe1faa85ceb7de3939022ad88e3db9dbd2cb3eac1ab0e4feb0ee0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
858KB

MD5
75c48b5b08f4fbf77606d308910b8ec4

SHA1
8f235070d28c2d66c56c6a300d922c3389c4fae8

SHA256
719fd063880f688af752740486242e01b5f52219da67109ab8da2a2c9126b2ac

SHA512
9ed3e62dab4f67b26372c91d2c07d8afb4df5bf740940e8f2a70e2436b8f0b85e9852780f7e9e830248b1ccd25e2ab69823f59cc942552c5aac4943b1f5a0cbb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
927KB

MD5
5996582b5ba1594b97cd84a0deb49aa6

SHA1
ac99d2c165c139736b29fee40b841d5cb6420c74

SHA256
c5aa9c370feec49434c3ade4335af2ca3500400c5d37a69f6da5de19320b13d3

SHA512
9869f48f6252e7ccb13097bd8ac0b8d97de92859ba34bf12abef51843b6d5d0952860f470307df36f489c6718f9c82e303ceeb724aa0c95c5592f9ca7e5ce5ce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
879KB

MD5
b3ba045238e78cd17b10898ff477b400

SHA1
d230026f54cda2f5fe74cbb3eae9fd4af2fdfb71

SHA256
e6777aa44c405fd039822a8293ec1a1bd3e41405f6a373bd076d9aebc6a81881

SHA512
f7b5c0e6cf4256a6ceec82966f7af014f2520c302c1a22ec8724f1a00b7eddae3bed1cfee851059165652be7c33fd72d06a0222b45c0a09232cc307d26c374f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
878KB

MD5
e86464ab36fc84db2c41a4ad37f9e933

SHA1
e20bfce174cb6cab419ba8a449dac81e74837688

SHA256
629dee3dbdf3e67ed7d5f79477e92eae99a45b370b0952d414b1bd501570cda2

SHA512
d18fe9bbb4e61d74a67da77dfb35d83716c11eced71b950a4e49416e84e0fc6672eed05b49af26d08437713da6338effc1686bc88108c7165015ac3842876134

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
909KB

MD5
1632a41a1425432efabd1b49f8d24704

SHA1
1f5f21603ae455d6535b889b295977f09cfce184

SHA256
5fd2c9bddadfb1ec7fc87c509add7ca2560dfe757783c9a33826258c820e9189

SHA512
66ca1613dd5eabb8002272d949833f9d2d10e5a39437a7757b89b2aac7fa10e233a7a7395e3f7d0dd3902e4fe0af40a7ad432fab1ee3ddb06f8d10f47a9f7da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
83KB

MD5
54a27685cc904d6853b7d604b9241eba

SHA1
ed825df45b5df8cbe5bb0696d1a9710bfdc85441

SHA256
af5fe7b8e5cf52d262853fd030c1ac50044681ad7f71b46d7a7dd356fcf3203e

SHA512
a9ad9965eae1c891faf85b20ec2252ef2ec4c2535217425ce681f2bc27545bec3ba025b68c6dc6250d36a6d0f71077ccb18922fe783db285a71cf3dafb6ab59b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
64KB

MD5
456cbeaf62419fe4316e8116cff00e11

SHA1
979fd414e25826befd219ca715f34a8622645299

SHA256
7cc4076c2b71c3f910ecca6356b1ad2ad580a352f6a267f08e6dcc57cff08b4c

SHA512
3b0b2aef366e2b18aaf797e7b96aa48760a71207435acf9e5651bb27c56dbb6601a8c19c769f8211bf169b526d00b21bf44b9ff88699d820bdf573f444099c97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
65KB

MD5
a7ff735c15b11043d36d598aa5437b98

SHA1
903c510fcd3824eef9f46aa927ffeb564fbb8019

SHA256
b9f450b3d328591e35f05c8e016a7c492e2e82bd8880d3c55b491af522bf071b

SHA512
240bc375ee91b315ed12ac68e6388f4f6444ead789ad52a70cc5d670532e28ceae20387cb67e2c0cc8d3c1c2605198dbaa24be11a12988386ec07df01eaa01a1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
623KB

MD5
2c22cb52b03fd5218cf7ad5411926b29

SHA1
a6b41ef0abfee0665c93ee14f3b6e4f7bb6fa3f6

SHA256
dba87e2d1628186981ffc537e70b45788dfebf914fa38a2fccdcffa2b6015448

SHA512
f79886bbaee4ccab5d8608c0d84397bc409fb5027a86663f26e96c292a87b879eae4f56d6ab65b8685c8162e9c3d26c88b8a8484079f33dadc9c40b5469fb3e2

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
363a736f918a2180c42f2f377ac9a87d

SHA1
7fc82d0d9869ed3dd73867287097611dd17f89ae

SHA256
477db31d3242df424d442a4003e3bc8935f57ed60a65e5156579511191d35d5e

SHA512
a68965f498bd4491f7e709aece2e8ca975bfae420477f188be1e7375076eb1c24649204998003a9c0b640d8ba447b805172f4bffc80317436851187db2e5e75d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
384c8931086c230b9a5ce4d81c85ac2e

SHA1
e05924591e10397bb9a4fe81d7fc28eb590f8c41

SHA256
d8c902a0cd5e99010ecb6bc08f6cc9612a7776275628b7d5645dffb2c82b04cd

SHA512
cc8a94e3fc97da825d298be3fd1cc035ca654d18ba8de882e2f67bb3f97381b6a52f5608f225914b5d57b85b4bfeff066049b637915338a89c6654ad919a9124

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3f99bd3e4a39c2650d996a01bd4ed6f9

SHA1
909af1401f631a005d2c8148b1537634cdcdca99

SHA256
4d2784d64e9f803e8771c3252b63aeedba38bf3dcb197dce023d7157aa152638

SHA512
5f3971b2789341e213ebb4320f225bd1834f914ff58dbf8554c9e956457d62dce72fca19b20620f9caa353208ef298ec547fc4f668e0752e6457e29723d317ec

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dfc139b5bc5dd03fe9009bc120ffdb43

SHA1
cb3a5f3af30f0001e889bc2ee027da80d301c596

SHA256
63f8862f83899737f028005a8b9283f325f3cb0add01830a3217a4a99eea83b3

SHA512
d8e38f2b7043ca57baac3cd64776791d72771d055cf33daf65194da1ca49985ed4ed7356c93f777e46bbde3db4cae9ce32d632395ae0ddb795999c748f75557d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b1c031cb8c2e0aff6083094c57013b52

SHA1
6d95b90477e5696ccd4660fddbd35a8edfae801f

SHA256
b411a6473333145f2045437b94b862f10d4ebe56dfb23def0e77ee6632873dcf

SHA512
eac9cd0ff9868344452435e0c1459db6a89e0063c0408ab1b379d52aebb5bb5ccb008df5f4308eee778e363d98aed466663498583d61a78113f0d9d23171e518

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
6a82477de7289b8701ed7985126820c2

SHA1
d017c76110055186899aea4131b47a7e5a9536f1

SHA256
b9513401b1c2a35c79c570413e1629f955d2392149a7b06b1c5642da43fbd73d

SHA512
68dcc7fb4c46f7cee15c15a3fb02fa80b296ffd280cb2fbb55936e1ac797a4cf45fca5d736de6c6d64218b84cd122d261331b234ce3f4cfd0d7d931814261e34

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
351c1534ab80a2c4efe4ad391db7bb3e

SHA1
cc9fb69391f88a284b71cb6c9d5d5a0b85166fd4

SHA256
8c69743ec02589c278ce4bf1982d936df582bfad903674ab0a694d09ddd94cfd

SHA512
f7f63ff97937aba266a4830879f8a401d44bb142971450ab6ff8f4acab8b024b3f79d89b8c759f3f530f9b64fe5973e65549a22754a076e330150b586b54755c

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.0MB

MD5
6e1128d385e1e5d809dc76ad7dd71b77

SHA1
cca82d653389aad125c4528fbfe059898b44b3b4

SHA256
cd2c73dac2deb5c4bdb3e7d480fde4c065786bb7327c2f02e720159908c26134

SHA512
e97a9a7a63b70a52c43a6891727f2abe9f3205588c76164b5b164ed03323e615a4f8bed136203ea8504f6561409203f6499000e1b7d1b1104005df0eb3bf5aa2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5db6c8935d410ee3eb773164521e1569

SHA1
7394ef6dfe480e1a99156d153052c48a4efffb4a

SHA256
1e1bbc3649522fa917c6faaa10513df4613c23fc38f4247016e513c8f2103b7e

SHA512
ec37bf35e086eb48c3807cd960d9bccaf79bba9d9e98b06219bf485b56e12fd08a9ac1b2ecee7053f1088e6795a46f5d3368754934d0b72acb7fdc96846ddd32

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c9db395bb34c65065fbcb62657704a2a

SHA1
d287b6d040c2c2252834a0ee93e076e030ae3fc4

SHA256
cbcbc76d1130981f3f1d42d035bc61be6d871b647b512338e949678f548566c3

SHA512
59a2fdd41909efbadf74b60357fb9cd130c0cf62fb51173030e7a957368fc0f752414d7c0b30fabf6e31914a407404de0f3ef7ad64bb3efcefac296bde49ee04

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
b18e384d3d1064f6e6185164d66edc7c

SHA1
1239e22482ef90f977e3b10882f381b81ae203f1

SHA256
7b5cca9e01e63df0b11d3ca3ee906dfd67bee204941b584d5c64c710fd83396a

SHA512
bec4ebeec11f3c1400b0352b8166c2b149dea4746c27ab04c2c7362e53ef91eb31e1406e5e980af1a9516027fb0f0e978190c6d8fba362a489543987c5f1af64

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
b619bf771287b07202cbbf87c4d7a37d

SHA1
ae8cdf45bf448979f3089cd893d3038504d148db

SHA256
e9040dfa363bb5fa146a558d573a38872e34d7675ab85f269071cd78fe681fc0

SHA512
b108d1ca27d373476dcfc54d3bf1c75ba6ea360938e7197a6d2822b40f7e3a92dd1eae2526cd87337f6bcd9a39022930a7a4b5405aff756a41e9c83877beb72b

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a4cda74590440ac1a2caefb103ba7e10

SHA1
d9a766a95810410cc2715f17b2e825b42cbaa155

SHA256
f39385a116da0b2ccfe4df9e13b62a5f0e20d4e850fd0ad1cc5cdb592056f86d

SHA512
ce2e9ca42616f4e2094abdd100b4331e4865dff9659e9f791a4e808fa4de465bc3ea48ef42ca72daffa3ea7e8a8f4cbfa42099fcd81d411397c42572dad8b9c6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
1a24f2aee0b6cce4cade5d05bc1d9943

SHA1
50aba926a0c57c3513a4c0ee87b5034423c225a5

SHA256
94bf41913dc255b73dee7e07d9b3087b4ea9c5c417f74054a98ab3db32527a62

SHA512
93d9f4ae6c0be4badf5c02b97b26a6cfbef5ad096fc6dbca3caf7738099f4cd6696701859412dfd81af70d10b0360ea424bba7df10dd4d9ccc7e18d5936b8979

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
af15a89cf41185908557748e956c6705

SHA1
17c8c94d892d22869186b969556350604903c46a

SHA256
7fe2aaf78ae1d3acc2a81cd48a66aa351edf0f12639e1ea2f4f1a4d6d962f645

SHA512
c53f2d3e121570a7e1fe44949f6a0ef1c8c115cb27b8129e7655991d7a2469edc338ba424d89d3f2babead9edeb0300c81bdc204fd86e7a678a98536d26ce3e5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.2MB

MD5
3648dd3e37bf8fdb7ab498515f8c9a8b

SHA1
c94736296ce62b00e6012457fede664e96525c91

SHA256
06f092613386b2d365dcb8322183c171d71317167a1ed09ac80f5631d887e650

SHA512
d6a2862f8b761ba67511e93957bc5d60054fb55372a7d26725aaa7814f8366ad64950dc0d46cbcf1ce50329b151c7a605449315d3a4d445df19348d9f36c8662

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e53f0ca4c40028e07c497867d9b9832a

SHA1
1c280ed095b2c1d2b3f13257bfbc7b43fda718f3

SHA256
c91ad4aae1f9f472fb24b0fb690f5d0c045aeb1e7883e0aeeac7a0a0e9217da2

SHA512
265dca37d6c24ab1931d46bf0c9922b11640dcbf10dea80f8c3415c36581445e1264edcf4ac15f69d556cc980ac3faf51582397cf22f2bcb6722658da9ea1af3

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5eb91fc79d19fbad4e627a4830be730a

SHA1
9becdc4205e5458c3e2bec6eedfcd1ea3180ce09

SHA256
8f9238d7d96eaef8b2927721b8f42024a53a8dae246f5105e10e3beabf2ccfde

SHA512
2faaf64a17888a07ad8e7a5f3f67451e4ce954e5624c3bf4c479083d4f7f60b11ba89615c9aee6fdb7516272df432eff0e5472a87f3e02ea6051f012f62594b6

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
37f347743d214132614fc4db325ced1c

SHA1
8bb07a1dff57f08084784c118f1e796357d401af

SHA256
f20f9474136f4a60742b0446c3b22bad1955ff910f3f7bfbc9c1b46e3e790560

SHA512
5ac53c22eed7d28148c7540c6901cc186b309595201bbebad2fc1e7de71674b1c6176c553de71e0857cef6e86a6fccbca7edf9d6cc8fdc9efcf6f98cbf5b91fe

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
3dbbbdef638cf4687e5d75005ac47891

SHA1
8f6ba77ce89da6f55e323411f2b46e0daf8582a0

SHA256
da76072c5f3033d8488d4f16b6a15046ccaddcf41d536585b3f375b8ee1f5830

SHA512
798225edcb25900a1d1964838df716b2fe926eb13b70e9d499b57302bc461aafb68cbb78f114ab3e04fe89a8b173474689d0ed04efe8e4df1646a2664ce47f3b

Download Submit
C:\Windows\system32\vssvc.exe

Filesize
2.0MB

MD5
e50faa0895c1c1cde0878200a09e731f

SHA1
269b92af00c0ff29d5540f4cb30289d32d6ac7e4

SHA256
7d5d4a94fbc36ab15eb415b1c887e5dea9207997d72d14df340160a0236a66f4

SHA512
8b3a5f33d375d53a1a10450f073e12ca80a9c18f59d4dd76a53f53232b0f5224b0726ade3068a610c94e827307a1965c8e443ca5cee5646c44b00bc75aa6fa8e

Download Submit
C:\odt\office2016setup.exe

Filesize
581KB

MD5
a0b425641c79217f6b43a17f76a9b9b7

SHA1
b8bbedd84c874bddae0e590d128c37ee355e0f8e

SHA256
c130523c8839e06dcb06218d986ff617b76ac3e3457bba0fcc66fd2f63d74257

SHA512
2dcea0b73f0d2778bb5880ebaaf528c1785dc9f451985a95072a7440a36c60b72709ce6c7beaef147c15a37428f8b1d0d70c5064c733b2c0f3bcb0ffd3d01e14

Download Submit
memory/216-316-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/216-1-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/216-7-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/216-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/216-6-0x0000000002470000-0x00000000024D7000-memory.dmp

Filesize
412KB

Download
memory/216-121-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/732-482-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/732-604-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/872-469-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/872-189-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/956-568-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-606-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-614-0x0000022D7CD10000-0x0000022D7CD20000-memory.dmp

Filesize
64KB

Download
memory/956-599-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-600-0x0000022D7C460000-0x0000022D7C470000-memory.dmp

Filesize
64KB

Download
memory/956-615-0x0000022D7CD10000-0x0000022D7CD20000-memory.dmp

Filesize
64KB

Download
memory/956-562-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-589-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-563-0x0000022D7C320000-0x0000022D7C330000-memory.dmp

Filesize
64KB

Download
memory/956-588-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-613-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-569-0x0000022D7C440000-0x0000022D7C441000-memory.dmp

Filesize
4KB

Download
memory/956-581-0x0000022D7C460000-0x0000022D7C470000-memory.dmp

Filesize
64KB

Download
memory/956-580-0x0000022D7C310000-0x0000022D7C320000-memory.dmp

Filesize
64KB

Download
memory/956-590-0x0000022D7C460000-0x0000022D7C470000-memory.dmp

Filesize
64KB

Download
memory/956-601-0x0000022D7C460000-0x0000022D7C470000-memory.dmp

Filesize
64KB

Download
memory/1012-489-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1040-219-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1040-474-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/1864-160-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1864-159-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1864-214-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/1864-166-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/1980-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1980-111-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1980-117-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1980-110-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2224-467-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2224-185-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2224-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2228-605-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2228-485-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/2468-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2468-156-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2608-475-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2608-239-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2612-100-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2612-168-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2612-106-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2612-99-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2960-201-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2960-193-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2960-470-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3124-16-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3124-91-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3124-18-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3124-143-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/3348-140-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/3724-144-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3724-200-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3724-154-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/3724-145-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/3748-13-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/3748-138-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/4108-133-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4108-122-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4108-130-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4108-136-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/4108-123-0x0000000140000000-0x0000000140289000-memory.dmp

Filesize
2.5MB

Download
memory/4240-222-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4240-172-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4240-171-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4240-177-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4384-182-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4384-426-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4916-471-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/4916-216-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/4916-206-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/5056-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5056-223-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download