e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514

Analysis

max time kernel
156s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2024, 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
Size

1.8MB
MD5

990ad1e10e32eb29e04f4a0ca157c7cb
SHA1

d2c109c438e17ace526caac4aed7761ec9b92e8b
SHA256

e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514
SHA512

b44a4911fb174d9a1d91a6346ebf08b81582ee4d7fc7219ff576fe861c59bd4774e28acb2c25573593c28fdb2c1423f2f19bd1f4f54786ff937c5bdb64389e25
SSDEEP

49152:ix5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAGxlMPdlR8v4UC0Eg6ET7M/I:ivbjVkjjCAzJ1l2/V0cETQ/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4196	alg.exe
808	DiagnosticsHub.StandardCollector.Service.exe
4592	fxssvc.exe
4956	elevation_service.exe
2040	elevation_service.exe
1012	maintenanceservice.exe
2668	OSE.EXE
2360	msdtc.exe
804	PerceptionSimulationService.exe
5020	perfhost.exe
4492	locator.exe
4652	SensorDataService.exe
4728	snmptrap.exe
4048	spectrum.exe
4544	ssh-agent.exe
2352	TieringEngineService.exe
5076	AgentService.exe
4532	vds.exe
1172	vssvc.exe
4420	wbengine.exe
4664	WmiApSrv.exe
1164	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2d6a5d2ed8c8c63e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_lt.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\psuser.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_kn.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_uk.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_mr.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_ca.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_fil.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\GoogleUpdateComRegisterShell64.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9829.tmp\goopdateres_es-419.dll	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c54e8a2f886fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f276262c886fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081812332886fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e1eba62f886fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e32ceb30886fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a850130886fda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c7438230886fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c519832886fda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000083b1ab2f886fda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
808	DiagnosticsHub.StandardCollector.Service.exe
808	DiagnosticsHub.StandardCollector.Service.exe
808	DiagnosticsHub.StandardCollector.Service.exe
808	DiagnosticsHub.StandardCollector.Service.exe
808	DiagnosticsHub.StandardCollector.Service.exe
808	DiagnosticsHub.StandardCollector.Service.exe
808	DiagnosticsHub.StandardCollector.Service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe
4956	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
636	Process not Found
636	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4852	e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
Token: SeAuditPrivilege	4592	fxssvc.exe
Token: SeDebugPrivilege	808	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4956	elevation_service.exe
Token: SeRestorePrivilege	2352	TieringEngineService.exe
Token: SeManageVolumePrivilege	2352	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5076	AgentService.exe
Token: SeBackupPrivilege	1172	vssvc.exe
Token: SeRestorePrivilege	1172	vssvc.exe
Token: SeAuditPrivilege	1172	vssvc.exe
Token: SeBackupPrivilege	4420	wbengine.exe
Token: SeRestorePrivilege	4420	wbengine.exe
Token: SeSecurityPrivilege	4420	wbengine.exe
Token: 33	1164	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1164	SearchIndexer.exe
Token: SeDebugPrivilege	4956	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 1992	1164	SearchIndexer.exe	133
PID 1164 wrote to memory of 1992	1164	SearchIndexer.exe	133
PID 1164 wrote to memory of 1540	1164	SearchIndexer.exe	134
PID 1164 wrote to memory of 1540	1164	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe
"C:\Users\Admin\AppData\Local\Temp\e6189c3bc93ecea84f65b5fe8231faa615f4e8ae9f4c65298f36adc82a200514.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3020

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4956

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2040

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1012

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2360

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:804

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4652

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4728

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4048

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2024

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4664

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1992
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
90aa43ae17daa4f0d0db18a5be74d9c2

SHA1
d6bb6fd27716ae883c0c191da1018d151e9abb2d

SHA256
ef85188d67bf74a4ea60d0dc308b315c45e0fb0425764180e906d024e08d96d0

SHA512
8d2f434f86bd4084b5846215754ccf474569c63a5a3c8a13d00e1e08c9cb9680855f56d093388d24d6308c27cfb1614e3baca9f6fdb1163d78e3c2715d020c3c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
10b5eda062d36909a84355b262c0114b

SHA1
ee3e280d50c57b69c97e8d524c9e5d8be561fb58

SHA256
ade2d14be34e1e03ecb27a2f5c14e4adb7af578f96e8368aaab28499d0aa6ccf

SHA512
1f7cd1732752fa045ca11a8d305da0a09488f39255876e50856471137c458ef50043cd158ad32b67fecc3c0efae0e9c20bcd46e7e653cb71abf4a8378aeaa733

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
512KB

MD5
d77cb29808651806715f9a15f4d49441

SHA1
7a0e1e5cd53f8b4d3c04183522b09040cfb57dbc

SHA256
56e8c5a840b0b8a518eca49e0dff1413afa8606e78569a33dc81e1974e125726

SHA512
49e2a37e03feaad5efdd71d169f2f2fc9304f73f97b53b4ad025d828a0f6b8abe3987b69aa5d68a4664ff3e770fbb1aa46295d0b56e618b8279e074b15f3c66d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
448KB

MD5
4d4dd8b5902b8d44e13ae528719769e9

SHA1
7c44eb2353c3b6d136f92a345f792b796d1a9a5e

SHA256
850500dc08d82338809d6c3b8b4aab280c2b8b66ff2c65aa677226d2b65ea306

SHA512
4b6d56916160affdf944d2694b44c1d3ded289867dc108c3ed582b21472e08f8fdd51cd6028b1251c048e7653fe841b2d5ff3b03e1242f96d56ac57e24c21442

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
457KB

MD5
93b110ef79074a6bfb70762bf842205d

SHA1
a8ec69498a44e58f13c056ebe44e78d06c603016

SHA256
de1487001b9c3ea9610bd508c641f748bbf9e57618a23840711b260725461e66

SHA512
7aa2bd01fef217cb03fc0d9d31d26ab0d89ba8686d586c97e51cccdf95baf0b991241aea2cc51809b048dbc2838a2ddc59f6f33e2cdbb72379886c415498d8cb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
448KB

MD5
e16160fd8ddb168adefa88e79433f199

SHA1
265685719450ce91de805cdc95dd5b388f2f0e6f

SHA256
9ffc650f0f61bbecce4a1db2e25750a96f3b4cc1851fa30f91188885cbe9b30c

SHA512
5f53f576de6b3fa626c12b7c7249d344cff5c773c04692f3b764c56e248b5b45c8210013f7063fb69900ea1e218256de721b959c84b77b327ec876554f4c397f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
448KB

MD5
a958f2ac7bc0c653abdb10e5322162f1

SHA1
e2dd7379e5892ac2010ac0659713b2e3d1f45c92

SHA256
7f627f362a70f735eb47f55a973a659f257d75749dcb7d30a3539c157d885223

SHA512
2f6cf8b2cd441869887a7e0ce88dae91852c3b2f5ec87261afc61247b370a47ec0acd79e5ce69ec0e828bf394156c5877a0c77e6c2959a9da431382ace3b3ef3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
448KB

MD5
3df37aa1faa4d6ad5f273f02ac16a52f

SHA1
705c8b55eb3b8126daf3ec63a89f57fe6fdd0805

SHA256
046bca63594cda94d219c2854e3b1837e0190aa9ca15b35ee23dcfc4483d33ad

SHA512
2ceff613695803d15f55ef228424032bd3e97c7d01725eb09561ba5906d32a7306c6f7bbc61808d0f7f4c568296e411d40460acf5f9320a758bd76ece6abe3ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
448KB

MD5
8622000b53814efb5435500731bec72f

SHA1
e73cb810e96f3069a59e128e336da890c99e870f

SHA256
5e7ac4477b7825bbfaf1d0ae8efe320ff57853ded7e61f8a497652c2566260e9

SHA512
7710bdf2238d6b7d94ec9a9a0a974bbb5b695d9e60fa31fede2b6efde17ce7810eeb778c1793e5ff19ad65f6cbb8b0f1acc0ad03fc8d81805bd4e382b517fa23

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
448KB

MD5
24005feeb583afe70750b8526b7cf93a

SHA1
692331b94678a0a1dc2a45662c94ba24c5dabf91

SHA256
beef6148fcf85ba2a2eed26dc66303b4e9be3735dc7e93a3bd5e97ab33ce84d1

SHA512
5dc8603af850c50cd5462fabca54d2a5d37ca614a5010dcddf89afdaad5d1fd433bd23f841bc2237e0546887a4593baa49907372c9b30387f1155947f2bdc5c3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
448KB

MD5
b79cfbb2c89d9257279dbbf776b82b02

SHA1
ab2e51541bd0dc2849ae2debcce4e825e7d5dcb7

SHA256
b33554bb14351d179ae14700d3ce96dc964d34f54aee6abd2e072a89119e167e

SHA512
e9ad64130853e8d500797cac9fbaea20f53a156a7f6d2341a5dcf3701cfb771e3964005259b0d76bb001a820e3ebf09dc5b80bd139cc3991a639afcc6b5d5911

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ad8b944a3fa782fd8aa25a27e1c09a4a

SHA1
5182f327f15a93008002ad611caa3d40dd16007c

SHA256
e6e2613cf03548b5ec8d5ab8022776a9027447d13ddf59dc76683127723b94fe

SHA512
0b8940170c049c02e10a691dec2a609b8c2aec6303d6f667b61928640dbd14d4b1283381014f1ce935e3c3140becd05621712ae7e473f7807836acf48ff56f2a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9087c9bf3575ec0ff0422c52504df03d

SHA1
7c9a12d1d5318c481a26850f8510dddc74098e58

SHA256
791ea11476869f6449b81ff4d30806aa277e06839891bcbbd343db6f862ea838

SHA512
cc08f6b7a293fedd945a81a57edc578425beb84445ceb76f4450485ac6b0829a6b89a408bc0cb18014ca6c2333a876a9c0561d6723c16eba9b1c07ac018eaf1c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
a13bc86680a45b33db46e66ecfd3b758

SHA1
74aaae1cacd1e6e9e9e16365451b45d38e02fabb

SHA256
9a2ed09a60a6c7c440e840d9cd740aef0d5c1774b6726e298d90ebb2eed838e1

SHA512
2462777c29d9a6ed2ae0bfc7813c3f56d3fde7b6bec7e5b7ce8c9b66ef19a1710617c5795be88647640c7397f438ac1121d11eb8a973aab29c4e085a12acb05e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.2MB

MD5
712fbefbb17663d5bd3cfbd100d9cc92

SHA1
2c9782b026bbf75e4a877c54fe18c7bfa1fdb467

SHA256
aaf3d7a52e4ba1265189aa76c05ca1c798207aaabce1bc13fd6dd911dd418c30

SHA512
59a4364cd8dc5146e5382fe44ed6035fb9807be6b6037f4f0d30b4d1e156bd7b599b9ed98de8a6d61184e2d4b940bc98477a6b1e3e681b64e16df2b36afa0d39

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.0MB

MD5
df7accb53188dd2a4fbcf15b73302534

SHA1
ad8db420a3fcfbde14e7a72c968d74de6527eef6

SHA256
6ffa6aa9ed88e6086f769a9246dab0b5b6df6445179533c7ac2f514f9b01faf7

SHA512
c905c1a2df7847ea538044f1c8d4688c55944ebfd3d8cf2608648bb827e1f1c6b62602e1afb85fc68bfc4b59f41b12c8a90bfd412904c8030f0c22908386f6d8

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
8a4f3007b181faf4d4f729ef3dd94c92

SHA1
848c7b621a9c8c2170ebd8beb3c24c51f5a33e86

SHA256
9d2e709dd77ead0c79cbf44882a2c478c15c2908fa13677561356c3df12181bb

SHA512
7b82dc2e0b3ca06a40645cc61e0e8f309e65a8207b99e8ff2946174e652c8584849bc8bc446809805a3ded43812fac67d1a9144930024c66dabcb9a89a2a2334

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
b491eae6b4c4c9808b14d70881e84dbd

SHA1
3003f45d3fb83070d7d63937d80ba359835bb64c

SHA256
365852ba36f957349daa726db6186cfdfda57b1268bae096deedd47129348186

SHA512
927830d6375a2ef8bcdf97b46aea6b2869e4232037ea25ca7bb78205a975b2f1e8a64c8cd371a333904ea39e03ce3854048dba87a233a24a71e3d2e327315b06

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
384KB

MD5
28a2a549239c6dee457095ce395bc515

SHA1
3dadb56cbaa8fd8f94d05bf87fcfcabae7adf11a

SHA256
4f736ebfa678086fec270f61420dfd7f348ea078a486525e4b5852919aec0281

SHA512
5843fe7d78b16ee95d93759c35c8140410efe2ef8a8bb2d1da58589891cf2732d3aa12068f038f434aebb5bce72dc3f59a2e9473c1b77674d7e063369549796b

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
22442eb85c01afc19c2d5fd310908044

SHA1
cb5e66b08fc9e40a06f496062c50c73de64080db

SHA256
176bd39f58ddd41e8d91414052b1266bfaa5f367badf9b0fada00b5a0742cd3d

SHA512
2fefaa71e1c31c153bb15effefd13c1db664babd737d12a0c91db89205bd6564963ca6a31a79dc8d5cc9925d4204954dcfeef9ca58c36c2ae2130ad79b9e3bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
c7132485172c1112ffa2d4b091358960

SHA1
c72c3609562da1889143e858f0e149cfa935fca5

SHA256
1b7ea03971dd5bf9643658b71d5b6235a734c80574e3bd6138c5af8a34c7f676

SHA512
f4209fef78059b681f9dac2f528305b427de5ef74c79c0d6d73e2320c917e8da1f96940464b75dd96fe63a937a8c10dbaeb849c3f76a4c31be581f159fecb0a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1d2c30457605809b265d1ac273e82278

SHA1
b63e9e428d857c78d3aff7dda3078b315933024d

SHA256
a803ad0cd29404f1d5f7643565d33c1c76cca0069635ab7ae0898df957e03290

SHA512
aa41cc0a07dfcb25929119ddfa534bfd2408081492fa8d1ef47241464cd639841621c2955dffe09296f40fa5602e77702eac74da46086925f23b3fcea8e8af29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
a8acf77d5ae41108d9f7082aa85ffa0e

SHA1
4f9035d93f0f2e0ee69f31695fa7fd1532a5eb69

SHA256
087362a54226b2f6f7e25145db1b1b56ec16ecd46f07744e93851ef9619dd1b6

SHA512
9e8a0dfaa9e7dd1c0cf9fabf21c6ce66536756deebfbf98b65d393807af9346dffac83db83cc60ea4838c7bfe50d5a15a230787bcb47e8354c6080016316a6ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
3708477a9322420ede8dbd3edc1479d6

SHA1
2715aba946c64d8f5c04fe8c236498a5ff4d7ae0

SHA256
a3f87de48b6100befe179a85aecd8d0b7ac8eded8abf625c07ba668fafc75914

SHA512
a63b4855315d8e4050f989465e113146c390514875cd306d909ef3e9e76b964075206222ee983f7958d61cb4ccb1c393c4695ae731afd6e0a1f0a8b0273cc5c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8e29acb7681362a574a0c1b4a4e71af4

SHA1
30a5599061afaed9e7255b5554b6fba5bfdb07ae

SHA256
a50a3bb300957c3d04498877a18151aef3cc7f102d4778ffc892adb87f341c79

SHA512
f98b9fc20c47f9ef6ac096090074d8d4772d1329eef945aa3d0cb44b0549da7081ab44110f64fbbb49f2d9c68d0b475c4060dcc2074ed70004ad39fa424ee20e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
525b99e9d9c64b06a8e14490248d5aa4

SHA1
2f4f5a6c642cf1fbdaf2667eec10fe0584c88912

SHA256
f1f6a7f5438d66ad60f31792f840b8df399cadcb90e691f8541f6cec43e97818

SHA512
7408170fc5aaca65e76621acfd822ac63b8c3ff146f95923583a512d9209049e9ef831ef0a6c2fc426e767bc0db39b2593b764103a62f52c649d5bd17deaecc9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
f65b763226e82179cf7b718bafc2a373

SHA1
11725e34e90a6fe9a1c8393848010086d818eb82

SHA256
ab392bcf0b634787097f76d996db91b26eb7a5d1752f43d4d5bca272c9136d7d

SHA512
e6ca5d8eba518d7e2dc21433e9beb4ae32bae1e5b9243457cded16c2e7428de4daa1a6d4bd3151a8aa4f6d84f4a4d7fc21a076acf7ca2f00ea65c775f204619d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
6158f83a554908dc77c8ad4ad45ce046

SHA1
22c283d80a9502e8d94087f4b6f7441a8497f697

SHA256
13a18d252484b38388c2efaf60ec8bc601cccc6ce0ff26370b7129f743f410e5

SHA512
e95f26b98323a6a3d84972816cf27076973a9bcefd19cfc3e026ab669514dde9987fd1facabd0798eab68b664fc40b91567fac7c7a9d5461d0784f7e8013809a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ae2cbb2b16e928402f042cd3e2696479

SHA1
e7e7be45db8346bd218cb68e6e1189d4b8371a9c

SHA256
4e20e69bf5f93a308e8e245d43635094690888949ebcbcde1e892b73168267c8

SHA512
5266f7d0faebd72da3dffa409ebd2f17a6073702ebddbd4e63485c20494dd52db5d43a698db701b5a632e17596c94faf77f7e8e4a2f7d00d69ed502dcb54f2fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ef7db9440baf10c069d531f624aa9098

SHA1
396186776191aacff7ee8451ee8565ae09a9245c

SHA256
2e4d3fb9f27a26c3a5b54e1774516b676af76c79e7d99cc9081ea132291b602e

SHA512
03e4dd55395d09a75485a3d64c27968b6cc4a703ab29ec29edd606402f3a0aa06f920305081dd115dd5535379c9c4a965318dd4eba6297e2e15cb2d79df35da6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
56bf8e32c6453b93ad786021ce98ee3a

SHA1
5e6db92a096188b722d62867e0299131d4278bfc

SHA256
f3a940d27edc9cff89cb6e0e12d35831333cb4b0565bb2f36e35b36f5713de98

SHA512
bbc78a440e4f98981cf1dc4d02aa4870d2d0746cfd03bd260b33a748fe105595dc585543d24a5986b436c3dc58b0c7ddf859b71462aaebcf79c66e12ee972070

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
8ebe13eae4d5ca02231fdfa6acc514ba

SHA1
d6f0ccaf7f18cf9b4b842ccd394a82ca10496b37

SHA256
9d38b294f5231325139d1181fb2b36920094d615850d156c8961addaaf0884d8

SHA512
2b9570146571be21394f1b48a046f7db6516fb86c95b37122313852a73613377ac678a6bba3e5f9818b8d8da858b75843343b0e15ab5f5cef564cfc951cee6d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
6631179455b980b431ab6c86c48f27e5

SHA1
7417aba0ae926edd0123783262f8b8fa30f29f9c

SHA256
d2e8803fc1373e79489dd73c42577d9a2c5b1f72ca8208125410f4e9f8fe72e7

SHA512
cf863af915b8b0c5ee21e0d2ceb8fcd6e5730c8e5d733822f8850e6dd341a12f3749301330f8addba2d0034ddb97f019eb1066a44ca6f7b7eec731a881fb4c8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
320KB

MD5
35c197c596d112d9c46c0c9c801edfec

SHA1
83baf215c3a4b11386f4283a1956cb4c4a97123a

SHA256
42b7edac2c0c773ff6c469fc80dc4fcf72592eb85d95f3878a9a0f5d9ab9c202

SHA512
265c016fc8fa22ee20df5d6a042651df8328efa7860847bfb97e954d49b933fa9f5136af9949f6f2567a96b305566c55e803c2fbd99a6606e91b35cd65f7987a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
320KB

MD5
e4a04b4d09d072477ce0f708a7139ee9

SHA1
b27f358f73c46ec3d71d6d93c446479c33e32188

SHA256
282440dbcda22128e2f759030ee4b55b0e194ec57de697f692cdd18be7dcb12c

SHA512
33514022b32a4ca53fd892a3ca2ea60537d342d1c2b2c7bce20c1a4e8b2ae23342f5ea6570d7b9f52c7abff8be9105f19a8677c05dfc47bb39ff2189050c3383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
320KB

MD5
34c18780cbbed8f15763bd096cdf0fca

SHA1
de0fcbfffdf5a1a231b538160ba6102e2a481d2a

SHA256
63163c562ae37082ff1b60a581d2f368aa28b6a315ed923325ab1cf788222de9

SHA512
fa896fdbfa30a80d05b8cc355f4d705a5e9d2b409fadb957cbb829f6163e81fc8770ba30a95bcba9eba721c068471c3ce8479306a34e8fb740fc0bc079ff9fae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
320KB

MD5
cfa47c7da2807e7045ad6a8c55c5b223

SHA1
89cee5c8a230f5811f2aacf82e6e2534f1672898

SHA256
dba16178d19c78b2004c94aebe94eb26b2233395a241374518db4c12fbd1a836

SHA512
739ccdb5d71b63d727b84ecc4f3446aa54f22858dc294dc8eacb6cc5f047b03df41745ab0d955931009b69f3d59bd5a73d53731383b9bd6f7ef2d351e80a5b6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
384KB

MD5
25afcb2939de3cc948b5d1c693d8e002

SHA1
153eea8522ff2751cb18da298e51dd5037b9b2c5

SHA256
5f8bde11c0e1649309152eae30a11fb50cd9c0f096cb8b81bbd67173aae28069

SHA512
9ebb6f43fd6449b547326ed777c3d1a32f348b0307380f52089841d42e2affdf31da3bd73ce6ceec12891ac2dbfcf59c9cdd2918a5d9658bda03b3cb3dee0a13

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
320KB

MD5
5622d3675bdc81cd0de6505ea3ab77e6

SHA1
6758f10e985bc643ad15acead4da8af4aff8aff6

SHA256
e04d15c2e69ce49a54194b55139791901bfd24e346b6223b4633a9d79424381a

SHA512
0e25f5d3b455eb0b7340c7503b00c904c16428cc821f3bcf0b63b221793184b219488a40b9aba6a5c9c3f075c82510a5ab1b3f6406143027508fe079bd81b157

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
320KB

MD5
e9e950e04526df6a8a45c1ed66f53a37

SHA1
a664466ee352541890300559b568fb16aea4f7da

SHA256
4ff2d59883a777293654ac097bbfa8abfd267e385cdafd925b44a3a6af34fa17

SHA512
260a86e8d9fcf6a89c107643100131bcb336761f6e48bb9a61c319ccea6e8b9281f57e03a619615af33349d002853adfba5ecf151ef51396efb17296c0a0955a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
4ce6fa1e148ce7779cf99474a5d8374e

SHA1
dc39bfffe60c5199d04fe41bbcee53e49196057a

SHA256
c07704b7c637ca0f6ff15b6c3dc57162ec64ec3ce7491227ab292c7c62b607a9

SHA512
3ab4c1ab94de7b0b6189e888b442d470ba8d94549aa1a5ef1b735b277f0555ea67932c30e09b19a81f4d14b36285bf3c2b9559e6292783a7e465f619f479270d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
83fa8dabbe4ccda303f0104a0cdbdc5c

SHA1
1a7ff5f8c04d6e9b9aad81a7707c47c946ef38f1

SHA256
8f4d6cd0be4632589eecc9c5d22e2a6c4a11fc4b0b9930fb7b5b61e83ffee257

SHA512
1b139673690ab1093a5ec32d136a06947d2171963902f5cb86e37b272885a39d5dfffd7e0117a0f2940bdc428d98c77daa462069df7a1b877ba66613de02dacc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
915758e239c9a5e47cf6268ebf61d588

SHA1
f476e87ad91b76fb34ca924501389b80519e4214

SHA256
10c1defd34c778b6d33c60f6720a7749b95780570180cce38a0292e70d610ee4

SHA512
5653270c64a6662abae03168ed3023a2d2244380df5078f230956371321c21ff7286214e1eb2e8dfbe55587ef4317b8d3f7b0f16edf5c414981ead90ef932852

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1ade98eca7c69f50fc8131e972c25a72

SHA1
68d802da21cdcf9c936bf12a4b5a82d925096b7d

SHA256
ceb778ed4faa6ef378d79dd242ed55982545ec2eb7f434ac167e1c01405e71db

SHA512
174fe73e8298426d2f997741e6932006878440c4d756098c218716fb6b3d4aa5d182fee60e8a1978119ad171b05a74912714d97e085b6bc05155e603da031e6c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e0cc25be0b0bfeea9dc5b7570fdd4d8b

SHA1
70b14ae9060b1e6b0ec6fc8f7905474601ea6e2f

SHA256
fc2db53baa51ffc6294d21ce4ad529b12e25beec52a43b468342345297bc1165

SHA512
e126521b2a8dda51c706336dd1701dd8af3d51ea45d77378bd71a78312b4e29c5f4afc787f188b9a099ee88701ed2e908801107eb7c1a18de504de827717483c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
26771d5c8ad43039f0b1f0ca613c8d12

SHA1
5975e413c99295aa8c8ea52c183f49070c8ad948

SHA256
19521242bdfddf7e16e631dcf02ebfcbf51356c511c9624075fd10b3fd595dc8

SHA512
dfc9584ebe74f77cc4cc92697909343a704a2097989bb90c0bd98b28d829bbc4998f689d9e17b799a2116e9789166ef38102397d28a70b8dddecbdeeb11bb466

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
87959db2f275296b823ddb0c3c9b4e92

SHA1
97d799f14ade8814211a91e7af587215365212c3

SHA256
8475e6cf9a09c6a211abbda4df5634d700e31ec91710bf84f996a2b767a6c962

SHA512
87eb3fb898dc2ead8755efc610cdc196f925ed1490fca9cbe8f6e35401e792ac0223af196c9246abf71dde67b18237171112e0d1b76c547c10ddc4a7daf09e6d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
445b8dbce0e1b727bd9b4a10ef4b77c8

SHA1
91fb72e94dde4c6098b26450a78105ad301b1252

SHA256
b174c08bc3a3c9307a266bfece31f9f185756dd178e221fe7922937bc3d4e520

SHA512
9f35c0dd67ff70f3e07cc3e7f2ebe8ca6ec6b4d7614c53f914048797fdaf9f333794c05db25864631d09a3f795fa64e74f316b34795b62dcba153833b5b63ad3

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
960KB

MD5
c713d372303a2c2f5a47f05d91689b9e

SHA1
2d806711003919d5606f751f52228e051d681ea3

SHA256
cbfa5f2c4536d189648d6518d19eacd358b01ac3e278d78570a4847f73389787

SHA512
d0504dd94c17b21028d766350b02b5b19d2a464edede6f746178a2b46279728cc34fc6e6085d65e96c277541196c6102ddf47c3f7add353d1b3a54f0b5afd494

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
384KB

MD5
1cfa3e1c6df15ab0fc1c7fd2261b73c7

SHA1
12cdf8a2ce46a15e277b9aad6bed4b337d97cf38

SHA256
2486a2470e8ecf967e4798b54357301101bf57351616b0dc658e8c374842b64e

SHA512
e3213f8a11b0d5a2caecee24ad0f389a896c10d73c9e2e1e39829ffe0d22840faac194bd23e822ed6976aba121631b3a036d81b46e3437a7a7f13b70458ef47e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
d737fbc170291a4ca8b4318efc96674a

SHA1
43bf972c6335e5c256cb0ea615a2385904251329

SHA256
e22892ffb1c4a8619527d0e2a0b71d57f34cb2faaf515b081cd0e02ca8b3d9a3

SHA512
8c59d7b5ba25056bd161cbfff3405f7e5cc992fb6e1b6f3a7fc0609285858ec0db389a323ac65d70fd2bcb118407a75d0001b91e33b177ce3131668879f78612

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
a47b17fccee0955820c9e4c0c782eb34

SHA1
f356b310ebbc5723966a4b97f31dddbec5ebd305

SHA256
6f616348f32cff09b471cd5f1e8b0a3a57745b78d0ff84ae8f71aaaf78310c7c

SHA512
116180a7e7eba875e5a05faaa7d4f09fac9cb63fd446f6c570238b158aa2071ee98c16aa1021ba0321bc252b569c0770a4281d84ba2e7fb91a7a48b383ecd9d1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
0ff7214cbb2807abd4eeb969cdce8421

SHA1
d4f4a00d8acd26ae41a37ffe57058f3d3fe37814

SHA256
ae0ce0b3fea50811e2319cf223b4090d7519787d631f2f92c35785a48bb3658d

SHA512
2d8aa223eccb4c7c55c5b5325579c35c6584bf56dc2ebb1812a885ecf012d8ff48c50d79ff65baa1db9966cef47b77ab634630f72061ebda821a798f5e1c7641

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
523662d549da632f8707bf092dec99b1

SHA1
d72b997fc1c4e3ab345ec8feff57a600d0fe17f0

SHA256
a09608164d3de73b63f46d09e894033ce5c7902c52cff3ec039133640f309603

SHA512
8de8cd7f3cc542b01f6f5c7142eead666e4af0b920e3d459ddc33a34b5ca74f312264adcfeee851a2378c703a027a813257f9ff31914ddcf9e8ed40a6dfd3a45

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
703cfef8c60d8ad11485c892f54613a6

SHA1
4e334cdff150f87d109bdef5ecd6c7e4c4206658

SHA256
30c4ef9d34c466061ff66140e192db7383559a35a1c69dfc6bf26e1d4c3dcddc

SHA512
61d27d1fcfc2fd0167aedc0aeb241945b7d1480ec765ee5492292c559d25a93df8136c1089fb41e5a820eb3fef8ab895dbd87a8770f143b7e4b0af83c0763489

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
40560b6b9230cd607265c4129a1d6ef6

SHA1
185750d7e599cdd57d5d48df57fb6b287bfabbed

SHA256
4f41f39ba3b8dc4b8e89153c44f6fa6e9aa046b9d70c095c9fae5424a47b75ae

SHA512
0c5ba3e4a8bdc130e94531fb52d76444a2d121ac5a2f251e46bfcbc0f648613253d3d16e931a23610e82db72ea2d8cb0ce82bbd7aaac259de7b5de384cef9393

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bd0c6be24ada73969e49d63bb322a43e

SHA1
1f44525b757e1d957176ff26d94f143a96d722e0

SHA256
4929215740554c8f6ff1ac6e94bfebe26d07d03763d5457a72b64688ddc03cf7

SHA512
ae5a7f666e42942feb582199dd5bc7da32670776725c36d8b295af5f218f24c4334ad3835ffc556ff01bae80237b2fde269aa924eb8b7dfa736ace129e0f96c2

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
de3f5d4823129f6a90cbe49e3f99627c

SHA1
81e6c1ea8dba947f2b98147c84e8617becbf2548

SHA256
5e82c745f3a6d84bf6bf4d2acf0715390c74a1176d50c8c144857b21c1108601

SHA512
9d62e8c8a1220df364c8fe2a3032f218af84e2b228587d4477cd26a69c013b301d83dbbc3a8f38c8b7494598a03ef4557df2b1f937d2416a100e1999b5917b7d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
4da26104eeb1f438b3b4a411bcb31546

SHA1
7996ddfd72acbc3f738ec5fcb6efe37c0d8af491

SHA256
0a9d625cc39d7166c2c1f83a066ded3742b2cb0ea91a6a34bdca6e52890f1f0c

SHA512
dae8c6fe5972dad9716f02fb9fb3ba8563a1228de1938f7313aed2830193eb32cce0c9712486115fa0c407f8f0dd7f40a9d2280e170ed0abc95516a3a147bed9

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
653752987b060ccb8fcb2babaac22bd8

SHA1
c72c5dc6b17a1b02489448ffc46a95af21211949

SHA256
e2afa478f74f6ae1a236ea39ec44ac28feb61a9bae9b71539b5c6569051d498f

SHA512
b2242dfa7c4b1baed3ca4ee84c207632b846da8c2c45afcc70f8997122c4729a128856c49071b602eb7011a1d699bf2bef58ec972106d3019dceb055e8466d62

Download Submit
C:\odt\office2016setup.exe

Filesize
960KB

MD5
9b58a05c9815b268eccb4ad47db4ebed

SHA1
aa691ff43fb438ae71d41f7394fd9cb51cca77ca

SHA256
13660aa38d0cfe8e07cf7370776b1fda2d3f20c4a050fc25f2db6899eff4876a

SHA512
ddc7707606bfd9b79351c62a953d13258107003897c6769bcf1e702dd86fd6fd5174ba9ad99f675e86b1858481cabdcf43be9b914b8ab061b42c0793fcdfcf5a

Download Submit
memory/804-457-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/804-407-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/804-400-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/804-399-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/808-92-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/808-69-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/808-64-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/808-225-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1012-210-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1012-207-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1012-212-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1012-200-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1012-199-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1164-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1164-590-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1172-473-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1172-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1540-591-0x000001E3DE610000-0x000001E3DE620000-memory.dmp

Filesize
64KB

Download
memory/1540-594-0x000001E3DE640000-0x000001E3DE650000-memory.dmp

Filesize
64KB

Download
memory/1540-573-0x000001E3DE620000-0x000001E3DE630000-memory.dmp

Filesize
64KB

Download
memory/1540-577-0x000001E3DE610000-0x000001E3DE620000-memory.dmp

Filesize
64KB

Download
memory/1540-592-0x000001E3DE630000-0x000001E3DE640000-memory.dmp

Filesize
64KB

Download
memory/1540-609-0x000001E3DE7F0000-0x000001E3DE800000-memory.dmp

Filesize
64KB

Download
memory/1540-572-0x000001E3DE610000-0x000001E3DE620000-memory.dmp

Filesize
64KB

Download
memory/1540-593-0x000001E3DE640000-0x000001E3DE650000-memory.dmp

Filesize
64KB

Download
memory/1540-603-0x000001E3DE610000-0x000001E3DE620000-memory.dmp

Filesize
64KB

Download
memory/2040-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2040-183-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2040-190-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2040-361-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2352-462-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2352-564-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2360-395-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2360-448-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2668-223-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/2668-215-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2668-387-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2668-216-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4048-436-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-442-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4048-485-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4048-562-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4196-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4196-219-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4420-477-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4420-571-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-472-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4492-425-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4532-469-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4532-567-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4544-449-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4544-563-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4544-458-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/4592-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4592-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4652-429-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4652-476-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4652-559-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4664-482-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4664-576-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4728-432-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4728-480-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4852-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4852-1-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/4852-6-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/4852-196-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4852-7-0x0000000000BE0000-0x0000000000C47000-memory.dmp

Filesize
412KB

Download
memory/4956-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4956-109-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4956-102-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/4956-360-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4956-108-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/5020-465-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5020-414-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/5020-415-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/5020-421-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/5076-467-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download