229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360

Analysis

max time kernel
144s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
Size

1.8MB
MD5

dede5d599abb26752596cae577ad86a7
SHA1

3e6eac4f7c38ff8af356577290cbd887ce92faaf
SHA256

229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360
SHA512

ae4bc4ee659b2e06add165633709004bf9d58591e6bb1216b5435ece2a0c99ad3b39b86ace78228e6c943320ebfec779aa5b2afc37241ee2d79acc0b7f6c82e1
SSDEEP

49152:Ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAK1DUg6J9wh6+w:OvbjVkjjCAzJhDU5J9ws+

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4984	alg.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
2732	fxssvc.exe
2596	elevation_service.exe
2664	elevation_service.exe
3144	maintenanceservice.exe
3140	msdtc.exe
2296	OSE.EXE
1080	PerceptionSimulationService.exe
3852	perfhost.exe
4360	locator.exe
3260	SensorDataService.exe
3696	snmptrap.exe
4376	spectrum.exe
2520	ssh-agent.exe
3428	TieringEngineService.exe
4888	AgentService.exe
1740	vds.exe
2968	vssvc.exe
2852	wbengine.exe
4536	WmiApSrv.exe
1188	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\155c992112041754.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\locator.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\System32\msdtc.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\system32\spectrum.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_nl.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_tr.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_bg.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\psuser_64.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_sl.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_sr.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\GoogleUpdate.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_ur.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_ja.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_fil.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_ru.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\javaw.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_ro.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\GoogleUpdateSetup.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM786C.tmp\goopdateres_sk.dll	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_127765\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b13ee730e789da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015173a2fe789da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b7284d2fe789da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d5d8931e789da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016579a2ee789da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d1edf730e789da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6bb5e2ee789da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3292	DiagnosticsHub.StandardCollector.Service.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
3292	DiagnosticsHub.StandardCollector.Service.exe
2596	elevation_service.exe
2596	elevation_service.exe
2596	elevation_service.exe
2596	elevation_service.exe
2596	elevation_service.exe
2596	elevation_service.exe
2596	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3816	229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
Token: SeAuditPrivilege	2732	fxssvc.exe
Token: SeRestorePrivilege	3428	TieringEngineService.exe
Token: SeManageVolumePrivilege	3428	TieringEngineService.exe
Token: SeDebugPrivilege	3292	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2596	elevation_service.exe
Token: SeAssignPrimaryTokenPrivilege	4888	AgentService.exe
Token: SeBackupPrivilege	2968	vssvc.exe
Token: SeRestorePrivilege	2968	vssvc.exe
Token: SeAuditPrivilege	2968	vssvc.exe
Token: SeBackupPrivilege	2852	wbengine.exe
Token: SeRestorePrivilege	2852	wbengine.exe
Token: SeSecurityPrivilege	2852	wbengine.exe
Token: 33	1188	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1188	SearchIndexer.exe
Token: SeDebugPrivilege	2596	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 2076	1188	SearchIndexer.exe	119
PID 1188 wrote to memory of 2076	1188	SearchIndexer.exe	119
PID 1188 wrote to memory of 2808	1188	SearchIndexer.exe	120
PID 1188 wrote to memory of 2808	1188	SearchIndexer.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe
"C:\Users\Admin\AppData\Local\Temp\229721b0294b95722c7b1ee95381df25a78d3945fba62646764ce33229ad7360.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4984

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3292

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2664

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3140

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2296

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3852

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4360

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3260

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4628

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4888

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2968

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
17eb15ff1cea8541dd9575b478df5f83

SHA1
582d97b5c15f288714b39de20d72bf94f7ae8eb8

SHA256
091dc92e5d6373cbeeaecad10cdef14b7d86460f20e94e87939a56bf2673b4f9

SHA512
fc94dfe365f21cd62894f8bdc121b704ec86355ba5406bf21af6f360124b1bfabe25f93ed9c69126dcbcf220abf077fe8a10200c3a2c21853ec7b35f20584645

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
fa9d0ce9fd880bb068203b14788df011

SHA1
acbbeb5f4d8d00c9d17f572a91380122d810406d

SHA256
5d143e75b081b09ac9a238f0a2d69c5567b9178b67f6b28596eb736e5a88295f

SHA512
c242ab193c3bdb3b30b82d313dbaa4233b10bd021082bfef554565aafaca52cb17873d208edf69d07265bee4c18b1448edde8740fadc693353c1d4aae7e3271c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
492eebcd54129d145aee09f4645f08ee

SHA1
4895d208125e3bf66e73c0546d74512f3b12bfaf

SHA256
2f96c7f608a49c797e8a5d90d6ef1ab9f0ed5b7c38f11f7c711d7730d64badca

SHA512
a87b9b87c858977004211f9e351207dae5f6982ce868e5ab9466699d629bb071a8c7c14b4805f75d64e36f4a6563b3b6dd8964f5569ea7a033f5831538a77437

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
8ec67c6e922f4d67ba3f5208ec24e910

SHA1
3dec7d2463915005449f3ec7cf97ca42987c6f42

SHA256
00b238766e8efb43ded4e63cf8b2cd3526ed076b17e3cc992cafff47f3d65c56

SHA512
216f8b3f91cdf709817272c4148dce461fa14feac6f0e746603bbd8536d40a08932631a1534b1485d2fd827bd2797bf0d22a91f1aca7cbf5daa83acda208091a

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6fae24af574075296ca506a90155e24e

SHA1
b6bfc29bd3cf1213513fa7754255d44d22e567eb

SHA256
d5334df93354fd69c21d9f14d2ceda86c031ea37a226d88bdb0ace559681d2c0

SHA512
2ccb9e13c0892320d216fc268c486b66f473f8f42d913afb84871303317c7b744be9c603942bf4041359f67257db803a4785d89c53be74a992d99a86fe218388

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
5bf890e28ee35ff56ab392b9842b00ed

SHA1
c6604c810ac25ff86f53a44eb08ea30da438d3fb

SHA256
9fc2af449ac6e0fdd5d6c220767baa85afd93a8da54a04b0a2955cb9be60cbdb

SHA512
92e4d045da89e67b5731d6aa24f1194c076613152baf0b7d2b0dc9352a50f100f90e6e22bc6355e5f5966105d98894389430b9365b434d82a6fd9aa8fe505146

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
ccff6101cd304d96436866f378d0f1ba

SHA1
fde8ba0638ac71b71cf943c993c375f748eb6c20

SHA256
c7e64dc12fe416ac35116aee1a03fe1427f9269dd1a62e3d90090e3f838dfa74

SHA512
8a153d6d987451333ce5e40d2404a602f3693ff8220e2359971b55eb88a86d113d9cf56a01be4275d85bb712e086f28643e64289b54c6c4a70f56d54c6e2ade1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
5a0c9c04acbb64c83db0901b166817f1

SHA1
83abe24d0f0e3acc3967c78aaecdd6191fbad64e

SHA256
270dd7ab194819291555d250643029254cf5c96f61fcc2de091d0ac807127715

SHA512
31ea73f16821cd24af4718d6fa3beb756a785ac48be783ecfa2c51100a6f65bc0172b1a117eb67693faae4b26d7a71f8f8031ebb1641b5c85b8ebba628ae8b71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
525cb5ab449a97aa45aa9abf1e389bd9

SHA1
717146ff903606161ec1e5720e3b9fb6295f63ad

SHA256
f62ac23d991482e874a7a0b74a68bd8f5410bcaeb9fef844e325c8fef6d3e52f

SHA512
aa8bd2dc9d27590564f573583af611270ca92718196e54a2796902d1561cfadedf021a11116349f20a596c8d4244e4e2332faf202abd957b9627352eb1ba25d7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
9c75de99f772943377eecda7e072b9df

SHA1
d72735a80fd82c3d9beaccc68337081e7fe15b9e

SHA256
bcdad94f64b34396a91f283588ff7c56b1e22cfccf4e03b655a5cf9cece9516a

SHA512
5e742dc8fb842c4a7d8d6fc05bb21bbfe2154268698c7915c2bf487730450e01c48c5d12414f1f31d90bdda248ec17a3447e68e98d4d7812c7dd035026fa8996

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
83c4937b317fe87e304ad66264777961

SHA1
c940be0a670b8a2e7aab920ba6f60dfd3e4e8624

SHA256
c503b0607135c10a25a254a03851e768f7b02e3fe2d47e59bcef931ba916b1d0

SHA512
59cf1279afaf9986741cd2136a14440a8a1ec5a37f2667d356ba7e0cda9a903445bb12280335da702bf3f9be3097f2af32fd99815e4e8b67c9cd82d82fd9c9c6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3e86007c508c18147618b4c0840b0f68

SHA1
8982f5714e0f50a88febcaa1a1bae4b5b77be5c2

SHA256
c86aa5a76420aeda271e1043b30c2a20f9e6e77f1813e76549f1f2ebcbedd311

SHA512
bd8f64e69de6f625bbcf94a77603f8890de11a26318a59da243217ae096e4e833c9b39453cf4d01c1d02d5f91fe5231421610b01fd670343b3cafe348f6f5efd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
83de7d7b4a7db5feaae6e9f5c489db84

SHA1
cc0400f8969a26f97a439e6889578983edcf4a80

SHA256
cb0c3f0274392a08f58a49e34a3cee8376625c162b52d6d3d239a361d20c6549

SHA512
7cfbed73d4b0d24097041207be7ab5e2830df0895ff62f64d981ede5079ef86c84725fadd2620be7148cd7cecf48470b4d864b06aae620e605f0c88232dcd707

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
222b1fc03094f2521dc5d6290fad48db

SHA1
13760ea51ec3c361e15f1be1da97f24012080a44

SHA256
cffa653be9969e1c39651cc77d386634bd5681cc6038bc2a3f53f50098433cb2

SHA512
61d6b32513c8a80fd8d122491150c55a64fc4aa90b592b93c36732e346246bdd1f590019f4a2a69b0168f71f406d496ae2d19791b304716ed3a65c67f364c6a2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a87588b99ba897694575215ed0dda37f

SHA1
ec35b4352cb87d3d99d299ec7aeb8861c534d62d

SHA256
cad1e328c1b6beb81c79d1c88cd05dc29de5392a1d7d5c7015949b8df1060d2a

SHA512
1c83395b75be496119fe83ca6b0dc17aa4ce56d56d5094165273ab2cb8c6430f5ff909bedcbc76e5091afa3674e2d91880c3ef2c1a9dff20eb29fb8fa3e2de6a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
7b37ba61fac711a6d607c78e89326794

SHA1
84e8878cbec469ce27915ea8d4314c74cb905736

SHA256
9e00b03a82931c41afe568d48e0fa18f2353cadfdb1a71211ab0afaf77e6b335

SHA512
1cfc3b0c44307c23d66701aba0251671b9fdc66e918ef800abad5d073036d27c000c692f6ef6df5e3509f863724bddd1a86d8e9f80ab503b456e3e66a01ca0f2

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
5500617397c100315c032ed4a19f73b9

SHA1
63699c70a57c09859d47f20a4b46bf6917048bec

SHA256
489eb44a937528cc1de2b9e1fb71fb5cb7886c8434e6225fad567aa87c50a276

SHA512
95219d949e1b5ea584f58ea8285aa69165f5d8218f51292235075f888c0e0991696dfd76352ca2e1ada557ff9566240acce3336d888523c0f8e8dde58b026205

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
3181480be918695521b85fed06d96a49

SHA1
b1f318f005bc03285faf80bbc04afd9bb6c2f895

SHA256
93b276779f9d94b857e664e63e071fc8dc83b98e412e9304f33c24c465e87d41

SHA512
cd60ff11d24807ab9ac9d74dd2ec619dbc7006eb3b24d4da731ddb40a505bf1fc6a31e94950027411920c6719e176fe132193ed56e5da50ac123edd4bbc096d0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
77ad78ede5f3def28b96d3e519dd604d

SHA1
40778a8921d2b93dee23a434044f8141be73c181

SHA256
2dcb730b350a30503b989571e27ac2fc0f55155eb277ba9c511d72b075f2db63

SHA512
207974b92d3f539324565d2e77dd27115b14f8742a9879ba987291dd2cf00f46c207ef5f9a9c93bdacdedb89e1f1050cce91679bad22231d49a95ef08307079a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
e40593c7c935e0f3e8fa1f2c4d990803

SHA1
7abfe4b962d5218ee09de04cd25e2f4006aac29a

SHA256
7d17974342fd82939b2afa888bf55151703f46d240d7ea77192ec55b370b6edf

SHA512
55c3c21ceaf5e1b87883478d57ea64cd9e50a205def27d8e3fb508f04b97648e491934d8e99e17d7f62c63eae6438f007ef1529d8a878e376d5996222a1bc467

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
895860a8ebade9c54a23823086c67ccc

SHA1
298d48226be5623d299e2b78e276ef4679f84c5f

SHA256
3542479dde21ec4032107fee86292158e2933c600001cf32559074cf7c67be16

SHA512
c1bf48eebd3ab43aedce27a43b35c53b14c307bbd305c5403246f5d5426d5fc14c34c2786c1406f62b6950442a5f4cdd48e5d16daa065a64652f8f96cc8f2cf9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9be4a19bf20fcc5efc6eba15239e46a6

SHA1
01f8920f133711c64cd393d6e1100720668e5ac2

SHA256
957ab404faf664bf2a7db9f358ded301f39ab853655eafb39991a30f3bcda3a5

SHA512
cff00ea4b683850bd1154b3334bdc61d5290b7dab6383c3dff90a6f56e469c86f725a50ea41dc74d5fec5795f606a1cced9b8f394c0904054d6ef8aec006ab2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b15e6648449c1bdb4d4e3a184c19302e

SHA1
7cd7c53d0f66ab58b4825a145ac47544ea921a66

SHA256
d2aeba520016696a1c9fea4ad41412f7eac5338ef2955ef5587f5152ddcc300b

SHA512
ec42a67be9933a0f0243fa51d6e71c8bbef5e73354de3b4147a0768cf751bc5c433562665514bc73bd67ffc8d4278057b4d33dcbc7adb91228221d9b6fd44309

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
c96b0fde94d207a6e67141d0daad0560

SHA1
f44a21cc1dd8240dade4b1b188bde71ddef74fe1

SHA256
7fd9c9958ea4c684e400e06b22ca43314516c9148f412e7fe674edb98972feb7

SHA512
f288eaad5767b064bf95dd88a7b5cf48502f6b5022d4a646e92c2f9e6c9bb4a8201dac60c14664c22ec5643dea083c7879cf7840be60d9548ef03c1d042cd060

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8654fe97290dd2857c3c473a4d53b256

SHA1
10fe8a29da076a7f5db7e54de215e15621fb7646

SHA256
387db6ce9e4f7a39ed53d74d4320b7d8bd309064fbf7c72c4b4f5145bc5d1146

SHA512
3d55db6024ef6c606c5bea18188aa3c0ec7f22800463b27c23c7bd0f3cc6f70c2308069182583d160ea105e333eb6dd390b03e8580a81c9461503802cb8b32f7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
8bbabf1f64552afb52ee80fc564935e2

SHA1
4551dc07d89dcdcc771a3cc990bc1b225d5f826b

SHA256
0f26419817913db3b143eb7b9a4a66656b878514f773e163eb175f9752e004db

SHA512
75e829b04ff6f503d8c17d3d1e22e215638cbf01ce24885e675a37b798675e980c16215d28e7bd30dcb297662fc750a0c588dc9e54971e9d53bfa315e06e8c5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
696eba3216d509b2bd9794df736848e0

SHA1
d4cd88cc3a7fe1c2868cd4d2a24242fe9b33e277

SHA256
3a199baa41718fe0d1c2e54ddd6e0e9069ff31680e6dc45702c6edf5ea8e848f

SHA512
821ced9a4f94a5df2925f8701b3b8a5a2f7f541cf5c67bf9b1ba24ec02bbbac947803355fd10246e39b2a6d73ac5854fec1ad98c85ff901be7aa6f1b8c71a48f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9c12f0d340b65314c03f7c7ae42b1305

SHA1
e0df2c0cde71071f2bc4f8127c0ef7b3959cebd9

SHA256
df862b054907b2ae3a492949158c10b190ad604169668eeefed96afeac8eada6

SHA512
bda6d191f103c07d07502f4687495568bcb1862c07805168723ae7fed848a93ae1586e5b3fdb5def4ee1de8aee4cb38f89652dbac0f12af704a0a31a22054110

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
575f0cf9b871c0d41f18890ba5bfbfd7

SHA1
1e95f367603dd94614b65eedf5e9073733f9674b

SHA256
93ca98de7a8e2fb8f6cfa1090210bb9178418dfce2bb47b3713e29cfcb8672c4

SHA512
15edecbd3f3af7e4fda8427bef850e35447cc8d23ba763262265c6b7d3897bfa98f617b9512a4ee4b7f3be921fa20600dfb436f647a878eaa2d8d9cfd113b48e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0594e4f83d02f756b2df0df6f1ee4bed

SHA1
a9c49e45a7ebf3117eb227045afc4b7ea833bf40

SHA256
e3c7717a87e55245edee1bf2a4d493acd6cf7d18400715604ba85cb3ba1ac729

SHA512
f8c54203f55e8f2a6aa46d9ff3907ed875e3454ec130284511d392da0f1c049bc5f543c45375fa64ebbad885aee73950805db5f29a312f7b0941d7fc0fd5b50d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
48c402d60657711455175620a76ed792

SHA1
1cf709266b2d249ed5c99dce89897d349b435c0b

SHA256
9e3faef4638cc0353c0b0d680bd0741610508b165574fc1fafc955f9e0ddd14f

SHA512
779fa265baf982e9577f63bf289f1daf4d78deca19093d745a41c171d838655ed80bdc0bc283dea7e279136a3a3f862105ab0da991ea9f854d599f0c3d421b75

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
f6760fbd8dbd1d6ab00cc2f1210b6043

SHA1
8973c6705a2629f6c7e90dbc8cd5a6439364e4e9

SHA256
e5ba24ff387f4c5799f9f47be68786a72f7f1b40a4a503895b79c7298680ddb0

SHA512
231da8a38c032f24b9dd0d743ce7594bdf91fa389c86a1a6830c38308febfe37dc954fcfb81d1c74805c441c2c0c65a4db1e771fd9f81d0c7d6bf159da08b314

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dd7bb2b79bcdcbec69f290094e871c43

SHA1
4614905dd6ba2d8b37293dfb72c0f8b0a78391db

SHA256
0ffbebeab2c585f3be36aff4b940b0689211f9cbdad14ffb83b1e0a7af98e4dd

SHA512
6db462b7ce26cc2a30a302a1dfc459126647ead3a7dec185a4408fd2df979a97a0a52d354664ec05af738efe3f14a0f9a949d5fd97b9d5d5f73b870c2d71b59f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f2ce44476a622f565beebd7da226bc54

SHA1
c53f9c2227ec0b9c890e7e5c4cbb50c3f11575ef

SHA256
04c8d3b850f00ee6b78c4f9f627fe8214b344ff3d4943b23a76faabd26ba088c

SHA512
7b341d24ac0b414eef1f747937b91bb74d4cf5db36ccff9afbd4d812134ec4a09f26b1524821e2d2fb9d4f71f2f2c47d8585a404e5c492b6f01c9ea2b381981a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
51ead3d5204621e503289985f9856eb9

SHA1
2e5630c37a0b15a20193b6d8802022b69e4c2bbe

SHA256
e4f0d7cb93501ed5a2ed55387323d11ed0555f7ff7e8181756ec3524e717e46d

SHA512
ffd1efb396018b7fd35c76a262988d889de6e9653bc393fdd54458ca180a882680f7b9f7c47dfe4aa2264dec4cc2f54950f3a12c9542a08188995faa800436b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e33bfa5bcf012d5f2d9593ad5d807d89

SHA1
676f196beedf7b6f7b8d24955e68600d68edd2c1

SHA256
a48fda7a6375edc921acb8d59a9cb4eb536560f6a94e60a0c5f2800a11dd53d6

SHA512
8d5791b0c93c3f60cf33cc878593107df0c431dee1aa0ccaf9bec6bff1f6c747080085bcbec8bc6523edb7ed3eda292140652230deb190c8547d1d250ad36162

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
63e23028a9334eb01b20e53bb5eec18e

SHA1
5c4ba97268a316961b60c268fa174ddd2619d041

SHA256
ca196b113d14e428e6fafbfb9bbaabde548cf005f3a338a16b02ca955f92ac05

SHA512
eb50eb601f5ff84e6c9af992304107b1c356bb371d27221924df2591fd00830d8e78a8ee641523cd2706a88981645240e00c103a0012660164d9ace10e45bfb2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
696KB

MD5
d2039ce6cdbcbb0109f37ebb1d87d891

SHA1
e488d8a6b76f44e6a031c1c503d615c6bda054c3

SHA256
d584d05e974ab83d8e59bc44002416d34b8f43d824114bb6ec04a9b7f7f5afad

SHA512
f4a031e29578a98d35670c556ca020c13b15bb13ee11b8f98b4daf592b43ad2eaa564f79750827d8b1109f02abb1e4e15dfbe4d433d8324f556115b739209017

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1b9feee03347b9fa017aafbb0402af80

SHA1
d7a0ac99ec828953ba11db4806eab05b74f9eaf6

SHA256
0bebfc77376cbf10d5ce9a7664e7d06a98ee4654e928eb5831763184c0a57a22

SHA512
7f42928401210b908bc3b5b440b5d92b71155be973ba548aedf5d0bd7dc46ad793c6b5659912ef1c2b1fe5400f8891a11a2591af83879462a8bb3e41c62f2a7b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
3cea59a8b229ff5947511a6a138d8b11

SHA1
11487a18b411a903698941ea14bfdf01341af840

SHA256
d54e2c811d65075fd8a7abd99ac3b09cfc01303b1f025d20fd2859f59c17109c

SHA512
361c990ca77ba00863fd074d44219dcfa5a1c6da7497f6689a278f88c3896ea91e8f0af34d040f67cf1b11b05e9c55978b087b2adc968b30a20514184a2e0b27

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1640b0a8aa78ec970361114e1e568c5d

SHA1
03c01a79f40e34bff563ef2c50fe014a9ae4bd1f

SHA256
c8c5b7b5ea21a89afbe35fef3d1d8ae78fb0544bbe0a668a2de73d253e9c38dd

SHA512
91323022ffaae6ee3ac447f6191054aa47264d722cd3ac3ca080b42c9b60e3156fa9895dafe99eb4b8fa1dd443c59b3558a6b3d351cfc6531e0bae58cd232257

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ffbb6cb16db5bc8be78af0547d19c9b7

SHA1
04616059cd2b3934c790b5a45fb2a3be394e6368

SHA256
b11a07934ca94314fb437148bcfd7d97d729086fa78b89130e39422ab9544688

SHA512
463f8e06f124f4f610d1ba2037ede7a2ae874a437dd66f8031d421c0849e25f180b28b48e14dc6ecf9e279d4e304f348bc8e9dea0c17be9612cd87dbbe753b42

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d1fbdcd1941846b7e2074562d037029b

SHA1
72e1c8c205ade8b86c841b9c5a5c14a065762804

SHA256
117d6194e2f1d93b5ba248a8acbc33c4009a9ca3c70357a6e97dc8bd4c58a778

SHA512
bec6aa46edc5db4c43cd5b5ad140c23d1efa4d8438791795d03f59b94bc0318b80516add3ea16cb9c63f350b079965ab6861d815d75b84b2d9f0ec022202f9e8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2bbe150892cbf5e52ae8f416d6e14934

SHA1
1fd93b287dad06888b2337583d04a180c9b98f2d

SHA256
7c96ace60ed60496d6a8680deb919081e3a8f7e392cec85965cac0e01a7fa983

SHA512
12a9d0967631630f63a08a9790d41f7e8a49de089aaefdba0f8ae63e026c1f82af8750e3f97ce3ac7855b170c3c8aecc8d4c0d8d0d1fa4587c4f11ced8fc642a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
d323d453d71c05027c943ea1fbd0ecbb

SHA1
50dfbefca52ce3a001c4ae071d42b0db67bb69ba

SHA256
64bf84421add2e210fff54d0cd5b6139ddc1ebf19bdb113eedaab3bce7846494

SHA512
a8eaf218118e13a395183bf188a0f080d3c1157f7ff78c27a0221415e85bb676be1866f15e407cf0515f1ff4d574ce9020d679cfdff40f4b5f44ee091fbb1744

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f414b2b7f1b2c22c4ae1561f69cf59b0

SHA1
517b72434c769dfece56bb64e3062f8becd916d2

SHA256
1a03207ec3e9e9b4afd8530759498a1e3196dffd2aa0df924d9c93bfe2da1cd0

SHA512
1a3cd92de33926b5d982a06d7a3ee2e3ee123aa11dcf9e843723b6771e950286a645e093ec727638992f35eb218c811df02d0869ec13edc80a199ab9136a4f0a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
9c8a38ba2c260822d751d4df1ae4a525

SHA1
9f7351b1f1d0504a1755e7dc2bf7c82e59ede01f

SHA256
a3b748a028b7e12942c9d230939ce310b0d80ecb100804bb5b2b0157ba18c353

SHA512
e73c1cd1483e29abc4b8696d58561b1af260ac9e6a007823fc2ec05bed5c14ea741c50458dc3ac22a3ced3ee6dcd7889ddceb18416b3f3d92c333a5c30682170

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
193bf687f010c48fd270a3f6ae93b144

SHA1
38074557234b2c83fa75d74c75b02f1add3721e4

SHA256
cba3e5d9ba25e964124baa07f0d789d161983497510ae085922ec2da00eae885

SHA512
a22d5b345ae5bde0a1129b612c9a18bb27fa9682275640f2af7f74dce5d6975072afa7f87ed42861d27cf8de639c3c793f3ca643f18eeb92b2c708f60fb8cdf0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dcc03fa81e5981d6574e2647749bb6b8

SHA1
f043c38321385d46f7e4f4c06d58fc6e12d167b0

SHA256
a03bc1c6d339786fe37eb72cf94be6f129437a3458f6f600f501e41e4f21c210

SHA512
7969f71d581ca32af54f1ab159b6a98910caaf6783bfa11eb3a4fc3619ed05de706a34603a2b329430ec57395f617905f15606304978d035e00480f104b096df

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
69484a8d81bb21468676d1f4b37934fa

SHA1
3d72ddbd604e07300c14b475fa9f008cb79e60ff

SHA256
209f21f2cd42f25c4595cd0eb697bdb68a0a5e04a3e22f362dcc5f676ee1abfa

SHA512
94271a27b9dd5402320d3bf5ad9ee114e4b0d90e4df5529545d23e56cf19eecc00aeebc81b9e12665e1ebf50243308914f064183181d56267edd4fb3812e2292

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
973c1bdfff3aa27e3aa377842ba5cbeb

SHA1
5acc91dd499e411d3a6e70022b7185f527653e81

SHA256
59257faef0c1850675e77a5590fc985913a434f0f2fa5fa30040dc44e6af4b59

SHA512
cd36e1b091d6680843a66814563f79a534581ccce7bd3eb9167a21061c953dc5b1ce8ba00bcedacb990197ad80bee514c621f911c32af68205be5359806343a2

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
4f495c471828bd932dcd0e37fe9c3481

SHA1
38f01d164462b7efcc81d214e0c03846a9b2943f

SHA256
576bd12edc8a6fc79ca43fbc40227fda253bc058bc65009cf5f6fa333ec35c9d

SHA512
0187ef5d7b1a4d3bd232cc5371667e9ed229a6e2a2d98c74a1828695c5d3d7e2b94c821015bfb2dd123c830f64fb2b0d65fb4be087fefbb06c1c90e1594fcde3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
0ce06ec2bea33f8ca77b5f5ac2a0865f

SHA1
0693d446484a9f14bada6fc580ae83c231e4f98b

SHA256
c749dd25205fa075c98883cf6ccf1e7378571c65d15fc7dc66d5662d5fe802ee

SHA512
6cac0a0916b8cb61fdf875428edd3fbbca1c311ff561e8892c3e43bf48b4292bd8ad6f243f5d15b69cb90a36b53811fe7dbc8df53fe936aaf8ec422401848c75

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
55494f2e9ac248301bddc236f14fabb6

SHA1
415034ef2235b46633a6683704365c4ec557418f

SHA256
b6d3fe78a1dcdb9b1d9f2849249f260c302be392105ad6ae3a49c639e2d0ed87

SHA512
44f4cdae1f2c389ab23d985626eead6c8624f1def541d9065d2c0d1f62c83f6af7c1a46c663489e111fb625ceeb3ca74604f7e1835e1b286022969c749e33042

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a78d2e36794d65aed2660ff270ab87c7

SHA1
2479983c42455e67f41dac74247afc2f43ad89a0

SHA256
784b6f63124e64d96e481b4d9f48773db379735d8537bd191d797b756c16e2d0

SHA512
8a61f5bcc4f11dc04ff2526f716575c0b73939473b009b16a247543b57bae061d8c6b4d5ad1009899fb8d76415d1a4540d088944e2cc6539c4a67454f44fa9c0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c37d52f88e34018a99c11f5e6bbafc88

SHA1
7a215ba74c35f5e28441a7fe0e573cdc5ecffacf

SHA256
c2b5e9dda01f8bc4f983008987d0434125bcf3b810f304517b24aa7c8cd00f74

SHA512
c57b4bf6920ca72a460a9f5f35f2cebd536b0f131628dfad2ccf27c3a1a304bf110e54a81b39663edf7d0213536c8dbf55e663d4b6c755a1ad7d1bb59e393fd1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
dd7ff59aa19bf223a5db8524d7f71dc2

SHA1
ae01fbe4e560ba752c8fed2a133a920ea74e582c

SHA256
855c6d337d0f5f55d4488bf571f215ad429484b0b49da084523e6cceb491a71a

SHA512
c485c12a44ac0bb14c787e96fdd31b271ed8b5a439790a69960f6a52d6be9ecb0f4cd408007138db2bbc57b716169dd010f66e3c5369290b6438dcb793030fd5

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
3df791570add6f79f6f3e100d9b54ddd

SHA1
16d6e01fde2a8ec2b2dbb5e4662b191f902ca319

SHA256
9ac2d89310981ed3e0da35f95d84d27f712a02fb59b73073aa7217caf6e32d0f

SHA512
ed68c2802562e9e6d293967ccf11e5263deabd1925b773555a42836c63c1f63a48409e6418f8803e7ff871a283a0b6b8070857c0dcfc3975c1d7013078184a50

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
5eded722440f0d26d163241fad92c2d5

SHA1
019a314ddaea64eea7a5df067651dba83b29ce72

SHA256
a976b254689412138d53b0a6887cb1a42920dbd6cfc7e0a909580df22e1bb9cd

SHA512
13925d17369a4077c1de45b1573ea1fcd36f5d5b1107c479e3ab1ced76c301e5614056962c32b5959e63cbbe886f948af423f8bafcc6867ba4392e7f4661ea52

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
584996c6e17d242bdaffe96874dd4ba3

SHA1
1d95a3a8b1c1ec4bc5f2719418bc171ac8a7bd5a

SHA256
8c7b7b8d03725b10131d5d0cff74e4e733dd413ef13d490308308d052da5288b

SHA512
1747906964777259a3f34044e23282c8963f8262747e8778a36bbf7ebc0f6094254b40c5a31cbb51db9c4b3e193ea0ea24f2365c20956b459b221ce9db542756

Download Submit
memory/1080-216-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1080-162-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1080-169-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/1080-161-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1188-570-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1188-491-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1740-478-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1740-565-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2296-157-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2296-145-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/2296-148-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2296-204-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2520-218-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2520-464-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2520-209-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2596-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2596-100-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2596-108-0x0000000000550000-0x00000000005B0000-memory.dmp

Filesize
384KB

Download
memory/2596-168-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2664-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2664-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2664-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2664-112-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2732-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2732-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2808-599-0x000001D49B310000-0x000001D49B320000-memory.dmp

Filesize
64KB

Download
memory/2808-590-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-576-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-598-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-580-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-583-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-575-0x000001D49A6E0000-0x000001D49A6F0000-memory.dmp

Filesize
64KB

Download
memory/2808-573-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-581-0x000001D49A700000-0x000001D49A710000-memory.dmp

Filesize
64KB

Download
memory/2808-589-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2808-595-0x000001D49A6D0000-0x000001D49A6E0000-memory.dmp

Filesize
64KB

Download
memory/2852-567-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2852-484-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2968-566-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2968-481-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3140-195-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3140-141-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3144-127-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3144-138-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3144-136-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3144-132-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3144-125-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3260-189-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3260-458-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3292-146-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3292-17-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3292-68-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/3292-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3428-467-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3428-296-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3696-462-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3696-191-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3816-6-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/3816-1-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/3816-124-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3816-299-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3816-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3816-7-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/3852-410-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3852-174-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/3852-173-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3852-179-0x00000000004A0000-0x0000000000507000-memory.dmp

Filesize
412KB

Download
memory/4360-455-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4360-184-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4376-205-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4376-198-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4376-463-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4536-487-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4536-568-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4888-475-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4888-474-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4984-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4984-140-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download