2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22-04-2024 20:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
Size

1.8MB
MD5

12e36dae115bae1edf3ef802285dc12a
SHA1

a56d18565c7c77373d47a51b5eb3bbf80e090d4e
SHA256

2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314
SHA512

9fb8ea6317176c55f06fb40cb82f18d02d063e2c40cc26801f731d3e554bf86e36ab15e46d09a2447419c03823af77b823710a12d694032ee21bf4bd0a016ff5
SSDEEP

49152:Gx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA+/snji6attJM:GvbjVkjjCAzJDEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4996	alg.exe
4908	DiagnosticsHub.StandardCollector.Service.exe
3404	fxssvc.exe
4856	elevation_service.exe
3632	elevation_service.exe
3604	maintenanceservice.exe
4432	msdtc.exe
5020	OSE.EXE
5032	PerceptionSimulationService.exe
3216	perfhost.exe
3028	locator.exe
2784	SensorDataService.exe
4140	snmptrap.exe
3404	spectrum.exe
4912	ssh-agent.exe
208	TieringEngineService.exe
1684	AgentService.exe
4672	vds.exe
4280	vssvc.exe
400	wbengine.exe
3140	WmiApSrv.exe
1068	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\d71a4aadc43e60d1.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\System32\vds.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_ml.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_zh-CN.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_kn.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\GoogleUpdateOnDemand.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_tr.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_hu.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_sr.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_sw.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File created	C:\Program Files (x86)\Google\Temp\GUM35E5.tmp\goopdateres_ta.dll	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e41f8fbef294da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000efad3bbef294da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000054d2bbbcf294da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bebf8bdf294da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007784adbcf294da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000351fe9bcf294da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000077537fbdf294da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025481dc0f294da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4908	DiagnosticsHub.StandardCollector.Service.exe
4908	DiagnosticsHub.StandardCollector.Service.exe
4908	DiagnosticsHub.StandardCollector.Service.exe
4908	DiagnosticsHub.StandardCollector.Service.exe
4908	DiagnosticsHub.StandardCollector.Service.exe
4908	DiagnosticsHub.StandardCollector.Service.exe
4908	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1400	2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
Token: SeAuditPrivilege	3404	fxssvc.exe
Token: SeRestorePrivilege	208	TieringEngineService.exe
Token: SeManageVolumePrivilege	208	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1684	AgentService.exe
Token: SeBackupPrivilege	4280	vssvc.exe
Token: SeRestorePrivilege	4280	vssvc.exe
Token: SeAuditPrivilege	4280	vssvc.exe
Token: SeBackupPrivilege	400	wbengine.exe
Token: SeRestorePrivilege	400	wbengine.exe
Token: SeSecurityPrivilege	400	wbengine.exe
Token: 33	1068	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1068	SearchIndexer.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4996	alg.exe
Token: SeDebugPrivilege	4908	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1068 wrote to memory of 2192	1068	SearchIndexer.exe	115
PID 1068 wrote to memory of 2192	1068	SearchIndexer.exe	115
PID 1068 wrote to memory of 4188	1068	SearchIndexer.exe	116
PID 1068 wrote to memory of 4188	1068	SearchIndexer.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe
"C:\Users\Admin\AppData\Local\Temp\2ed57289f857aa6703b91f0ea07ac1338ef4adb784b909852f09d13db9670314.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4996

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1648

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3404

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4856

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3632

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4432

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:5032

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3028

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2784

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3404

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1204

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:400

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3140

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2192
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
338887f2dc3466ecf0996c748567df2b

SHA1
cde408cafc868279444305bdc1851d53e9a45a28

SHA256
8487f381936d9ed2008e9fe33de339ae0afa71c942576d437bbd556eaef207b3

SHA512
236374f3623f4bd7362f857b6527c0c2ea3cb97a025a1c14cf4f883b6f9e666df3e59bf703ae67c9b5d6285bb029cb46c8f8c1e61c1c441235d35f7531577f84

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
cc31b2c31bd89d1ebd872434ce38f41c

SHA1
06907972882198248f83ba112f7beb75c22e3d46

SHA256
f44718d0da2a6d2bdbb3855ad1308b171cd1bcb8085715fa80bee37747bd57b8

SHA512
b738381194206234e106c809c98e25cf8e692bae39f84655e464ef3f0b10882d2ab964fdabe73e63937591f1d55543d76ab35a71a4947da66bfec3f6e3522c86

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
0ed50bc9cea05bc6826af2767b482618

SHA1
67eb420967549bc4db31f78c0f25abf12bc7c9c9

SHA256
ed5b020d0c97db7720150cc41db5e1aebc4f2971b97ee7186f56b6fbe4665bc9

SHA512
96cfba726fb339682569b6c67d8be6687519f8d7af0edd0d6b28113260ddef19e558ec2cbe4a2e0a40dd476d5f89332b2f2210881e9a9a6a10f32b65b5f73eda

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
bb0298b4fc7b107d0c217e2d324899cf

SHA1
33c5790f28ddc2505315c435cb21a3335b3d5f3a

SHA256
dd0528be2a697ad29a1faae46a110352e74173fa1102f794cabc7f35517342c6

SHA512
75ffe3d5ab1540c4cf8a594159beef9eeb7cbd0f4bc9c9d1391240204f4ff160b12f505a9d738b1ea310a673379ae5ed003e055937be861ab5b9f46365ef632f

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
78726b884b592f45905a06ef757902d5

SHA1
5bd7827cebb9da933abbb88c059e6acdfd79efb4

SHA256
01b8d86a77d743282ea28425df0c30696ed9304b54f1e0d5872f94f039f34fde

SHA512
c2a702f002eb47089efbf66215c86db9a9ed3b8b5404fd51fc127fc16f2d01e363eb35891b536b0f758f21614dd701acbb1357d97a6b1213a4c0f18f391150a1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fe8f7a4304d2ad351d2414f300b39c13

SHA1
3d209fc86b07ef8241ba40f78856d1de29602c23

SHA256
9b9ae8bc36e37000f8c7a7c08750057e401bf8db938a2de31f19e237b41e4811

SHA512
317bcf5baf0887e6ba1d3b43c1e5441265eaea2c4298694d2dc5772ac7dd9762cfe7d1b7d7ee20539b16f6c73c62023b7a45a92adcac8e053797c79e19e06064

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
69af19430cc03ac75cb1a5ae5513e55a

SHA1
54ca66bdf569ee2ea3288c2eba884a11c3089f7d

SHA256
5839688ec0ea41f22536f181057d4c54ade7c36b6747710599c7b4267497a44e

SHA512
6e4af687a6cc56761d69e6b030b082bbd63de90215d1b9b723576eb71aa66bc10a9a493ee1d2961b99fcd36b46ab60cf4751e81e935226ec33ee80d6e3cf7315

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
e89b65a07617c63cdbf51da9a8099d3f

SHA1
5edb709d0cfa837822b7b2c4999d65be0299b82f

SHA256
59168ba48db1f0479d3b9f42a3c86d6bc8c4aa74f50880335466c427c9abeab2

SHA512
8a1b0cfa5b23be64c85d2935bddbe7c99416b5812d3c2922a8047ca07f039e0310d0f46236fb3afa3068e88db35a4371f1b53b9370f4663d6d06a0abdd0c518a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
47933604bded8f4865d726770b6e13aa

SHA1
132d12d07d7cbc9b555afa916aec3ce6bcbcdd98

SHA256
4166179236ca7253a5a4c15cc030c5066a8bd0ef64da579eb29725c6d16cb0ae

SHA512
6e50fdd01b262157088b5853f78b497866f6d8d165e9de2ce81587812be13e7e3b56d754256638b9a419f5b0bb44cb7b5f93c2df5f6de2174fed29b735132b52

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fd2f2c82b2ee80621215f66bb964febb

SHA1
74f111be61750522f93db4c62b8d25d8002e326a

SHA256
3cfd4ddbec0e07ca3b08461c8b17d6f1d3990c2a819f89069fd9890931c89b94

SHA512
6d6ff7e8a4eda9696ecbaa684d32f90ba83c6dac3f0c1d08f1d2952dd8f6af8f75fa2cf17cc86265596ad89711225ca61ba91e40c326a9a7ec67cbf193b8f5fb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
052300f00f4579fb0c0f0baf538bd704

SHA1
060bc01cd2fb23ce8532c18356eaee7ef765b7d5

SHA256
f7cd0250156f763f7b56e7da067b082a328e15c31fe6a59e4a9d2b64feec3f6e

SHA512
1f15b0383b9732e47c64e20815d7b232b4f42b5a2cedf4680a39ba4c95f70226406f033221af10877f2054e63c6a7388d3956a11e8c79d3c46257980b84c1ba6

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ea834902a00ce8df4772fbada336e796

SHA1
99d9926005f326d41e646e649973e28f598ffa75

SHA256
e29bf133317ff0366970f9434315033c47c2c4a58169a831d01916533a68cba8

SHA512
db09ca1ddd567aa567270dbecd77dba452e5b4315cba1ddfe06a265c3378ee3f75f93e660557b0c9543ded6a9070a6338d3e1780c8e380c7c1d71ba04b8a338d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
795deab8c806a41b2338f1283758a4d2

SHA1
8ae2a040ea704a8975e2649652d6af28e10d4728

SHA256
b09d89f606c22aa4090b50d7051bceaf5cd5bf6a559c55a3aeea81a3432b4f66

SHA512
64d92a4a508d022aaddde6a55456d4da5927360fa97b4aadae1763eef2d262ece2f5eb155fb9887deb5568286f7528d281f7f893666d1021ea84108bcc8e67d0

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
8c323b3144f1aa7560765bb5e2ce5595

SHA1
9cfbc727fb5badff668e3b43287336d79a9d8531

SHA256
ed200e220813c094188543d7fead9d60fdf05d287978d1248b7afc5bf29c3d29

SHA512
21b249f74f510df2c709bec167c9eb99eae1d8bf0bc8c43a8b0fa4e0f67362872ef05c749226733662df47420e7839b489778b570fd2916a5a25e67d464d9cf0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
dcc5912838fbf1d76188f1c86b8802b2

SHA1
bb01f96adf4e969b1842f0772f295137bfa6e4d0

SHA256
4858a10b1025b94b99f87b026b632a0e2df7195d9642a94ffd98d27230c7f239

SHA512
62eb639539219aa4cbdd9c50b331c4cd83bd3015e128421cca0a9ca67054c31b19e47ad933d21f9fe78614bc0f92876dc749a77a3732619f1cc5c38b768e012d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
d6a009bf99e5d6f3108a4cb8120c27a4

SHA1
1af1bf9c2e099105ddfdd2494d14ff9cd50cd071

SHA256
30578a85760e0fbb1482f899dd8d682fdf667baee1d3214006d3f3fa106acd56

SHA512
d7a702c6943c8560cb2be10ef63bcf75a83f854f761f6dfded461c32f43cbd83c5e0f8ae32947fd51a8d18dfd2ef6bcbcd034dd963cf846c51fe39b078bfcd2e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
85df81b354cdc0b2a55edd6e74958370

SHA1
aacbc06d0f3e85c051aad9aec2b5731aa38a364d

SHA256
d914acc42c8696626736c7e2f6cef72b68679a9b81ae03e4149ad6201d2a8e0a

SHA512
f98fd4d37f41304f8dd523b96d5d5ee9c0d99556668339923220db638b6a40e5215e070d3250cdc4b594c9f4ba76d07dd66d3819222209ca7961058cd83e8e21

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
cdcb0265c0ad86af9bb4e8d0fb9307e6

SHA1
34443583aa7d423e64f8d57eb17fc03068c2d1b0

SHA256
7d64b6891d2b938b888ee544f3dabe5b028df6cc2f70a9891c987448579e38f7

SHA512
615a257f98fc89177dc3e45e08e776524376be02f299b6d0148062c4e19974029baa203ac396f2a890df265a8a7b0db8f54bfdea7b98f96836bf2807203e53a5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
beb5e2d78e1a1ab5bce69475eff3eae3

SHA1
6bbfa31fa9e82dd17f7c595140773c5c5d24874c

SHA256
d8019cafae2d9395ea3437b0911bca2b113e06a11d0343e362a9ed1c3f415014

SHA512
9405a1ad96e986aab6b49e68aa32bd80e6cbceeb4e7e9727ff3f9174d445bb0983a625617156a539083169c014e0b638f545ce9d7e60e9c5bbf87cc95975cd71

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1be4ae0fce8a62b52178f104209a16cd

SHA1
aa88aaca113ef3f4c2330e8396bcb423a6170d73

SHA256
7723fcc51d42fc41016605ca1fe9ad73f8a442565c724361ea44ce477dfaffb3

SHA512
a28ec4e3705826c45cb29b2e9b8edd005195216de7b443ec23004cf6783751aa8d49c69b2c26dd75acd61fb4fae98141a1927a0d3e95d9128883811c7781bcd3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
9de7583d5638ee2c4a34ac99ae3cf528

SHA1
2d093efdb6c3361690d6effd2afa8731a386ea97

SHA256
b7ecf531a359a5f0ac42fe84e92ba58ad41e68ab5cb66de91d9324232c232b4c

SHA512
536ff6d829cdaecfb246cb96858161eb9ba14a5f75fe5e4d0109d71da61d75495fb2b47b8b76eedda9f9afa463a46ffcd75b6f52cd75ebab8772009577daf159

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
6b3c8728f2307879682f6b0d704f8a6d

SHA1
ab075ead36ceab356fb24d3dc1627fdbe4453a93

SHA256
e3f83d1dffdaa93ea123d2558c384ab5d52b605b18d41c001be2948a4e88a8ad

SHA512
b8f8debaa564c5aac5a6da997f083217c7f48c556d7a9896097f198142b27a35c9704981f94a25baa625a299928a636a63f47c3dd43082a4a563f8517c3a460e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
fff0456d4b34d0b80ca772b248e8c3ce

SHA1
f03ec897cd021ddd5ff32de58e9f88c352c33d79

SHA256
4294b82a1c87cb887847ca8747a9fb55bc276d9558a7a8c512f095fb588d8fd3

SHA512
d1a845d28d46005ab0a83aa45cefbddba7884301c4828e836a921c92e8b7faeb723d9072cca4f5e5645cb436893b0e0d95c95778bd044412ed983b61e404df23

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
dd47ea73ffe5638eda704f5d314cf1bb

SHA1
bcbae7961abea59ee1b7822a061678238de53a84

SHA256
0fb3355f1634ae61aae5c6bb705e3faa583514bcf3d3474ba344dbd61a4d59bc

SHA512
48d469263b5eb6b5c93a0233bf60719b8ff46701055ee31d974d479f3538fcf1f5a60aaae456c6cfc0e546004cca383c2da98f36fce40983925a840655b5baec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
05619db2a575d77f7fac326f7f57d905

SHA1
f2a2bdb5ea519f16fb25f050bdcfc7ba393c691d

SHA256
b102973843cf3c50d947ec3be48ad5066c350544655866ae41721a742297897d

SHA512
2e3c82d722cfd53db1cc324e79e19e512e9b5dae2ceb962358a9465a36918b2866e2a72dd65d9423212434ed4ad706c50a5e2e220df130c361ac542f0fbe2fe7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
e5ea3adee0f7342bc67aea273b580c80

SHA1
96e05dbe18d96d288500553b49cf9cf9aa6fa301

SHA256
b771a5f4a17b1d27568172227bffb7405616b16e1de8d53e5a7aba9072404f97

SHA512
bb796410be12fc61ed9bbd323f4410df95c9d6b45bc118b9786fff53c95cd6444f5363e39415638568a36c39ecf946dc0faa14de99622de5e0796b1b043f12a6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
858cd4e7fc34c101dbfdd93970d7541a

SHA1
75545ea69199ecb6e57de6c9dad7953b6d073c02

SHA256
d53f10e686b7cc159292896190646eb973547a2c4713f371e9eaa36b1ec5080a

SHA512
3daf25fd96e5ef0a36df32c3db4a97631407c078a69d26a5232c388fdfb768fb06835a44d7dac8110b14d90f8e3e399aecd76c4bc45cdf98bb1cef733f4e8bc2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
f234db62783be81b05b349c5a21f997d

SHA1
411191fff1ace5666e3bdb2fb839ef09a0a2eacb

SHA256
2a9d7676ed56f9d7061396ae32b3e70f10991449ee01e1b8253f0d532dd5f680

SHA512
a871a12df2b6e2ad4d7bcaba19ffdcbecf65215f2397b87a56b91b7623fc7e844136220abcf72b37b24db2236548d04cec122da62633204dfc44fe4de70f2c9a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
813b30b697b13e718f1e20152af324a9

SHA1
d57b9ab5c7b044c22ffcadfc151efce068746911

SHA256
1b4312acf9d91a5221fa160918a1f7ba69411f3a993ee070356274a01154368c

SHA512
5db2d1a6e207718e50340290fdc01567626376d1737263ad408e2336ea2bfc4809d5f8e4b1c9215e5f7043bc1afec17d64a055818369defe872cb9a450f92d0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
0f9d61b771c2a0c54a1080ad82b8000e

SHA1
c1dfac8494168c81689e303799686d646ae8bd1c

SHA256
1bc7daac653a462fb7dfe86f097b190dd8074dcff6558b79ff53ef1a0f8a81e2

SHA512
0b0fed505f73d637e8a64b6569aa198de3d5ef4bb6242082fda300db2fce9d28cad0d7081d08843a825da54c5e17a1ef44388de1d1174a6803a8ae8bda7bc10a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
cb22589183fe519d14435968ddbf9f01

SHA1
2d9c4222d4ed7edb080e9ede18c906d28c7ea49b

SHA256
69a38e189b189b9848c1f6ed056b60971ca3f3ad02938d10a65b8e48e292a8fd

SHA512
d7c6fc6601957332e988c35fef881123619e9b7fc8aa5dfe94f1276f7aa81bf7eb537d5f04ae88c160148f3fbd60c69af41057b0e7a602179447cce3519e3fe5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ebbea56020c769c825c76f6a49988f69

SHA1
710dd88085a2e32c3b5a20d4c612006470ae9103

SHA256
51662a7d6a8e2fda05699fd452ffe386d6092f5314237f8ad5bc99e7c570e07c

SHA512
a4d3ff2235c430a1e799b5c387474206f664d37f81ede89bafbde08e74152747f73f82eb2e1d7b24e90b4cb788be9ec9897bf093f476f7a51fc6cde15595e9a9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
f2206800eb150bc220119b55207ea632

SHA1
c32847509d672fb3c33eb6beed2177d89092015a

SHA256
df09cbac6633789a507c8c4c65ad2ae6261e964e7aeb46649483469b2df13d92

SHA512
146d373c9cd0cc082b5766add44352f60b30c8a394fa82c784f6eca3b4ae075439392300956dc75f1cf2a26269af3b44e4a3c5d58751f582052df9c5bae326c4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5734ad803cfce3d6906debff9b6d4eb4

SHA1
a086dd3b58e82c7fad66e85f2d8daff449b6d1fc

SHA256
c4499b213b031fd0f79be3b10a269045ca32062e8d5e282fb0be14741f9a0ca2

SHA512
67e6af21a126a6cfe7468a6a15334e544f3dd5c22af648dafe6139a082b14974352a43c8e8bafe1bd814d460354fe74cd392d5d5fbd16077cc8847f745d85153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
5782f8ff0c3fc5d3aef793a6fc863ed6

SHA1
a9f27b6553b52f608335a42472a5c31b2f7241ce

SHA256
3f066f78e036fdcee74841f6e6388d944c89c0536030162ed2b299f65ae3a16a

SHA512
30de4ba526a09aee95622a727347d70d1c8a6426c213f0a27f3d2160edb396f7cd39503d01f4b7b65713b3d1bca8bba0d6a8b085673000554fc48b48213d985e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
19c0871a72d591121298f212e42de223

SHA1
6a490defed61e9684925b1553b478a33fe9216a8

SHA256
e602ca48a335fccdbdec402dabcab3917e6207f8ba1b75febf8c714cf7584672

SHA512
99bf7cade85a29941164927eb956648c857599ad399091f39a59c92b25c5af38e316b290f72a6f654ac1c0831b4f70afa13293f2bc9dfef086c43f1d34f76cb6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
536b2a99923198314485658700311075

SHA1
e57da97a55adf7ed9608cdabfa61a92a68d2d915

SHA256
436aaf393bbd909aa9405ca9aee50fb2f1de9e50f8f740ac03257a28147befcf

SHA512
52745fd01fad4f8c726577879a51a0c5e8783d339b72288c603a217dbbd992382ed5112a47639b061f662093e624f43334076a3fffcd367a6e00cdf6c33e5e2b

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8f42c8d509076f390241ce66c6f79562

SHA1
125034f4f93304c27efcaadc970ab5ad5415926f

SHA256
b5052b0a5c116878887e3cfe0366d72cb167d4a8e3058626b107aa2398f8dbc3

SHA512
00e38cdfcc89682c2a198d05fc6b46bf7f84ddcb1ecc86de9accb9f958f023a49c32332acfc7c29a78482ac8fd98b8cd1bedd096e72806199995f2afb1b3df5c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fa1fba108dff17d68216df14e0d6a82e

SHA1
36280ea1cb1d831b00c6ae36a35804302026025d

SHA256
89967003d3fd1104e5d0b283b11b75c31dc4f748ed05e814a75f3907e3163347

SHA512
8b7d25afc2cb30ec46dac93bec34a362e0cf1ce96684d954e0a4017248a8f2448cb28924a7ee78d90ad05258601947e5b7ab84c3e83ff044ce7c2718ea3eafa6

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
7c62bbeb407d0043836a31f2b25f132e

SHA1
4b52c890f811f4e986bfb998c1bc31e6840e2ed7

SHA256
22da798c800d034839ea588939bd7fc037d87afd89a67c9deb89a06ba9f0c191

SHA512
f98da8b774ad0fccbf573123f438c5b600d6c332eae83b4cb2ddafae0004b355781ec34548d1306c57baaefef91831548d06571b93f0082bffdbcbc85060abfc

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9731b63e7c9ce2a9b45e672f6ef5d656

SHA1
59a80df2169d169d409a162113fc424658c9a3cf

SHA256
551bf2455353c193b8284ddd60481236d9b63f7062c8947fd492e07624a6a682

SHA512
7fef50184262e1c284e964fe0a5542e3482b1a45eae2c3a0aa7c2dba35d87441c2e9a3245f69fa5d9d4d3aad64d2c91d24a4cc871aba705d1c5570491f32e764

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
eb456adf58fcb5e9d938822785199b29

SHA1
f1a1cd8735692cc77da8c5d8692400b49f3cd6c5

SHA256
bd6b481630975c1dfcd8d675b3a34157ea8defd4db60c41ddb6972c9c9772ab7

SHA512
76b28762f2d2c3ff4a996ce5331e3761479b6115062a3dbef59a63c15534704dba7c95fa83fb2ce5861578140388638b3c975960d5250bc6d074a9bc73278203

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ac256f8bb40dc9e9517774796a225291

SHA1
4c3f2e36f37945f8fb584df411a06a96bfdb7903

SHA256
dc4a53c44eabef001fe8acc1d194ba14ee4c79def01b44d739224311f481476b

SHA512
39d203ec66b41fd5da67fc0795389898902501d7eb2a51df9dfa773ffa22db0d821d53aa6bcc97201574d066691336c56f264af64eb79796052d21212b6c0f2c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
2a459531db1cc9b208fa152314075015

SHA1
af3465eb22cd5fee68ea8bedaf8780ec74f13543

SHA256
0432bd82b64be7e9951db1cc300c9a4b33432b1fcec39b43c7a39337aaa4c56c

SHA512
678f3da80082d4c086ea4d5fcf456ff6c56a517f078eb4c373124f1a5ca385c9398be7d1210909e33427f0b62384a430455bc943317155dc413dd838c21bfe7e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
ef4356581e142f52737e3a69d781decf

SHA1
0646318e06b264d22a4fa7e059a097933cbcc2ea

SHA256
3665e75526c60d63db3c56f02cb3240b59eb85bef6203ed230ecbe222d95f0d6

SHA512
c58dae67f7404d918b4ce1a1b3ffd85bb5424e785e50ed1aeb73ae9553062c981b580e6d5b46fb3f66d4d4f3ab45906aefa7d791d1d839261794d8d8b3e99a15

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
2c80b73c90e8ff26ef57d74aa80b6b2d

SHA1
e78effdee7d33b7582efe02d61e16ed6df4edce7

SHA256
b004ac748a437073625735c97a694ac209a92afee22f1742cd8cb62f254f80fe

SHA512
dfab8bf973fb189c6fc2749103bfbc2b8c0b38b669ee8854cdb5ed737220568e16c6a0c2db60d0c0696a5aa7eaf70480015c6649262178106b23fe7d90948da6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8505dd5981735d317d3dc409c0834c9f

SHA1
41d6c8af972bc8bcc639c75bde2653f94f4e7f56

SHA256
25a779229376b9a995423f50c316369bedb2540e263363cea3fa490ff900c94a

SHA512
5eebf8a7edb6dcb3750822e2423be450c33a843d0a824f8fb9168347bcc0d64ccd1eacfe0b286751264041265865002224f1afcff9f66c197575722e755ffd9c

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2df296e22e942860cc7eed91f03f0c18

SHA1
bf23b85ea030e52ef6ca6c365ad6a1629bff0ba3

SHA256
50c27d71291465e5edc0354d91723e47a54562d29791623aea03f897ce216d1e

SHA512
2190d09e82eff38e591f5365e5f590abbc3935e93784567a38fa28e1029f511afbaba65c36ba3b1d372bec8603465f3325e3b2628412e43d5766827341564457

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a07d02c99d838ea268651f86dfc253fb

SHA1
479f779c45ddb78167a69c872fef154b07480a32

SHA256
830887b42edcd14f69d3704fb3e5d2bc0518d2af6a39d25cf42c988b98c0ae42

SHA512
4bc29c7fcb4011e73fe11ac72afa1071d3ccb12f2e05030fc30d958aed40be6c0217808403e736a3ede492d0e95e068fa102bc509ba5adb653b3b852d03e6808

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
129f44898d6f5a4483dd6d83f8462545

SHA1
ac46e04aca3eb4e3659465e35ff47ab1e1fe22b9

SHA256
c0ae6b7d0b1dd0a942c447a2b3dd3636e65f052aca76365cc070709bc9f022e8

SHA512
802f84bf778e29caf5ceb3a42f4a00488c75283dcd29616638cfa6c24876bc2e6256e3df117a6bb6574189ff4149bce60055ce466455a376193253e4f6fb3791

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
af157b91c0217dabb0f4788a0ec5bbeb

SHA1
97a6587161c6cf8fcbcd466d387b9c7ccdf97934

SHA256
b5a7a4ab679fe39c4513a11ce764c58e1a3855db6fd40ed2d1fbcaf808b7f2ec

SHA512
9e404592cd1ef334c087f83e4521c579672328cc354b9fc02d47cd2dfc552320a8207db36ab5268c5ac1ec6627bb1cd463dd336b0f2dc5f50f54805b8bd46c89

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
9528a2b2247b19c9024a769b30049ddb

SHA1
e05b87d61ee61ffdda6b66c0bd9e369e306c4bce

SHA256
c364e4a1eca873277f56803c93a186cfb7df7030e36ea4cba3c4bb5c04a045da

SHA512
356c8cbba450be6a59ac19b664ff41a907823bd011209dd5e5d35ad7efd88dc6863b8900c0a4a080855eba751d4b785a2d25614afd04d3e759d95f05e2691ef8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
10df247f7301a4d82688539a24d5e51c

SHA1
49f6f109fc628f0551c55363be54727d050c8332

SHA256
3102bf787e7ef254b651dd3273b6c8dce5d84ece3b10b5c4ae06273d9b7df38d

SHA512
afbc17ccdea30d105e4548810c43bb4b91f2bd64fe13c6453938f39afbeaef81f355627721922256f401c4261b00bee31c2d1bdb264b5f6b33da392238faede9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
26a5481b2be7933dbcf21d919247aeff

SHA1
1445f17699707e69ece8d920a8e124a01e777815

SHA256
40e977a5c8c2b1718c28a6c345dabfbe20d304ee498c21f7fdd658523bc712fd

SHA512
92f2cbc4456a12039dd54d0e6cade3d335193884729d95a26ff455371f5c5cd9ae5f65ebdd42e7759c0595ac477f28f1377234a35a2be5dbcc7097c7c84e14bb

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a309b8ca6fb80481b40b9a3d26dee9a4

SHA1
e8c3c614d7427f36fe5d8aba0f98dfd490b1b1df

SHA256
658d2213d9c528396f9325450337cd42f4616923f312ffae48e9a8f20d7cce68

SHA512
74808ad46d476f317c58e9ceaa2c630c93cd6db539b0d12d01c75e7ec2b2757366c9d39c208a0016dbabca93c2130e0bb8fb7465a5ad540a0f12e5d436bcf6f0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
1b9f5b9789e14435ec09c25c383dd7b0

SHA1
b1d8c722cfa12a801cf4f5751820794445580b62

SHA256
5ca7098fc4ddccbc30ef22dc4e365c7d3ed26ec5373a256da10225a8c9b79928

SHA512
73b412d8e75c2558d57fca6b17ac35b15f21bddaa2896d7a595857c60c145c21a04ce056a8b307abc5ae5a54fff2fb09e022ea1d2dfdf60377634684103d7bf5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0449faae304c5cbae8e8dbea7f47b7da

SHA1
b4408b77c76e91314b12face330532cc05cd2d51

SHA256
c1c4b5559ef379bdc525c03eabb47fd91d5faf171aaf5978229fbd5d7c742182

SHA512
b1d98e69ef832bf3f2363f7960357d680e1394dd5a7c9729c83bac7f741fe7d601e1c62ae38608a6267a111a3f9b13b6344a0e83c49e4d09f000eb8c059411cc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ceaa04d1b6e9764e01b423f548e32465

SHA1
435afb7aabdbb5a09b199e1c8b6940550e014498

SHA256
95372ba97dc8f56ee0da6d06b1cce46b05f85b94cc9db6084b9e9f3408b5cd5d

SHA512
3eb7184c466cbbe497a67f2f0a8006558345fb479d454a7092ce23c848a3fb66172bdfaee48103532533da38e9edb0a647dc372f8ed0c203247ec6a215f0a1c2

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4be47fb1a5cf576f2b640fbed67e1b8e

SHA1
3553b9421aa8369c784dd26c24dbe403d71d139c

SHA256
b1ac09512de03c0803566f447b21fb8e9768490cd17365f297d0035ce2eda09a

SHA512
b2bae9755591b6bf483ad4a1eceea8ad210e4361df36d9e0a2cbf50f42666c1edca7a02738ade82a79fe3ee8cd547c75d8a4bdcb6a7fdb0f9de9832582f91c7b

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
d4acce635b3b60a894c63bee8b2afbf3

SHA1
c0c259a6cceedab48fd0f09e6283094fc36e6cab

SHA256
ca3b8a3e42ece1eeb021ce9b7a3594ed89bb238ee7a7bb0aa596f825ff8eead0

SHA512
8df581ae8942d47e0db50943375a5795dfac8d4e7283cdeaacdaa617be6655d1fe8e9db32cd6c1f828c506bd785722025cc0488494d61e36f0059a94112bfdef

Download Submit
memory/208-288-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/208-348-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/208-282-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/400-343-0x0000000000B00000-0x0000000000B60000-memory.dmp

Filesize
384KB

Download
memory/400-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1068-362-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1068-371-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/1400-134-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1400-1-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1400-6-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1400-592-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1400-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1684-301-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/1684-294-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1684-306-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1684-307-0x0000000000C30000-0x0000000000C90000-memory.dmp

Filesize
384KB

Download
memory/2784-292-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2784-235-0x0000000000660000-0x00000000006C0000-memory.dmp

Filesize
384KB

Download
memory/2784-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-279-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3028-222-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3028-213-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3140-349-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3140-357-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3216-204-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3216-211-0x0000000000520000-0x0000000000587000-memory.dmp

Filesize
412KB

Download
memory/3216-266-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3404-322-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3404-105-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3404-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3404-112-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3404-115-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/3404-117-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3404-262-0x0000000000560000-0x00000000005C0000-memory.dmp

Filesize
384KB

Download
memory/3404-256-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3604-157-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3604-143-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/3604-145-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3604-151-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/3604-154-0x0000000002A60000-0x0000000002AC0000-memory.dmp

Filesize
384KB

Download
memory/3632-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3632-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3632-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3632-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4140-242-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4140-249-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4140-309-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4188-669-0x0000029C87030000-0x0000029C87040000-memory.dmp

Filesize
64KB

Download
memory/4188-666-0x0000029C87020000-0x0000029C87030000-memory.dmp

Filesize
64KB

Download
memory/4280-331-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/4280-323-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4432-161-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4432-225-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4432-168-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4432-160-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4672-319-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/4672-311-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4856-126-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4856-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4856-120-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4856-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4908-95-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4908-100-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4908-93-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4908-159-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4912-276-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4912-335-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4912-269-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4996-142-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4996-86-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4996-87-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4996-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/4996-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/5020-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5020-182-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/5020-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/5032-253-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/5032-197-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/5032-191-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download