0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25-04-2024 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
Size

1.8MB
MD5

626c977d19e9e9a6ab57ca614fd3e465
SHA1

c73a16970558c67a21aa001d69225a9963cc2f82
SHA256

0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f
SHA512

a6d1eac310d62efacca5fd5021807c2fcfd5e7e2cc3a3726d6e5f1d481308b0e17b1eaf46fe67929e0c4926731ba16c082e77a91ed9378b12670c5d5971ee057
SSDEEP

49152:+x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA2f9Ckt7c20+9qNxUW:+vbjVkjjCAzJVfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
640	alg.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
2764	fxssvc.exe
3636	elevation_service.exe
4052	elevation_service.exe
3452	maintenanceservice.exe
4204	msdtc.exe
620	OSE.EXE
1848	PerceptionSimulationService.exe
368	perfhost.exe
4992	locator.exe
1552	SensorDataService.exe
3936	snmptrap.exe
3312	spectrum.exe
760	ssh-agent.exe
4056	TieringEngineService.exe
2928	AgentService.exe
2032	vds.exe
4124	vssvc.exe
4828	wbengine.exe
404	WmiApSrv.exe
2088	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\System32\vds.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\locator.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e24d5cd67d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\GoogleUpdateSetup.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_nl.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdate.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT373D.tmp	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_pt-PT.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_ur.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_hu.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_kn.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM373C.tmp\goopdateres_ca.dll	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a89d58c9bf96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003256afc8bf96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000972743c9bf96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060ba92c8bf96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ccda5c8bf96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe
3212	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4692	0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
Token: SeAuditPrivilege	2764	fxssvc.exe
Token: SeRestorePrivilege	4056	TieringEngineService.exe
Token: SeManageVolumePrivilege	4056	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2928	AgentService.exe
Token: SeBackupPrivilege	4124	vssvc.exe
Token: SeRestorePrivilege	4124	vssvc.exe
Token: SeAuditPrivilege	4124	vssvc.exe
Token: SeBackupPrivilege	4828	wbengine.exe
Token: SeRestorePrivilege	4828	wbengine.exe
Token: SeSecurityPrivilege	4828	wbengine.exe
Token: 33	2088	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2088	SearchIndexer.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	640	alg.exe
Token: SeDebugPrivilege	3212	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 5700	2088	SearchIndexer.exe	116
PID 2088 wrote to memory of 5700	2088	SearchIndexer.exe	116
PID 2088 wrote to memory of 5744	2088	SearchIndexer.exe	117
PID 2088 wrote to memory of 5744	2088	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe
"C:\Users\Admin\AppData\Local\Temp\0ece0f0b804b30709f3b8c8bf87e4660e10cf312f2c524b419e645032c22601f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4692

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2764

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4052

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4204

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:620

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:368

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1552

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:868

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4056

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2928

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2032

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4124

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5700
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f0ae7c0f126de6c2b24568beafc29491

SHA1
9c525f8cde653d821f770ce028672185dac624d6

SHA256
ca55ffd6a3b0303edeb5eb2e6979e305d9e6234dd04fdf2663bc1294c6adc82f

SHA512
29f512b19ed7daac0a1d0b25ddc2c79da2f11254fa08ad1eb82606a04820a16bc9c432494013dc115a90f3c4f203d9d1b6a637c33b9f6bea03c4753d75171e1c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f683377e79b9a07e88660c741dc2ab58

SHA1
c8ef15a7bcc797de08cfb5c1debd9cd27357d0d0

SHA256
a0cdd546165120b95bf3848755205f0675e301d049dda6ad9555dec52e7309ed

SHA512
31e1419e60d35946cb35f726e6f9591a06572be16e4b918030639a7753772989c78080cd85c651f22c52a525044a22ee5bb38741aef39b2596dda17d0406ee9d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c3eb29fd5d0c57ba238a681d52989c8f

SHA1
7f1762eb9c2b3141d51ed3c6c7b23ca40799a25f

SHA256
a7dbc961981a7e86a2891f63793132fe3c8126f09de9a0a2a9759cc31105a1fc

SHA512
42f4454c8c7efa6b9d295c07ef0e84b682705df1ce78135bcb47be85e76a1f3802a7f1128c20a29f41d84ccf1543383ed7529cc8020051adfdf8b13d79dfb967

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
544cd400e85a8b8ad42a08b239bce960

SHA1
396ba38447d430066b278a68476d7fb82fdf7228

SHA256
4c82b2c26f337bb818a0b8a0febbbd67111e8dd4e646661da41e7edb4c39e79c

SHA512
6640e5a91143004d483addb93b31d5cd14a9e1fdfd8573e1d070a9114fe87d76e80d795223c54f857fcb528ff22d0430c09ff716fa484fcb4191fbfb5f4cf6ac

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0c69b8d3cff4ffc58b537f6746ae8ddd

SHA1
c8b551020a17b71af7423b2fd30e7262a51578a3

SHA256
1419c9fde5b7cf46b9a546cf9b97bf33250a793a43e05f46fe73f03b4f52e74b

SHA512
30ee0b8df0a1bfd8c85ec859ba46109a11550560d0498385a13e76675bf1df1683b319d78e2582d256629e0edfd63427161999c8a412a731566ce10a9fe43603

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
e14e7a7f8860e8400ed2ca84d75c3e92

SHA1
d1518774a3c3c8ba38910a10176befcfc30d6455

SHA256
2643aa7fef985102abc59e779b2b8ea01f31175d170127bc95c1ff6f025a8037

SHA512
598e2b30a818821834c64863ff771d4394515bbd3e43779815fce504745c9ec833dbc166e7ed30a7dda8d83ea4a61c26cd36c8ffe53012576dfac978a252ee4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
f21d26440ae44ede57f619fbfd9925c3

SHA1
da0a20ef481468d1e31b11d866f625396dc3d089

SHA256
c4fdc7861a10f7d3520f36c9cdddbadd0b12fa7d10edf5a7165c18660b1490ba

SHA512
386736daf9fa1cd6b2f74c8111b16787c1b67b2a51a15298253f939c6bf2ee37848e18e7205d95a2e5d537c2582ac43f08516249eb822c095416fab4eeefb941

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b20dc9579b2a242ad02e0ca1d23b4222

SHA1
315469bf649b89f1f9a4009a16edad9724a40b9e

SHA256
4a72e7572df964d6d08a8f94818a310ca9071a590a16b7c3cff50b677b8edbdd

SHA512
de0c8bce22a97a9aeb1fac2c0f0946bca1de94ae12c9b2d2d831533ccdc682154ebd0cb4d7ac92d32b5331a43fe888c33bf9bd668c83ea1c2364c136ab49720d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
eb54f2d4d3ee885cb35e8fc4831f5264

SHA1
6e380209601205e9ef0fba3d58ef9a7ec2844bd9

SHA256
30b97b502e5fc206ba79ead5fee75e12f17190a13d2c3ad4918de22ad53e48d3

SHA512
851d1062f36bc80c60dca67f129be897488728a45dac97286403aa033eb515a7a9acc2f623aa8d22d8bfab859499cd351dbd12080f7919409933befffc6d2371

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
889b7e72c807bd43d78240a5ec9d92ee

SHA1
5e16c53801b2dca0c9bb8f97b958c5b7e7f40f97

SHA256
31876f2072e9972c9a5648f0627b3806a754c071d2f50388da88195b61272736

SHA512
9e4d5fecbb017c1777f7dd6e328d543b11ad80bb49e08650fa264bf0cf78a5c6540619593606cf0a64090987c3d018d6246a2e515ca003874fe897c6db06d967

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
b1480c4ce773e9e494b2de5a0ec4eb94

SHA1
7e79402a1e2ad43232fbb10e033fd2dcc8dcf459

SHA256
0845c8d12e1c21e01e332e799df7c5433f41039442053d957a7f8638a38a5871

SHA512
f690654503bc1cabcb095e4023b8535113c4c7c9a854a5a4bd1942b0d99c4bc7d25922e5096ded4e8e3c16c0499c97af9c582a46b03a1276e0df85843230d6fb

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a6c6b3137f90d70b88bd84948a871e89

SHA1
5f62c6a1d7e71ea6945a940c8e043ecd4442878d

SHA256
4b559a4d181c74b9e23c980adf80113f54cdeca216ba6bc98ff7d76d47bb5886

SHA512
251079fc8daff06623a4a73851d3b70edd40131e4beaff3f915c894efb1e84a64d001f26167263107cd49c97bcb6a13b10b4c9bd8d45a907ae557338bf4f572d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
a00a908706856f8f9d3fb7d27620b73b

SHA1
14c47b1436ccf1367a989552feb9812dab851472

SHA256
c32e10fda4f9b5b4bf2ab2544c35319b81861e375b8fdb13ca5cfdaf92ff59aa

SHA512
052d1a48163a24ecae33b752dbffba3ff6b91a543e9f0f8777f62eb8953071f32927791c05c34b8392cbc5805eda5b29fb165718e69e5a49ae53dabf9a4e1f78

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
370b191e066e59ed74e57fd39204df67

SHA1
26498116c07f15d2a6bcc4f41d7a133dcbef9084

SHA256
ee9ef7d4b35ff5c90ad55366de596c8dcefec4563130035140d6768a78f0b8c4

SHA512
dc4cb75e2dfc8f51376171bc12763decc5a59471d66cc0a8b0067a8844e89883c94d8eb38603a2142260d0665705211af307823c3f7339005004eb0eeda81982

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
b99e50af1f00c53363de514d27d7b9db

SHA1
97f9871232cfe3dd8f39879a9b480fd8c4cb1f55

SHA256
9b9b8c79b3c46106765c9973a7aee96b890c54411de35edcc9752209a2e236ce

SHA512
4586e28e7b67f65d2a0bb5fdcc9db54d1846db88c9507e4b1641e7c79cd99000ef7b57423a037015df41beef61a0deab4b0bce567476081c34ae68b57112c80f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
b46b2f6fe45d9d2a7d1ff9792439dece

SHA1
53a26d69cfb34a14df02f7084f62fa545fb1dd05

SHA256
9de0d67adbd22496349d222c90834308cd292f92c7bc55500738135e667695e2

SHA512
836dee4d639d2396b472f5acc8645e189b350547d0260d4a4dcc03de6ddfa49a953aff897536fe93e99d5a7ba1ec391b574df266c34c4b3739c226b0834f35df

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
5deb19b5b9d173d05e6131e266894205

SHA1
a896610e3bb2d081b072313886de88f6a0226258

SHA256
1f84a51641e795f100e6d788ef85085dffd64ccb123e70bdf9e28b9de48626f4

SHA512
26ba76774e295ac77e214eefa0876da602c36dcb58ff6201844cafb4498601ebdeb677cb0035a902020d1f4559da008534a39d328f51f6b50febda41ec6254d0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9db5feb0fa4d0c94387e4697fe376231

SHA1
bc18a6ae09a868596cf1ccce0d8effa4a9953f1e

SHA256
fc8336222462d3365767d218db4e56e9b3ffa7054054e839c2b9411560ee41e8

SHA512
ce5c67a6d32a7e3614f89a74d5c187170c3c1e6bacc52dc1fdf144cb6b97c4a05e994f3cea644ef206335995d7aaf659162363054af5d229c529fe7c300836f3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
a518dff9060433648886c161998ddd87

SHA1
fa150fbfcfd265d27bca563c07d8df34ffb461bb

SHA256
e334e17eb1b38b082cf1e111e50c263cee6ed6e55b404c7b407c7f051066ee02

SHA512
708adcc916c648fd180dbbf923a5c85eb0da1994ca332e1540cef24604ae02daacc15f106da4258751da938b0bbc6e132c386c5197c1ec25c46bcc0f5f04efb7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
8dd26b821026c0530e3d5c75b6f2282a

SHA1
fd80fe0f7255a3a6b01b2753c80b177e2c6cb128

SHA256
4faa4bf7ca3761f0901a8fd7b34dd2005eec77f2674f166d3647f22a5fb49a29

SHA512
41f3d373198815c9bfb18348ea6101ad5cb0a2d63b771649938b46d7a4843cfbabcd59161a7ef870c5a2b5aef338aeb24eef575f593f06c2d5f77562885a981e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
60cac8574855395119558a978b3cfa6a

SHA1
e84772c46a80cbcd123b0af6aaf1bcb8232e24dc

SHA256
844109d2dd7fbd54655a296fdc548a5c2c76b63b4398a8458887ad44524c13ba

SHA512
50b52b809210bf0794a4e77cea23b982ae2fd0a3094ea4f5d24eb03b2b1a9f1546706bb749b4d3fb5ed70d7d7ebbd9f0a41b49388ae68884d297e8d33fdee362

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
6f91cd6b15b646c8d2c047065a4cfe7b

SHA1
042db26f6f9132a3491dbcc13390f9cc7d96be8a

SHA256
34f6e43f914125b67c1c126dfb1e3dd241960e4b8be8f72a44f87a7e5890a41d

SHA512
6bb7fe069c547a7709f44a7e7cc962c23886e0609e8be7862f145ae15e8f278547a93eb676bd6186ad9416d3d122565d3e3788ea1fda67c4ef77042656dce33c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
735760063ee205be9f510d5448654440

SHA1
3dc20a1933c91e0859bff20e52ec8d1610a20883

SHA256
aedb5d8f1d4c60330234de692acc94749797a5b55f2aafc29b942dcb6950449a

SHA512
3834ba4c828f7196bb82a86a5fb4106ce482baa9e273aceb6b4a4b34c695b694d49bd77e73b9d59d017335dcc827b8f5f7605ed8a56d4a0138cd1a906b1a712a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
04afb02f2eba73d8f18144eaa98792be

SHA1
68cbeb7a0b65066d59460ab36073c487ffe42127

SHA256
d4414f2c84f0dc10b62629d5fc97a0d120e3e20cbfe3cdbec0198317565a260b

SHA512
3340f923fdd0b4e03be1c4fef1db56a9d613ea4e686c49757d88267309725f196d2c35b102cac71f45942ef724f363dfc1769976ca2c5d9eefd55f996fe4a302

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
53f48f49292d234070f72385dd3ddd0b

SHA1
a3e4a71efb1a514bf5da689b0f96215754d4db16

SHA256
591b0f412d1486bcdc2913d37f9afd573f35eaa236ed6d6c7e5fa43c87960c31

SHA512
9c9daf640da42d2ffa227608c9a47d521ebf8090d4bbba4b311d85432a9993c773e2d94e264c575032e04bc62c68311f549ae3586ac92da71608836621408894

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7aa7d014669ee68e3a10572a2a440c17

SHA1
9d1c1d7e049ae2efc9d9cffccef2418fb4f9dc3c

SHA256
adc92fefd0b29e793bfecdd932d53a8eb965c0547f117ec339d4620c7b439bf9

SHA512
768f6e04dff70a54ba242b5ad1c8b3389c94c177d816fb491b40ee2361fa10fcfd5f6c70dfa8d1e1525ba7fc6a0b7f30c8428f50bc621053d0ac2f1ec4f2e4bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
8f972cdfa791b55bd967af6476bb7e31

SHA1
5e9db86d8680801910d6abcff494d285a2ca4492

SHA256
6899e8a73a457f63a0b05af66ae8ec8ca3f3cca7aa64039c78070ca5bf54bd0a

SHA512
dc67bbd38ead6d497d360e8feef3da3e05897ebabf6119794c827220611e0ec2735780d6e85c47c56db0785742f317547d5d9c1cb5aeebbd33d8d6b1bdde9c50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
3b8f379197b466814c0d77b9bd64b243

SHA1
a756ebbff4de7eae0e18633980661a258ff57be0

SHA256
6ecd2476c3e1109f1db55e2a4bc76a58d1203b22d2392afaf6cecfa5964281f2

SHA512
9965ad8158511a8b955173ddae3c272b1804dddb61a044f00c2ece438a21f82390dd26c5ac958be7ba746ab178f8b5057049c7e83f6e62ec865c07ca48885c4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
186702516e972c7468b69ff5981178de

SHA1
aff7b4580913df8b77eae4a52c343beaeb0edd02

SHA256
276d2f2bce5ed2a10be21c86ef407aaacda9427cf328859d0f682ebf4c460e27

SHA512
97d1ed43adab7c6ec50de9aec6514d36232917708d8b676b5c68b859971e6029b7544abe857b709c098ff0b48e3708dbc67ffe89e8175622d48045c6404212d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
df47c9b567a3f51c504076db3df1ad68

SHA1
16df28dc6cac1ad3f51e1f2e5f80daa4bd17d591

SHA256
43f9bdd04445d217bf9e3fed1e231d02844066a719ff0bbb4226a2d927f515e2

SHA512
d15b895ff534092fcf099e38242c05e88d46641435f97981d6e4f96724c9c80d53a4c9c56570d3fca5cbedcecd758c980f440888ddba77aff47f11211dc229e8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
f9e5655bd74d6dc6a209df073bd47960

SHA1
3e3c9cff603f00b5ee2edaba1012fcf279c92132

SHA256
c86c1ef9fbaf90fc6a3df739ace78b6034925e421ebb6e02d631fc1a20958063

SHA512
581c5a9b09de0dc2a949941cc8a3194f6e367262c0c756b3618a3b4f5a0cbcc070f3fda653be4f99270f8dae71b93574abb849881de12911d8018c25e3b2ee43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
6a0bc6e4d837dcb33d9ada7f8df696d2

SHA1
7573f3ab68dc72afeae32153e45542cfdb259ef7

SHA256
67aaab4bf5bb1d823ea0fbbbbf73fe65da6cde22e6b0359e85aad1e4da08aecf

SHA512
855463aa12a556f20ce82f2d9d0ee151424e85b03b255a80803c720f7f0cb843ac698ae1b80069e99b45f6d84f7a8f3c31debe09ea3ab119caf97b45762cc3ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
c363e56df7a2f9d247531dd443c4d742

SHA1
023644bd9e2bdaf62522d6ae3a762fbcb663a4ff

SHA256
1cbae28f76e4035ca048826455fd28ac36c9a6651ce143e7a5ab9712b5c38457

SHA512
0bbe05c96c14fca25ac897d6bb539dd941d5604089e4a478d42612cc7c247a7feae15fa1b619f1896ac1cbd7917564d9b592b243aa8a58fc8ed42d40725970fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
079404eabdbfa5c8cde52f4f228a2205

SHA1
e0e443f51161758c8f94fff507503b2aa723f32f

SHA256
6cfcd8af745efb8fc13b346f255f059b6a70e7e3f32293f567e96071da116000

SHA512
b25e01bdc787bba32cf299e2407225d724c94af837e4c8cb4abac3d7adc07a96725fa6ec29b6042611db62578104a32020e0196baa7de12c6a91d37a4902d3ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
db12038e5635f921be0e15f01dee6b32

SHA1
1732b80a916707bd2dbeae3e544513e4b4ba05a5

SHA256
dc5087653f191dc8722902f13aaecb0a13b40b03a566b7d164913969beb61a5f

SHA512
5e7561588da7393771d0d611d4608ae85cb135452f80919653ee34ddc761660c92df95ff88a257827ec2b0757841784a80ba6e62a325be633e994503e075b225

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
0902858781c189a04940efe2771e9d7c

SHA1
76fb6c77fc2fc464fc6662303c64dd2d3c03c936

SHA256
9b0ac6ef64a5c83524d9d15f5d67ff362de756ee089038dfb14d80585768e157

SHA512
b45acac798d90b58651f5a779f78c68c10989e0a10cb76faecf8dfa91f28afbe2ec4af51027d6af0cb7b4c9a5ee8724cfebbd9ddc5f102618208ea7f1c247c0d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e85ce0d8ca5067d41b499ceaaead4214

SHA1
094bf218744f0bd8e97b7f56969cbcde42a59e1f

SHA256
29d0e06032710ed23589775f7a09740765abc236a03b2866735ec000347c1f85

SHA512
1ccc58ed5173ee21ca4a510149d83da3fe524b58de7f0fc58ece6f8a81c0e167cb00b705aa72c30e8197f2a8d6cef13295d1f2f145aedcbdb534aa5145aeca25

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
3c8fed6622fa99cc39c2561c431f8d27

SHA1
81fa688e7784ff64c38b97d0d7b78bc1969a9edb

SHA256
3a7ac304141270482ac8c24d783264734f411f88f1313779f8515b99fd10b449

SHA512
075c6abd70cf2251efd4947d001964945683979115234b4f432f4677ea606eb28efdaee730c2e19c1d5a0268006cffab2eff887299fd28cc27e8e6d155a2090a

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
7ae352e6044988ab7a914fce1abbceff

SHA1
ffa8a0b5c2a90957749175a4254d31389c9d1e5e

SHA256
b4ab3daa6b627b77b776d3b1b8cf13a259df7f09a5cfc3e9a2c7b6508d9f50b5

SHA512
2bd052fad19c8d67d039df2110b12676346635444d489753c0e3d935230d9f88dbe11721fff11bb5e198840b3eac6f0ac8fb959288a58d7b2508aaa0b130f89d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
a0e866c81b605e2f6ab0e7cc56982c93

SHA1
f9b4d9a00d912595d763a81884c4907d118b2f82

SHA256
eb9d8c3d89234481d6f283eb45938d22a737ecdcfc5470bc49235bc2aee544ff

SHA512
bec7953f22356c245c6bdc63136683b4581a09af373f3a449a21d47ea56782dcba676b31a9646535ee8cfd1e197bdc01d477e5161dd8f086e5a5b932dd54ce63

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
ea65676338e5e0ed50810b13f8d93009

SHA1
31bcccb41e247de52c62d06076f54e89d6e26e44

SHA256
fa9f0b1f75336a00a251e1f37171286dbcbd09ecd6a61c477f1a6743400c60db

SHA512
4b793e1e61f90a891d1c3fdb1b9d1928eeb3cf697910cbf21ba4494defaa671da0c22b394907857c95a2603f991b3c99bd535bd55f76ed4f17aab0a9e445d77c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8ea7d1be6cb29b6a94a4c0263be6e5f2

SHA1
e8c1043114a8855ef963cb98c98a516920769e53

SHA256
cc85debc7ca5dfc01233c9d10cefb9af15c1ec5fcbc343f1045c6f5dd4ff2d0f

SHA512
71a7c5fea0c09403281fd011f768a79297e7bac38a246ea946ed59910cad69ef520cab147ccb38b907c2c96a4cad72115a843d595112e92df789fc7e81985d29

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
a0e0c5790e1f4ff3498cedab1db3ac25

SHA1
b2533f257a0fe4c90914e57f63cde16b2989517a

SHA256
6ec32b6ec1f0a56e7ad8ec0fbec5c4433bb43fce6f589242ad6d5782405b58c8

SHA512
c504b981a6db9fdc73249dd161519904530d2dcdb9dbe9f58b4c0831f416d350251b3bcfd7d73f82f4feea2d787394b82472f4ce292504b9cb8af51905be2d45

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
55fb678cbe53ed73d63e5b19807a1aac

SHA1
e09a32b3e5868323192227d950038000193385a1

SHA256
dbdea027aa0dfad1d0947f93deca832a6c65c637b45155c73628b77a55fb9c32

SHA512
d81f5d85ad4589631d929c4e65a5e788c30a053c4e63bdf44fc717c3d8de06f8d8ca756cec6261c85e4b03e1353e15fe0a71a81651aba728516b6146bc04a6cb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
1dc40c8c1908af57ea5e04d52575cb6b

SHA1
9747da6dab9c909e63dd468a74a0b05e1cc14e12

SHA256
523f2e1b25a56ebf9474dad487b7e19f767dc53159e142b4d03332c75e801870

SHA512
1d033a58532ed55c4ef1b1fc646e63c099cf34853cdf4c7e8004d32dd9325c6220bca1b07f635613e80f859d89b7a40778356b022c0298f5e4abadd34dc156ac

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1431ae32fcf10644b25669020d3832dd

SHA1
66bb013d4963c82966bdbf6ba56b425fe2c8afa1

SHA256
5a214b1687cd10fd974fda6075d69e7642410ed5e1b7222f8e2fa0a08950252b

SHA512
dd3d74328472eefb204312a158e94875c6ded0221c5b63c19d7787e28d16e0d3d1e56339d1696cd622a4e3a657716232058563436a7cacea52ee93f1ba802b50

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1fa3c2eaef4cc4507c484364180d9903

SHA1
d44969e24a13b4757bb68ba486b3604ef212472f

SHA256
b97b6e9c34e9cee36bb88a822ba7652dcfb0c1205684adabbe223efc29d7132a

SHA512
5c0e3c001fb5e1552d8f4357c6fe9553f21a1da0c3f5274c22bf1cc100dbf6def320decce34183b6ca8dc223dada23c2c1e4654d4c65dab11664672e9b7b7a33

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
695c1b34432ffbdd5abfb9742bf9fc30

SHA1
6899331550bd32b13d9d179ee3e99f1050fed360

SHA256
d13ca0c7d79b5b0c99706f60b6d5fcfd2ffebfbcf1a2f19fe5f021388578b80e

SHA512
89dd79f7c1962313755612fccf2003a88a0649bfbaa1542f6a774199731362c4478cde079fe5e64cbee175425478ebd2dfce6b8681d94ab2c50f8ad240f70a7d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
55bc61c60f61b1865762e49d894108bb

SHA1
05338a43f50ec8e2614f2e87e939f78f73a965cd

SHA256
03cb48ff7c98e74b5b343a8d214efaddad2452681f964f13f814ca8cfbe45fd1

SHA512
ae2d008f9cd3796f5562863786eef3205c43548ccf043e562419d46d5d65b134b8f73de5b6509f7f3ec08a01b7f99c4c1a6ca64153d1904dcb24874b6bcc6b02

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
15f1c6b54d43d57daf1389c335104596

SHA1
c050e3b0f9f151fee14fd25de77f932aaaf3f110

SHA256
086a7be87e38efe12616d21965f1c8e40d485aacd31392fd956a1ac7f8ddf684

SHA512
8d7b5221522beb64b0eadd51bf58763c31a90d0fe7da617369fa2dee8b15665cea1a527e1ce10dd82c1ffeb40a3a37c4ac30f6fa12e4fc22f5175f3e311be936

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
8407f5c2c8be5758b21973b84a00e485

SHA1
2411ff742053b4110cb25a810da2a6c478f7677f

SHA256
b9915a0a8599d68f593aade2ba885aa6455066ba644334c1da0d4a033e9ee842

SHA512
c3e4ea535ac9a23e11070f8867b868e7dd39c248b8fdda9560bd3c0d4a409641f1f860e38c9c7913e8962f4e8ce293cb66c2fa35b6d947edfe177e3d97b6d2e8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
db7f865fdfd68a53053d5a865084798d

SHA1
54554708a7cdb6e891be9fca5f80915b7e1bd077

SHA256
b71b22baca0d441484ed1edb501976bcb3ec1db15dcfc96acf402bae91b6c5e2

SHA512
8ba027e979c4f269a026a10b5d33c9237b2bf439a725969a6c3c1ec0d193efd345721714f10c179b4a3370f0b08e140c6b6778a4a49d26c003ccfb0693f1e53d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
5f92b8e8f2af7339ec13af735b5082df

SHA1
27c6a67afcc0ce18a85fb54ba576969d47ed22c4

SHA256
09ab8c89bfb3637da48ad7651cc9627ab68990ad4329f826bd5f2e78b67dd375

SHA512
f31e1ace3912b596f6c1df97b7ddbdc5fbbf80806f326fdcdb6a63be9266b7ac37563919487f2d9cb420de0e38b4693b449746c2be045c780bad55a78921b16e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f1bb67dc8d8e9664802047c2dc0951c8

SHA1
784ec31c08a22d899e265921ba6cda237e6c9b59

SHA256
ffaabe9f46449610ba930194c05272da5ebf7dc93683a76ab55c6d29c11e54bc

SHA512
f95fbf4176fde93102f3ef22f666d22e4639b18b07fb326e18a3f00180597c419c3ee89672e627e2ce02606f8bd60c59d522fb67dbfb8f96e24e05dfb6961a12

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
c80a30d0740df277b06a2ca37b0f6c8f

SHA1
a3380260cc8c7cb96523987c25a250f0f755c634

SHA256
f9323725cf6fa7d4a4351dea4a78d58c60248d03cb4b49be3ad01752e4c1065b

SHA512
44b3ef6f3c8497d16204ff8dbbfd6eaaf37f154699c7f9e53004c1a1a7c8c1474598088ffebb97fedb593b20b831c1353d9a0c5e08b5d41001509b0cc25ff13d

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dcb1e3d240ee4b5aeb6c318cb7703c5b

SHA1
47d444512ba2b2e5efda9cdb5a70126b319e060d

SHA256
6f099da537af49a8382867ab2ca3f99d8f6fbddcbbe5b9cfcaeab5dac0b0f3f8

SHA512
ff5e37790a55736787529dc6b2c58f7173c7715195621410405929cbe50230c8511a6fd1a35efb278ca5f98a4aec4c3467f810dd232f9e6ae79879986f754041

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
47d22949c460d378930aaf73609b99ab

SHA1
fceb749bfc38a990328bd3fed28c8da18603b883

SHA256
9b6ef93ee61641f547dccd33f82758c3b1f3c2c75f3b0eee5468f998526a3498

SHA512
aaa314fda6bc7ff80d1fb1e3051ee9dce3333f37dc74c06b56878373013d8e03273c7e59f489d0c0aadae8bd7c88521f1941b793afda96f406280f411e4a5b0c

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
12cdf5721ed8527193841950b78eb93a

SHA1
a97be2b65e9a71d24cab4eb4fb56009835d3ac2d

SHA256
ed3a742ffabf473f956ac50448458b553dc9a0fe6866f88a307930a8bace1e52

SHA512
e714c161165c46bcdf53ac88a94c73f0e557ba405fada2d9678f7bb03fbe4140ad7fdc772a7472cb7e76b0678832de632c92e55b9e6475199d6e424b1e0cf493

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
962b0a566204653a13149d9b70c5805f

SHA1
193f2d280a068e3b8cf057cd836309a0a01c4792

SHA256
59ff8261636969c8b17f6b785c3207d6cc337ab9a9ec079ff030079252b24af0

SHA512
1fdd2050c380bf1b8b89b3192f13691b75b3a94b8a6259eaa55a51eeb0e2c3ebf7a34e5598b617bc3b2e00c00fc405eb1bf46935457ae30ccaeb94a54b9f2509

Download Submit
memory/368-202-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/404-347-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/404-340-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/620-175-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/620-239-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/620-184-0x0000000000420000-0x0000000000480000-memory.dmp

Filesize
384KB

Download
memory/640-142-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/640-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/640-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/640-88-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/760-257-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/760-265-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/760-327-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/1552-639-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1552-282-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1552-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1552-227-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1552-638-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1848-197-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/1848-189-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1848-252-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/2032-300-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2032-309-0x0000000000BA0000-0x0000000000C00000-memory.dmp

Filesize
384KB

Download
memory/2032-614-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2088-432-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2088-353-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2764-106-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2764-112-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2764-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2764-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2764-115-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/2928-301-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2928-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2928-292-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2928-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3212-158-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3212-95-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3212-94-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3212-101-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3312-312-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3312-244-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3312-253-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3452-156-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3452-143-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3452-145-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/3452-150-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3452-153-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3636-187-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3636-126-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3636-120-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3936-297-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3936-241-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3936-231-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4052-200-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4052-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4052-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4052-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4056-271-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4056-338-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4056-278-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/4124-321-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4124-640-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4124-313-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4204-159-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4204-161-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4204-167-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4204-225-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4692-6-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/4692-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/4692-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4692-437-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4692-131-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/4692-7-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/4828-641-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4828-334-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4828-329-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4992-205-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4992-213-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4992-269-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download