f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
Size

625KB
MD5

2aa3bebcb3ac123225668fc5dd2f1b38
SHA1

d749732b9568b7aedbb50ac6f4dbb61ec86cad3c
SHA256

f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424
SHA512

3c5870e093dece4a94253d8f97d4755db97b817475dd1409d55d7210135530c2cc696d4d0e40a9ee09ece8a491c4d2c919324ada58e283ce75d552a01e4d7fbd
SSDEEP

12288:/2DFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:OD8NDFKYmKOF0zr31JwAlcR3QC0OXxcm

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3748	alg.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3664	fxssvc.exe
664	elevation_service.exe
1648	elevation_service.exe
3796	maintenanceservice.exe
5108	msdtc.exe
4744	OSE.EXE
3080	PerceptionSimulationService.exe
1704	perfhost.exe
2568	locator.exe
2736	SensorDataService.exe
2412	snmptrap.exe
4376	spectrum.exe
2108	ssh-agent.exe
3804	TieringEngineService.exe
5036	AgentService.exe
916	vds.exe
1696	vssvc.exe
3044	wbengine.exe
3156	WmiApSrv.exe
2424	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\System32\vds.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\locator.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\db42ae82ad45b396.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba7c98b5b69ada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc02e0b5b69ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000917933beb69ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c3edbb5b69ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d01ffb5b69ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe
3584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4892	f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
Token: SeAuditPrivilege	3664	fxssvc.exe
Token: SeRestorePrivilege	3804	TieringEngineService.exe
Token: SeManageVolumePrivilege	3804	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5036	AgentService.exe
Token: SeBackupPrivilege	1696	vssvc.exe
Token: SeRestorePrivilege	1696	vssvc.exe
Token: SeAuditPrivilege	1696	vssvc.exe
Token: SeBackupPrivilege	3044	wbengine.exe
Token: SeRestorePrivilege	3044	wbengine.exe
Token: SeSecurityPrivilege	3044	wbengine.exe
Token: 33	2424	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2424	SearchIndexer.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3748	alg.exe
Token: SeDebugPrivilege	3584	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3884	2424	SearchIndexer.exe	114
PID 2424 wrote to memory of 3884	2424	SearchIndexer.exe	114
PID 2424 wrote to memory of 1236	2424	SearchIndexer.exe	115
PID 2424 wrote to memory of 1236	2424	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe
"C:\Users\Admin\AppData\Local\Temp\f29225d58017300eb1832723cec066841ed441f5871936c5b681a5ab349cc424.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4852

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1648

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3796

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:5108

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1704

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2568

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2736

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4376

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3892

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3884
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
36b21a72251751dfab306c66587f4a7c

SHA1
e0adbc23cb54b9d7bf3047310b9437ab38705a1e

SHA256
516ff95e471fbb6ce8b3400e93207ddba41151cb65e6bf80d707d02a8bbae6bb

SHA512
eb7a8fff838edef12032546921a4191adf4110cf586fe6a86acaa67c0ba112d6df051de426c93a6630538d5ae7c9dc1099340a3b3f95eeeef937f3c6a6198f99

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
cb0a0f7ed93230a3418ab2d2255d5f11

SHA1
e8f4f178e3894eb62d3144a222e76f7f6d2dfc36

SHA256
cb7f9d3cc73cf38e31a38136ebdd1dfe36c38b50aa66d5d511331edb60b99c2c

SHA512
b6cd1692b82be2fc39ea4ad0bcaa393a8c99716e62192bded90de7d9eceb0d0a7a19352f5711d1f093d1e0b6e72f039ed14d595eb27d9855f34755815a4d1d86

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
d682fb791e3773b5621429562f50f1f7

SHA1
d6d1f448d30623ec63c787729c93f8a23fc40af1

SHA256
6587768f23817ff5d1dc3a85295f721be736093454c135580aa94088cdaa4bc5

SHA512
2824acd41a57901a3931451903e9c2dd83b63e80cb383c6cf1d8ccb44a95bc85adbaac9b19b947ec2a77ee0d11330061535e7311ceb319d74853d3a292273fd3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b0b27659e13058be8c37821d92941864

SHA1
ec45d55100320ed7a74b6120844819d2d99fc98f

SHA256
2e456697ac5850aec14554461d097688b7fae97e23dce8bd63dd2cfa6f6617e7

SHA512
9f6de9a9885aff60f833931354c43d6dd856d600a153de1298c580b1be342f58e862a6828964f3018e261d17c4242bff45995d26f1d2edc57c773b1f718dd582

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
93df955bcdb2d4b3c957bcd5c2b2dd0d

SHA1
a195cf1f010b77487456e5c2e9a7f5f5af47d3ed

SHA256
21107a22629b1a541fa44f23c3f40144532c2383ca8eeb8a640f8efd53e20743

SHA512
7f7d15c1566efe2ebf9f67387ee2a769d4bec12891e2cc6e252fb022d9da24fff25f49312f96699295c54ba45ae6515cdb3314d63b7f5ec4e39a2796c2387270

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
4392a705f779ea6b8b7a40e78d07234b

SHA1
0ca872ba9ac59dc0538a06625cd064da83ce0cbe

SHA256
965dea3d771f07910fed6caa7e4ce49192587b6ce7437eef344a0df0bcf4d3d2

SHA512
faab90d0a72971ec0c92d889b7b9acfdc116e58522629664ec7ed0b6d68e20f252086ac5978f459d34df417fe7e28729928fb55f19e57aeca7b994506922d2d2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
180cc7d28bb910493451b6d87b0a0956

SHA1
ddedfee85c50dc2d9b89b7d9a95d3783ff73ec9f

SHA256
4c124b5fbaf9c7f938a8216caed0acc796d0ec198b8327609ac99105e3b82aa1

SHA512
95f41ba9aa3f675360ca8685211abaa16dd80f2910cac9694fdb4a1920d2b2393ced995f3f0f8688af359e988c40b3c96fe395d1e2042595f20cee4d70459bee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
10bf02cc5f0f23255299995b4b01835d

SHA1
2de5e5dad4d433116f5ee0e47ffdf268a7b5175f

SHA256
49bdb37dd58a77293ee9135d16c6d5081d5a4a6b73953176f9e43bbbfa8a79e5

SHA512
8c7e1427d3152b4fafcc13622b7b8afd951f8684d6ab8846345099ba678f7c2329bf4c8576bb61223d254f5001713b6ab647f2e72d5709f0529af19db728001b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
ac05bda04455ae94dd2e4f1ab1bd6fb3

SHA1
252f910b3e37b0c050f3f707fd8bb7990ca1e238

SHA256
79f2431890cc753ae9389ebd25e324c70ec864719104d76a56dccd8980c694b9

SHA512
608d25ad9b06982d1866d6621036b61a3071e22888a3c5bd8f287f4aebd9ede591e7f704a44e0776b0ca39a1c6b6ae1f04c6614ab52a2ef1d81c76d53256b7bf

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
df6fa77fa56e21fcc59a94b49724a48d

SHA1
e804e757a9435947e54f222b5c2050ad099d4f8a

SHA256
9bf1d31858d9b26f6898e96bcba852027885d20f3aa3f6b6b0bb4688572940bc

SHA512
7242adfa5c99cd70a088d049c6192fd6da1a63753e245300fd0225d3d6ba9b1e0ef3c7afeaea833b5dfd94c4dcbff12e421bd99266ccea77973c8d7e5cb62128

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e51a14a3fd632004d29003d5907fad9a

SHA1
2cac843ac10d929828c51517ae2d9a3b244230c2

SHA256
a25fc90c40a9f0a123efeb0c79d97a6acfde6bcec692ada95a33b1ffab5156d8

SHA512
52dc83440747df9ddcf4e2c33b47ac59449370541aae20deabb45b2dd493e0e5f471f6c47c262bf6d6b057e65bbb0b2010713bdd9b4dfa1a185199ae9f38bbb9

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
210b2c5cd426b290e85a008c96c9f0e4

SHA1
742f0fe9463d37761908be25e9b1404a4a2035d9

SHA256
e716b05aa9bac3154b3d7e1cfb1acf592a95f594c292966b739fdbb8012c82e6

SHA512
a01cdebf8475d3030e8dfb3bd1989501c2633fb773f17ce68ad02c21298f15b42f2298d394bc82e46c0bc55633944908fbc7125721654b0c3e42f12ebfd3232b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1ac014d9a1376cb17ed3a0d4b74d4e4f

SHA1
577a679e464b8e018c075930130970223afefdc2

SHA256
faba2ef2ec0e888511094dbea3b484130af74e1ae5b42ada7ae8741b3a3f85bc

SHA512
630ba940c2682fd70edb7dc1dfbea1ad60e2da9613b033d7dae78695677e8c3c13751adc5f1fec3559041ae420c4851e82f7700218eb16c014ceecf2c98d0a1a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
ee107bc891df37384b119fb69c64f8c8

SHA1
11b543765bf64e7828908c0c00774d980b8c4f3e

SHA256
4b0c3747b7fff0e22adebd0e9f7c477d6ac2b6246608bb122ed5f11d922b94e2

SHA512
40348f08398a3248c2ffe7df3c2a35899a9fef7a7845aad0a7158d0b7110d7e7eb86cc53d380efd937e135c48ffbca910fe5bc09dc23a0b611c0de61e39f4d0d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
72580a85369fd1a94b5a5102881059a9

SHA1
0d9ae2ce24ff18a4b9a1adcd5d0593c96bbf0b08

SHA256
b32c46b8f1c52c2371c46224bc03e30998fd2d3e5e2de064756c38cc82be8892

SHA512
20ca78eab0d68d61fab2f6adbebaa7a8b109cc8407cb30583ad4939837ca7b1644bb6d464d8521b4d6f79da31fc4f3ac33d27614b04deaa62a09d176dba77cf6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
057e5803c5c7569c4a9374690b09d3ae

SHA1
a39c42db0557cc475c7a8455a75865cd8677c3f3

SHA256
944ab8c4f84caa24dcbfe5f851f0717c2d81fb88595f64cf145ab06a4352d310

SHA512
102ba937ebb7f2c7517247424d5acce8dccdcb237f9a87221572b73fda63450788d02eb08959cef3bcb5b1836916904de3abd0fc95ac4c2a60b47296a6c09d82

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b75b5df61f66796affcde64502517b3d

SHA1
1d4f6a1f88b1b813eb478f55962c5284c4cd3367

SHA256
00da316357b217ec0c1f0516360e2c1d786e83d56ea1ac05ed42237ebca23758

SHA512
d1657e6a7df36d42e62db0680fc897a68c0631e7c285c85f5ee8ad35b86fa5ebdb2d39a615de1617694f2115f7715944a0897d74c03597f2662ed3a8330d0f11

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
8efee3737e09a0a2c449bf5ae5b4b4a8

SHA1
cd592a50137df245638fe683502ee9f19ff5dbc5

SHA256
9a4d95565059ee98547978fb1d7781b26419eb2ebe667ba81ae0bbe3f1b665e6

SHA512
88b44620184fbfc07999bea226b30260306c9d8191123f612c8ff8f32cf2a4d1d78d52b56e5bc2f3ed64d57a34a5c5ef01f21fd75d4cf2ed993eba4c7721c92f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
733a1e4bcf49a46d1278a2da8bbe1ed9

SHA1
2703aeeaf286353f397659bb9337a9a1589e127e

SHA256
e6a2afe1c581700763a3950c71272ccb788ef3eee0acf75bf78821ee0d31b643

SHA512
cdfe422b27410296b911e8d83825ca810e2060a1f3a61a0c641486ae7d2084a0a44ef8412a4d88bc2f46b0c75aa426b63fa53806ce17d8ad0b2b1b7ab104c20f

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4960ea8fc6984b4a7beffaa68346547c

SHA1
80922dbd4d1d771234357bfd92c41a3f527fc904

SHA256
16cf654d5f6bfc3234cf83a904bcd7cdaa10ce9c8767a3de8678fcdfc27ccfdf

SHA512
44256ee79dbd6609b1835b83d5fe081806690227704fa40a7665fb0d0ef295b3db106edf0b28579b33cfb10d462d0dd44b0271557919efd01c74c7ec9c9a647c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
074d25a971d828df4b68a9a17406385f

SHA1
b3597c9dfb2ba48faaaa5c0fc3ec082c2ac8fc77

SHA256
8f2353bca1226e5819471d245af54489441bef2244ef234d1d326812cc3500da

SHA512
5a714b82614840e806f288630839c77fd503cc88bce7959ff18b8e881de17c4c7a768100cafa94a721522082c0b83df4d8b1091440411547b667ff8ff304d1c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
cacc9edb9f15cb05d8431efe3c07b62f

SHA1
65391da87dee8f22630ba6d9b32e9f79f9c5a764

SHA256
ac671be2e03ba5bf8bf6c2b1a0a11f392e6f46b5e0a30b00f04d8cf3b0a07003

SHA512
96b3aae044438d6fd851cb3e04f494703364b7ade8b747f223cdd75b9f2c7944c71c2f928454744d939a73305be27c55c89d51a66d3dce9e9dcdfe19dbe82537

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
f10dfb74657154b4047ed6b1adc669be

SHA1
9591eea6b61c1f1f81504a2ceda6c4c8f5ac0d41

SHA256
a503be286e9bc06ad28ea66abd85a1ceb52880ef7ec213c737441d9e83d8d41d

SHA512
cc8677ba7d41a1fd157d0347a0097eeaeeccbcd3b455041118d4bca684172ab433b3f30ac30f57a8928a1c9863fc186e9e3801bff6a66566748ef80fbe362829

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
695435eb09f7115592b794864f130722

SHA1
e163e15639202e4251eef90f3e6b187f6f3d2a42

SHA256
85d2c1424a74ae54094d4666f7f4e2a4f711b1b7852fadc67c1bd0697007b914

SHA512
e0c22be7f8d64c5d38f5cba2528acde49c55d308f3d565403d61b7ddfd1529c5e284f09e09b2662def32498adf1a237aa3508876f19195670926ee53603a190b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
e46c491df914437c430d74d687eb5ae5

SHA1
e715624c2237e2ffb70321467811efd56d1350b3

SHA256
6bc6b03d9e428a0c16bf39160456ac9d73595c0ef2893b69c3761d3bdfe9e4c5

SHA512
7cadf54c25e03616ca737568811301486e51eb69f7c43c53c35c2be516caf4e35bdb5c91b4ff32160ca6b43718656f99b1ccdbef050e793d114d8d70d67eb3b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
cd1d0618242a2054ece259ba66e887e7

SHA1
102d6f206de262857e8efd4eb413ed06795636fd

SHA256
e451cf6a1c71b4cb006a6071a9f25913db1ccfcb9c6e972fb753bfa278cfaf59

SHA512
9bd063f003eba38a89776b072804ef50a69baeb4895cee82bd4ba90d48659f3072905b2e13f263ce1f9770f0ef7ab149a3860ecb943733391680d4465fcd1c80

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6ad78834fbeec8c9bc85297c721983ca

SHA1
ab8d239bfcca5f387dca3a10342ab90f9eb55c76

SHA256
c3e31c1e65170af4af188dc5ad667e25919fea65b9f594631f7ee1a196a90425

SHA512
35383e487b4668586bcffb8236d86db8dd63001588e4f8cc2def365785641179c3d16b6c9bda4a8dac9beb04e5ef83cd35426c14eb775abce405d0a879027905

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5d0a56132d423421c656327447f138af

SHA1
3e6274c184ca8b32c2d3d7092106204fdb9f0575

SHA256
fb8d6a54ab1ffae69dc3670f7585ed52409bec9974bbce16310a0549bba9effd

SHA512
a40a3ff7ce59d5aebe8df60c53e45ee7a1f21a796c5ad6f9bfb35f5fa776311e23af3e422f780a9dfd597f1a7b604b7f41776e27a031e82f194f865d410df18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1cc6a5be2d343132abfa76fbc996e80c

SHA1
fb174f7d6a0d957bdcbeac6617eaacdc06a7ec87

SHA256
712fb994a578f04cf75f260168553f4ba645c0a48846041c0450011c97e00d96

SHA512
c954a15e96d5dc815ea198c8290be76bbb57d96cace3813d38cadb7fe2e2c2f347cd77533b94fc8ad43f71046f807349d42f673f800b0b9d79e8021b20c0890f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
9260ddf687dd97e4476951c25f70aab6

SHA1
07bd70e28ec5fa928cad8749a8af9106ef5446a0

SHA256
42dc8d2fb618589a2354ec62383191a651f9d915a6d7b1168fc86165cb15cf2e

SHA512
54c44956aada7579024514ea0496501d234e8cca31a29e540adae91fe9058e425aca345f2738952e22030b12249be2e5ecf1bbd80cdc90f89d2e935fce719ad3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
38b9ad429f4cb3772377f38e8b8c223f

SHA1
159e93f9e0c9363eec8cef8ddab6f2bc199fc33f

SHA256
093435cbf91d51b10e7279a9f65a395ce26af3f624cb7f9ad2511d17e140c681

SHA512
763e04e93ca324f7c7eeac986891faa0c110908ca678900fed8a725698c9b114e0879d68c204776b5bcb31a2c434d1374d81199fdac09d828d59dd1fabb797be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
ee30ef35b9093a84ff2be7be2ceee0b3

SHA1
638852dde1eac9f6ac3eed0e6a237a69af3b7cca

SHA256
85e46bd148a2f424d6b0b2fab6b721a174c2f594d6841d19b2ce76eeca7c01b9

SHA512
2763589fa42e3eb40b9cf3ca939567eea05aa58cb05fd4cd7746d4841f311eea707bc6e4472ad1b029d3ffc7410307884141678018845ecfaf88f792fc817a7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
ef0bf258a7d74c7587a2ec42c2a8fab1

SHA1
75eb30ed4c21bec8bc46ab58a972385d86c75fda

SHA256
83dfd234fc03c30cfa0c302c7b9ef826681647be26e4063bfefe8fce6c74430a

SHA512
3141d48d55e75c7d36b1ff4751c5b595c5aaa52c7e42637a51f4b1f2d9e8628c383bc3c0113c9a8529da491c8b88838981a68abc868bec82d6e2a8e717c8a4aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
4758221f5058098c340b342e950636a6

SHA1
ca32846589cb616d80c59a46f0c0bf88eae5a139

SHA256
ebe87c2992339737f723946b658015d0d07402d8ced85391b9cfff4dee9d9a20

SHA512
0df845b45df8b5ef6a793500b7676c84813c9f4d8841c44c49038bb45d5fd36667665187f5f28aac4d1da91115ae9035b4e840c4972e02606d41f317fe9fd87a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
9eab53a65102b2ab84208564093a9d65

SHA1
61f794a221384908a21c41521080af713b0011c0

SHA256
998a78524f34f78cf62d1da88f92d8c4e6e939894f1c8850d954d36c955c6f79

SHA512
61e55433d05eb8a9590a4d0bef2871b3b8b2939aaf893858e59e078e579c244f38da29c75f729cc46a55dd720f542d99a72d584fe548a04c8573592788d44866

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
976765b180dd2a0172e8c0a13a80daa2

SHA1
1fc68599077813ee3a9277f28be982928c8c0359

SHA256
6261db692903cb3e9d08bac4fe37c1c10762a43979c836c287e00e6d09d85288

SHA512
b6e115b4981faa4711b32e9807367695f89d1d58d5b2b8a827b6c972981120e45b757a62017e2ddf5f5b53a242985b50f2f5fe59221e0a65ed25cd888c064668

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
adbdaedbc73f2d7c39a74b1865e531ba

SHA1
569147bed9b16df1e1f5093d3d061528101b3045

SHA256
8932e50094a221416243afc6337acba98e1c9dfd0fb3643c4c45c3b62edf2970

SHA512
4865f0a66a929b561e28c2ff8dc6176094df7a56b707b0bf21d4256977aa30c3ddeff7e576b0548e4c2bad857d5c013c18b4f85bf7004ac33cd2e81658941f51

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9ad63a4bb94f386ccb40d1f66f643d82

SHA1
f0428beb2836de90856f541ec35c7dcad68d46a5

SHA256
3e9419fb1b31d1aa1250ded2eb35a7304bdd477965bac540fce92f768a483f60

SHA512
edb71ca5b6fce7441566a094862115650570f4f1158206aaab83c8927f41b366c21895968e2f152b337df653fc330c49f9e7da2cc4d36ed020054cc83a4289b0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
902327e5ccaa1d53966e05e48b489aaa

SHA1
1c6efb93e1bebf81eedd744f95f24b460493be36

SHA256
6ddedcac628a4f8b5f1579cf7101ea3eb334e53e5f8d0441edce52fb2e8ae87f

SHA512
394e1ba6704ddf4ae842a494af9bca92c45a743b2b5ab6a2672c59d8fe27c4f157f7f0107c7f6e0b6577d758822fee18fa4b9274bd40c04df1394fa4740bb4f3

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
53c10b7e40824213647577804b94ee95

SHA1
bbe3d17b999c9da7a63f58bb7cf7d651443d0dbd

SHA256
29a2c2800d3c47567c74a7cf27367a703a912dd6cdf357004fc470bfd09edc9c

SHA512
737329f4d2ad5e90a16b3dbe9c231f32f11a1341a5462142adbaaca126eed775ef1981794122429c2c09a7ac6fbbcf83af28d1f0bbd8a94d13ad15d2f57283a5

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8b6f8ac4a78d9ff0d78f7bad96fcf7ee

SHA1
65792e3cfa6ca0fcffb2af4f75d63dc9fa060f43

SHA256
638abfbdab313d53862a9427740a6987d30e6dddf320b2b29f8683dda1dea32b

SHA512
d94301221af6d3e231113e9f5ad288392621500c3822be069a93d0484f0edcf6215989f183ab02862a8c6b921b022347a3af079de15bba24bd882a3f2459253a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
0d241a7477b542119cb399206790cede

SHA1
4415697f4785fbebdd78161f80ba23642d7f2984

SHA256
0e84491ca33425cddc8d44f9d5916721e619f85170a51a9018ab9d5bfde9031c

SHA512
e71fe836e5010f24abba13d18c51c19dfbf552c4d34c3370fa064f919478a1f1c160adb47e69f6a721312373256dc590fa1b6eb66ac5fc25aae98ba3894aa25e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b7d96980c5bc8f911b6609581778975a

SHA1
4f417fe5181279291c8a6d97e8b2e099b1607b72

SHA256
58be8cbebc43a39bfb348201562c686caac8242dcffcd19a4cd5efee8c0f221e

SHA512
2b69fa690fb4b14da65652be39a1aba3cff85052f369884b512c8e188422c26869c6644d1243663ea11dbd1ea482103714e64fb882626c95dd4cff70a7c18e5c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a24e0546638aec20d6201704bc3ede7a

SHA1
c7d9ef75ebbd6ddeb4d70c9e8ed29970c9a8fe28

SHA256
1056897b0fae693163d589d0b0f1ba4f8414572b8f24b685e229acfc7c5a0b9a

SHA512
eda79cc418735de3593fff95b803abc880ac46370fda9688401da865fb44cac2024ba98ac170f0f0fa9251bf8ea99fd926d9cb05e04decadbe10883d27f62e38

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
695fd5d0ff2d4d6f42c07cfed53713ae

SHA1
294290903f98c2c3a853adf467e4f2b7153974e1

SHA256
24b234bc33dd7cd5444ae7824f2fe90221b256142f943ada18907a18b843a803

SHA512
a2391df83e24af0e08fdf52ab542082f8489b01618d7bfac23aedc97358e246dac7fa80ee4ab78991317a26480681ffebf7fc77d5fdbff9981419d68e540ca01

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
52630f55e1350496ed1bec656fe28390

SHA1
56f0f66e5633066c8149e19b37a88d020b289559

SHA256
e67af13f311ccc61a3735ec6cad6dd2c09d2d5b79957c57395dabd63fbaefcfe

SHA512
1f426a90a3bb762d1b4493663ee62bc937a753fe92f9741604c9ce45e653e8b50ba3439e2a58d443f9706e702bd70e7652b69d6e6e2ef0670a71f468f9a73020

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f27fe8c50431a31e0ce712852dbf4924

SHA1
90ca90ce2feaa07b4301e92c8da3f267562dbedc

SHA256
ea9dfb96a27f4b93f15413abbf45a6106ffb44a58ffb7f418cabfdc3fd8223dc

SHA512
94a5411d001336e8e1e20fd997a153866ee254a72cac9f5b62d059489ea10d22c421f1c2c12f0b68307e8623cb705225f59d346c287820f502070a9f45de4877

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3734de3eca23abe46d170aeda987ab9a

SHA1
e46553f92516076fb68b0ec661e926ea3a2ea91e

SHA256
76a1d686f3cec7e97a43260682f974f40845a7080dd4dab0dfc9b3dfb25196cf

SHA512
0871a14e1cb8412f1ec1c47d1cbc7c3cae97283e335e23bfc9e2acb11cc2ee4a15a08f852cf2df5631df0718eb7ceb72198c47285e4d4c9855ac64a50137676b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b8ada8e0150354cdf993c5716f30495a

SHA1
a53a0c44960017509d1d6686a38172c3d59c9827

SHA256
14cec365449c58d22db6dbbb8f301d6761d26ffa2e010ae3f5f16378b38553a4

SHA512
952bf4290410667e92dc2fd84ea249db1ecdadd5bb9c41c29cf3d4bdba2722e36eb543c807830cd60c8ce8e388073c6bb20cd18b9e0459dc65d11b1608eff9ea

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2bd5b76c341bd022b65eb6110ec77114

SHA1
0ec1ffdd22729a6e8d084b26787ade7a88d7a5e1

SHA256
699d8454da0a7190b192eeb0864ab5563dbb6ca6bdc314c3f6dba1865335c949

SHA512
2163e8a64816eea0384d8cf092afe95188ac3c5851d582732cd2a6fcc454f9fd2fdcdada10836bdc11e20d30d1e01da4f0b8920af5a1578c9034c44f5f10492d

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e3fa6bb1e0bdf4d6833f124a0827b81a

SHA1
e0cdce2ca56e0841c4591225b24a68a43c76e7ec

SHA256
335cb2793287aa3e073149b3f9cfc8252fd67f41e493785fec832da943a1cffd

SHA512
0791f1e8cfd06961f0738683bf2224cd5db05e431c1ba736b18ba5a07d56d7f54f0f373aab6c1434a89123e974a0068f83fe36c057213db13b7dc2982bc45d52

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
d0ebe40de4fc66ef77efecd004f59e49

SHA1
0d7bf5271e6e422186ee1bf4353fc4fa155847c1

SHA256
c75d89a6777116e654a7127e5caf3edc88fb74617450b0f285509a60f239546a

SHA512
8b5d84e8ab156fa229afe9ff4bf47102ffed262f3a4c4d5d744149d701ed94892194ef40e044f5906748c9bf7fe50927978f705e4e317e75d8608e16562c2768

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
ac866d0eefcf68ea1f2a0ad80b100c78

SHA1
2564c30f35773c1d0eb460d4fedc0c667b4b4d82

SHA256
fd525958ae2894081c2f5b68e9b9a1d60cf87b8f3dc1b59dde123eccefb61c5d

SHA512
7698cf321f9b11194b866b10131f7e302b56bcb878be4818f56edf8b2ef5db34e84dc6b08867b39cdd4f92da1236909d7bb9ef51ebc6a7ee4a88e9262f07bd93

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1052f7d32830a75289a8c81cb27b184e

SHA1
0cf93e7dfe72532c5fcf2146220511e47b347116

SHA256
1ccad20cb15ead6ce37a2f71286fa5c2e9d5a4a4fe9091429d89fd42d721ff44

SHA512
5177b48b0d0e783218dfb8937f075aea0a8478bc496d038b0085120f3dcf224bfc235862ea3101c406d91ef2c64c014e8f2f4bb9ab0037d969c66a0a1c944e9e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
f84ff3f32810dfdaca7e82e2a03d8756

SHA1
a07e602cada88c774164a88181805de7311f322d

SHA256
ee1e84c2f7cc79477fcf93e9bd547e678431bf5369b721e068d4c6ecfa96e94c

SHA512
7f63be1e0e391c3cc1d34e57818827672947025bfab9c8eef0305b9df3875edab9dc819870a6946e7f19cf15e9db4609ee6a823f828f59d4292437d9e6186bd5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
50343a722216b38317e8b74e1ba2ed4e

SHA1
1abd6bcd51b47c1cac459d8e82976e8b158c01f7

SHA256
084870338b66d02a8180b1dbe4ae7610141e9951e221e4ce1e102b1a6caad98f

SHA512
287b7d7dde4e34f9fa1ca08c8d487628a5d25e8eb4655f9f735309c9c987bc436c8a2b6e340b89429fc7b47366e5fbaafdff23d080862a917995c290b765ed5b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
bb86100ceb084dfa2712c958975fa2fa

SHA1
ca9709bea8140ff8e064e422c0b57831b1b39370

SHA256
7090a9bd5c15d352a1f0b7e6e2991f6029c1cba5503b23d0d564683f77309400

SHA512
e91aae9c502c07bccd95d6554fd129a8757edf8e676c3ad8b72562fcbc0a7886f182ed3352e164a0c5b9246319531e63d211fa6cf8d1efe67b11814523d43701

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b2a91985a7cc239129ce0ec09c7efada

SHA1
47a5a262ebfeea50ec59bf413c92cee07f9deea2

SHA256
5ede27d8a0d17feceeabab5460f8a836dfbe1d135e56c5c01284b7bcee41341c

SHA512
9763f553e1bbeb6e3f52168b7859c8e2a97f769db999ea0257cc68399dd15e8578e91e42b5573df83da417e96cc085f422e7b4b0b3fd197165a7c019db9b476d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ab03a6b9ca7bf3eca9e46b74e0f24288

SHA1
512399b116675663522d7fa286f4740ecfd33042

SHA256
f0a934475da94445c7cf5dda6476ac0f4fc3cc79f82f41bec201987c3d0f5275

SHA512
a6172203a1092e14f1315f628fc418a62ccaf076fe8e71cac374934f585872b7b185c9311ae655f225bdc909acd14588c8648e58e47df2c3e9dab8ae71d2555a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2941df75e6c46e257b7f9ee3064189ac

SHA1
4d16bcd3f2cfd897c4f80ab8d2ce3e4f4bab8258

SHA256
6fdd623b9299db4b5a7e709ac7339d4641508c1d539b1dd366d6b3f6a19a7419

SHA512
70dee4ab0562b4bb39613c3cb8f9bb9f0b4360a95be71d5d4d5c8568918fd2ff76fa0767b38b29a422aeee2c2d93bee3e50772e800d32ca74236a5d69500c85b

Download Submit
memory/664-51-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/664-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/664-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/664-444-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/916-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/916-597-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1648-445-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1648-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1648-81-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1648-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1696-231-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1696-646-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1704-197-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2108-202-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2412-200-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2424-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2424-652-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2568-198-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2736-199-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2736-546-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3044-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3044-650-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3080-196-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3156-254-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3156-651-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3584-32-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3584-31-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3584-242-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3584-34-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3584-25-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3664-53-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-37-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3664-42-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3664-49-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3664-46-0x0000000000930000-0x0000000000990000-memory.dmp

Filesize
384KB

Download
memory/3748-20-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3748-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3748-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3748-213-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3796-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3796-79-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3796-73-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3796-85-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/3796-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3804-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3804-564-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4376-563-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4376-201-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4744-195-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4892-1-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/4892-451-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4892-6-0x0000000000A40000-0x0000000000AA7000-memory.dmp

Filesize
412KB

Download
memory/4892-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/4892-193-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/5036-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5036-217-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5108-194-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/5108-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download