e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64

Analysis

max time kernel
140s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
Size

625KB
MD5

3a117afaa986095627bfe670d3916292
SHA1

e1c23250b2d2cfd961ba6c64f19dcaa2a3d6205e
SHA256

e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64
SHA512

a1f6748c58d7d4c8e89a74688d8ea286c1301dd060948e5337ed5bf6548977245a2ebcfe717827514bb397509f16b035767f58fcb76f346faa81a8d35f5e58a6
SSDEEP

12288:gBmJKQ1uBeAMlwesHU8wqy2VYCIbvpOBlU1RlgIDMCZgjtGlxHZ9/I:Sj1SwPHU8X31PfU17DhZy0lxHZ9/I

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4652	alg.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
3812	fxssvc.exe
4840	elevation_service.exe
4172	elevation_service.exe
4760	maintenanceservice.exe
4852	msdtc.exe
2500	OSE.EXE
844	PerceptionSimulationService.exe
4540	perfhost.exe
3652	locator.exe
3632	SensorDataService.exe
4968	snmptrap.exe
224	spectrum.exe
3836	ssh-agent.exe
2976	TieringEngineService.exe
2248	AgentService.exe
4560	vds.exe
2404	vssvc.exe
4808	wbengine.exe
4768	WmiApSrv.exe
2912	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\System32\vds.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\280464fa92be0f3e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\CloseAssert.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_91015\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c60d065b24a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001c350d5b24a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6dbf65b24a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e79f45b24a0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d6dbf65b24a0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
1948	DiagnosticsHub.StandardCollector.Service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe
4840	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1608	e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
Token: SeAuditPrivilege	3812	fxssvc.exe
Token: SeRestorePrivilege	2976	TieringEngineService.exe
Token: SeManageVolumePrivilege	2976	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2248	AgentService.exe
Token: SeBackupPrivilege	2404	vssvc.exe
Token: SeRestorePrivilege	2404	vssvc.exe
Token: SeAuditPrivilege	2404	vssvc.exe
Token: SeBackupPrivilege	4808	wbengine.exe
Token: SeRestorePrivilege	4808	wbengine.exe
Token: SeSecurityPrivilege	4808	wbengine.exe
Token: 33	2912	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2912	SearchIndexer.exe
Token: SeDebugPrivilege	1948	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	4840	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 3288	2912	SearchIndexer.exe	113
PID 2912 wrote to memory of 3288	2912	SearchIndexer.exe	113
PID 2912 wrote to memory of 3568	2912	SearchIndexer.exe	114
PID 2912 wrote to memory of 3568	2912	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe
"C:\Users\Admin\AppData\Local\Temp\e2cc91afa4485d9636b22355c80929c609d9eabe9ca9e079b20d66c10aad5e64.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1608

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2000

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3812

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4172

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4760

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4852

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3652

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3300

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3836

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4808

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3288
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
954af48ef19b673fcd88603d7641b6c3

SHA1
f93383a411a75a4647dee5660f4ca81e747e591f

SHA256
937d332ce72f3715a51e85a65814edda6cf5c2007db4066f30a54b6574fd1f04

SHA512
38e318b774c36b04b9c060b54c61f73369e76aa9232bb089fac9c5ff94656cf345fdd6d5e785cd9c1ad81669c9a3a01d14d3c427243c9e15cb5c3f5086b62b08

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
11d46acfc39c2d7146ee62b06de0460f

SHA1
aa7fe597678a259968aeba67d10cc1bb863fac8c

SHA256
22b494f002225fd69851ca746dca18fddb2bddde5802c8b38114ff7e00e58f46

SHA512
e0b643d365930aac144a7d083be2a432538b62017e71141915d8670035f655ff4acd95879343495745d8befa0428eb1314ac2d652d051340072925e5627b3847

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
451ca1e53ed83700e720a1e4fc5e43cd

SHA1
7a537ecd54c75a853c4de7471f46655abba26d47

SHA256
6c00b9d46f3b5c3173ffda69b4968d96cccd9bfb529380202d636fdb364033e0

SHA512
c6c709443bc875f651f345f2b9629fe168c8cf170cd068bf3dd5d0588b3f96b967a0d177fd2fe72e4428e71e6131f26d34e361841a92fb10a069a22c254eb74f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b484737c25e003b2a6742d82ab85a0af

SHA1
da01a6cc616ded182bb8f0aa1e406e5916f73f09

SHA256
0549cc95a88c52c832155c7416564306ccb932566bbceb1c1fc60c146cf050e0

SHA512
f1bd3761f47605b95f9f4a10fdfb262c2dbec3c36c1f8b97260dbb97f5a45ceb2661cddda205259c9037e86fa299bc93949a090e611303814018f938c1041fb4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
44f31293e1ffec0859295858720436e5

SHA1
09347c8ca241800c533287f1ee1d836b6ef87bfb

SHA256
1c0ffbea08542eaf148a720a7115a0796eb55223db2def32c6ed0113fa05dea2

SHA512
5cc04558a2d4a6f9bb5542bb99b03f19b8ff4ed5e0c334929b55cd461d0c6e835b0c97295c68ce35279888af863a51897909147583fa0d157681e9cbc9848b22

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
3262b09b0c7216381f78b2bf78f8d713

SHA1
392703049379ca5dcb6b68b267326390c0359746

SHA256
456974d6866eb7269313284769a1dc9b50a1c55b4742ca683ff93679448307a7

SHA512
0464099cb4b664f439a471dda251cc4b07f49f30f1cd17a6ea96570637d63aeb62a30123485af7d685cbc888f8a94ed4e8d2bf00907e9543c3199faf4efbea1f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
7f936ab89b3700e1a4218d92afa74875

SHA1
5011fdc32241ec06b885766ab3d670f3f3470482

SHA256
08564035da1dd0865c11dc151f220a81fb0cbd4d15bce0adb8db9afd8bb8c272

SHA512
8c4a4a074ffec8833cdc55fbb718f365c5e549b04632fb4484882420083f737f04cfc4259dcd54128ae9c7fa99c1bcb2f458f83dcb2251634a3fefa76a38d936

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
78ef5d8792059396aab1c7c28b3fa781

SHA1
3f0e3a882e35c098b9a6ca88479c1588fe05187f

SHA256
f08e97170c043125607c0e2c5351f13c43299ecd543e0b244af5eeba9a63c230

SHA512
efb119f0e904c0647b20b2bd1e2622d967473e6b8084a1d001aa12640b3a7824073171d650845dc9af3f840561de9dd1abe322988db9e37e43a1d95c6f995595

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
f61a8dde718469d1455c94f282ff271e

SHA1
a46e92b9107f06b9458687aa746b2eba2b5f0786

SHA256
3f3d0a031ca5fd0dc5b1d43dea2e8c8d390264f3412c39fe61a65d9483cf0ed4

SHA512
4558c5e80c5b69543c84012c6227909a2a2473a6d662b24825b3f592a63dfd5f5b6474c9fd928fd1b64218f772cf734bef2e1988977fb9d49994566c84f86482

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
04a911c76fd63db0dc6262ea93e994d0

SHA1
8ecd573114003450a100caa600e7be73441f4675

SHA256
2365341b72f0dcd59fbcec433c26b4c6bae85ffba16a3af40b64582066960d48

SHA512
c49c579649e6f5cabc8c64eb624299eba2393b7334666e356d91ea2e4af77f73ae0ddea80891d6b283a4662deaf5a4a558fd47894c460bbd98c498457436daf8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cdb75c2c14c4f6a77c27d89f6d481648

SHA1
6dd88861d5ec4642cf8c952b43252ae763b11aa3

SHA256
43c739d5bb7da4bfdb28dd6a917901cae653d58bb3e4240093db0950b5922c4e

SHA512
9db7917349a6c5db0da8874eec6ec407835889a47bac4dd09f01cc5ce9ef64df0bb83fc79e3a44e52716fa997922e068e736de404e3f0ca5534e21f3d6ee8d15

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
0fed6b79c001ed9800eeb19d26768191

SHA1
acf96c8408676124e16d46397e940e43952f38bd

SHA256
3ce3e0d3b3c37f27060600fee22954758eba13cd0ccd8ad7807c176af7576ff4

SHA512
146241ff5bdbb23708182dc6b826d6da51581844f00efb2903ec1966ffaaaa007743820b3a78bb63e0b6bf4fd492545c9730c934eaa742c62a150652f6c89d4d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
6c2d6c11cc9de524285859c6bf44f524

SHA1
36400f97a364009c5d11ffec9d59490e6688efd8

SHA256
13e5c5d5aa8753f033650c9d0aefc7715266d1f5e9231064919c955b10e23d3a

SHA512
ece7787a2aab8186b86d94d9ead57b45f0a177a752f680d6b9262dc43deb2897c24e6c70b904e1894b6c7cea4f37f57c36048a2bf76ca6ae8715550f59ce349c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
5710ee9548a9fcae2a3272da5abe72aa

SHA1
52268cb9898b5081be50a72d946d218ca19603a6

SHA256
37551d5ebdf7ccc5d845e8dd32daa1e86bbc05af37c165499d88df7548827173

SHA512
f1a49a50424eadfe6498fa9e956251e1740d228ea3b09925ea91c20dd24d2875201e4dac7eb1279ecd48e4548b0595c75add77f00effe1e79916b95fc5819f43

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ac07be431bbd8804a91741ec22680fe9

SHA1
10009d462f01e2b41db5151e46752aa5108dfd8c

SHA256
0e19159e7b2533f58d196ed427a6bb1700671b9d9e5de3aa4590c8ea3fd23164

SHA512
ef3cec366167b8a6008f0c8609fee5635ee3304d616a5c3cd5fa1485481714a75e459d22f10a8cf100e4d66143ae417c0e6b012e490c6ada8cd9ecd8d3db4306

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
e4eb3371469905869a7b518592d909ae

SHA1
2ff6a4b8ef061faeeec130468eb0e02671e9befc

SHA256
d41af465191c44282f8ccb8693f75579c0fc792a16e132be0e3df4a56cdfea4f

SHA512
b7255291576e28e9353ec9add252dd3a787e893b06873ede0e3129856b3a0d2dea43a33e2fea886d1674d1482f2c093fc75f5c8933627c4c55f9f2193fde6e5e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e5bee98154c81f131005ce3ae44245af

SHA1
25193c8150fedd067c985c422e50ff197dba4eb7

SHA256
fd36b4ea1ac5959a02a14ad5276a23bd0933b93e5d4d09ca921a931af84a6973

SHA512
4a1d27a9ca45d51cfdb75c3e9a6ea2d5d03b5129d96044b3c6a4bff87ac91a6c6e975bab25009e25839299d6da4e247fc9adb1af5befd8ed93e65ba4b37bde46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
4e4c29c7d089d00b5009baa494cefd2e

SHA1
92d212857b38a5bd8bbe1454c221b8576df6e240

SHA256
950c21659cb1594462a51abc984961857ffbab6784bb36a403929309a0be1158

SHA512
faf9ac2fbb8d1dd389b76939c87e63a226cfb03b25726b47086d3ff786fb34c0535e593b5ca0833559ad5f0f1bae39a8bf21efeac7a6905940b96c351603cbf3

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8305dca5a23f575e50d68e60a85be3e0

SHA1
b3e3ed73d14a3597a0c4a0ef5e35de049a5f3bfe

SHA256
d86168349d9978e962b19538f46bbfb74e1f202c370c137c7d64ca5a5b60972e

SHA512
946a1a17aca27bbaadf338903ff370c32b6ce5b188a4c290d17281364b1c2de74b6d7e1061c58a2ced6fbd70a8824916ee316faae6116de763d3fb8b5afbc70c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
eaaddf00d559515bd46c1cf175e2db23

SHA1
5c80a34aa007824084c90d851d1a89a86182d418

SHA256
9b0d1ca16d69a90d0df520cbc4c1b82b45a9892c5f7a369d361dc38109145d84

SHA512
1940ece06261d7d34010e27c52072b87f4436bde9c0829d12acbaf20144e2bf91704bbf574e88585ab5c90424b1445f39c7f8318d3c5ad3b802e2c5b18d1e60d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
289a94823d7ed7c6eebfe775c1f5682f

SHA1
84a8739f7c1329c23846ef4b65e9080ab2b8da52

SHA256
34e33e34d005b6e7792076d58386c11986d1a9ae0261aab10501c4c2ad0acc64

SHA512
1553f15ff5732a2b2b41b29d979e0f1c2f53ed0469478d4d416571472f6ed173d4c81421bfc8b4adb41e673fae2f9370b371a95eebe563bc91c2d0b2756ba697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1369df914f818c647bf78fb8081199ad

SHA1
f59eca1c29b07584bbf66f55465d266dbb50896d

SHA256
6b7907cdf4a59af54fba5de0aaf55c529dc5d0767b61a4bc5cb8f083720d7272

SHA512
74e1e62955f218e54294d25c1f91cd27f4682063a7c8c381a0dc698773634734811472c6ca41550861efa8173090427c5fb4a8686404197867a8622ec4c01fa7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
52ec0de7b4d0fa778ee42d0f28c82de1

SHA1
82a29680ae2dca529b7528e163e6dbfed7eebfce

SHA256
98ff3505004b29cfa078239fd4192f45ec46f3cdf72fdebe3b89543adeeba130

SHA512
6d04b1ed09ed0c884436a1d66005dfd74d711f54c096743115f861b4ad44fde6204c67228bfc14f46cc2804473c17f20a17ff15d38dfd9209f72f7a2a34341ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
746ad3808e4e36037451728740928962

SHA1
81878b3314386e1f155a54e7aa9839945b1a7381

SHA256
6b7be90dd692a83a9d9f34be8a833f0407fdffbaf9cc77d7782f6f72df24ddfd

SHA512
e61729eb1bd08503c8f121095facb0ba24985aaaacf5ec51be827e49aff72b9796fc60cec721d1bbc8c88ca43cc2ac9276f6ed3ef99b87a4f714c4874ce6c564

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0bae64945022531c4b9603b0853d3661

SHA1
4acb5c93b15719ea23e07ade4d50411af937e2dc

SHA256
9df2f302e98d003fb427432e0e8cb5581dfb9c9dacbbdf4860e3d188d4362e1f

SHA512
44b975312a995b965ad87a9fbf74baa6435b989ee7c03ec23006b4e1a362e5bec76a6fcb0fdf652600677dabada59867434e2171b5c8c9ea416be3d60a3c53da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
2f405f64d779219b68f3d17a29b6b60a

SHA1
51855c8f5ef29930cd135f34d1be8c0743c14962

SHA256
7bbe5b74c24763d6b6ea1a40cc2d6fe32d734dd3fc853783988a29179faee94b

SHA512
5e7571dea3ffff982c10e010cc47781dfe37fdf0f2271591a318bb542192eb04932dab730d62e3e3da2a4b03655f9f6811cdf4f0765b45bf140732883720d181

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
71f4fd4bca76754ceaa64c02b12cb791

SHA1
477df724f7ceef3f0602216a2a89a5df6d273f59

SHA256
0447e92d0fc81c3aae6ef626d9ee2ef61899145c098b3bca7f557f8f35687658

SHA512
a8727a5822988abcffc041588f112a48006e7b87f808ba1f8a1d5a4be2dbca1989a6ed2e318480735c9e414de9c565d054fedc134cad12dc2762e8cc8a303a21

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
01e87b44c4b4eb7a99eb6a7c0ff32c5b

SHA1
a3c2c29193d158435d22e08ce9b3549dead1af5e

SHA256
e5844e53c1b5b184eaf530a236a9ae9ba3b1fb2f320a6806769de9bc77847367

SHA512
96b33ae629c94bef6492ea62f53fcd96fcb4f28f0310fcacf1f83d68ec784b75a141c23787c9a98f71859a85c501c5b2534ce7c98612d663647110a09242be7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a98758077ac72d52ff4fa9cf53670a42

SHA1
7cd18a96f451c00261915870660d5630b850a417

SHA256
adffca296661ac6e27de2fc82ca0a7a8289710b2b3e9e2e323d999928c0443db

SHA512
f1bfc51fc631191fd60c78431faa90365fc69ffb9676713b66572f95108079e3382a24ff3fbc31c1d2b14fa58fd8633571029d951d44f68e8bc13f171f30a98b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c769568656cea7ee3faab40db81ad273

SHA1
e02ef823d1186542bbe3ab2db65990507e3abeae

SHA256
707a69d8ec40f6739bbec963f340a417e0c8b1fd1cbde1b609fab0ca7a53a4c4

SHA512
43e0ad8fb372d12badc68fac39503160edbad051679e7fac0fc80f9d96aea7c6924de851c186b8a96d506a6c0e17e4484454cdbfa16f333b90e500d37c12a7e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4fb87ba20afd231d4ae03b500225b4bd

SHA1
93cc0df862b035a2363c52d1a01a5a401bf9e014

SHA256
d3b06dc343c60ec746c1c9c955fbaaf2f889e03fc59832727c42be62bbd19ef4

SHA512
6d45f6bea85ef4fe161749e3e4221eb485f0382ba30344c5cf769885de5d1ebbb368862e4becf7e56ef1b1e830ee11b2f2e67e2bde8de4696335ac62d24451ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fac1ccd21e8fd826bdd5c4a28f8db9f4

SHA1
b79b409259f6cdbd7ad1530780ea5c6008966341

SHA256
70c002f503f540803d6ef75ce7e3fadb25b9451940e15d388ea66c2e52d018d5

SHA512
2b4f226b173d78f0d293332e980a0aa904793f49e6d02aa3c78f9503600153383a21e6bf7bf019324fe12f4d2cc7a59f1ec75967d69e8c62a66c00d001c60efa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
b051cadc25f1d83329d0f158a3e3a223

SHA1
5e3cce160841fae70d98dbf837cc6ee8ecbd8036

SHA256
e08301144e7027a2c2bba0aea93d996fc85ed163b1986f2fe304f71949266286

SHA512
b2c37c627556ac90b11b34694a5561ab901c0a34d6eb8bbb6fd1674c8124a5a119b3940fcf0f01339fa8db54fa8e1f667b657c822d15ddc98aa9880073c6f8a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
1afbc66b90575b15ab083b6e2aae4bbd

SHA1
22d7eedee392064af29677f1584fe0ed76d28022

SHA256
4edf8593615dabb38d186853889552e34105d709fc8005108ffd60757245d1d8

SHA512
5b516a3d9ba7b159789a044eded6aca2145f52ff64182bdf15ee439e5bd10caedda6148c036b5d5f4d8cb98d9188aaa41d5ccfde6d58d60ec1d67ae905cf00b1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
f7f327680f5dc9c7dcfae004d5207bba

SHA1
2cef5cd54715b595a989d9b648a88829a09d6d1d

SHA256
e26427ced20af06c5032ac81e9a6cf5427158672f4eab705a5308b248d81b15f

SHA512
7b218e7587ffc3f58bae90070ca6a28faec2aab92450b58d43027aff029ac96852a862fdfe61b12ab2c0f3efec22da3b6d239e4c8fcee5634d8d2f9ed9038618

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
1f9de7679417358c224cf4ddd6b53cf6

SHA1
6498ac79e264bdf6f26b09bc9df15f468ba929f0

SHA256
69dd34e3530ebd55a3e96022db2341187250896db3a28afe082f85bf1e731ecb

SHA512
0f61269cf7ac76ed2fd5c00d373b64a6e528ba505be6a93abf3e0c85cc74b48e4f25afd3052f1bdf2c82bae97739c93f4b781d1bd63f82196fdc41b0c236f5bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
2361f82b40622186a8458a038fb63b7a

SHA1
1bb971ebd3ba57ad5a4d039ddd60f2ebb7fa730c

SHA256
14f63e9243b28f6111e0f897b9b692bc043e64a769ef50d1d9146a54ca9e2e5c

SHA512
b4bc617c3842171f86942a0d4309cf348dbb41b8c6e034f0c35e2adb693523de48b493452d218b170381295925c125e6597f651cc6ea08710c0ffeb1fd9f4d34

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c82072a918ff4ca20a2b9f98e410be54

SHA1
16f96d5380d6cdbadd2b1fd547a61c2a3f460a1f

SHA256
e73993be803ff56cb2406b40a7688fb864ba345e1630ac6a23dd71fcb1d9f764

SHA512
5931479ae206ce528104c0068090d60ba73da7aca3fc0dc52c812e8e59acc887385849b233036169794a6ac3a7cd72f7f55310108e3a364713b87999670cab5a

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
acac8f8e2e8e957b894c7bf07f52fc3a

SHA1
fa6f8398b8e22e74e6ca99a3f6d6cfe973466f04

SHA256
954211cec8d72da6fc1adc225adca7d30593130ae8e1db2d62874d7eee19a742

SHA512
89b803bf676e2788e72a7fd6711899d4d1f7e7dae1c9c5c7b50e91852a3551cc31abd326a105c7c58924ce916757637467f513b0eea9805ee9d18ce823386508

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
3d7fc39811815be630ebd14512e0a4ca

SHA1
b734df1d402ad9316344f2bea72bd28a65d4806f

SHA256
39fa50b9b68cc9ad7b58395feeb613fdcd97db8b9d42b936adfa58d8cd1f1869

SHA512
c8299fd41952a73aecadefede4788b829b5c89c65c2b68833548737994deddd8e1930cb199a02ef7a24547b1556728dd051b70e567c1f732919a1ac7534ec852

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b3e2e7267e6256c4df5e26fc29761c0a

SHA1
a1a5066bbacd46424e4d07541714ed0a6cb154fc

SHA256
b5a18663e61e57b868e860527aeca24e7d5af572540151b43f269f44c1f68d23

SHA512
9ba733171d17da4645e2ece2a1a313ef13989a457e7e33276ca799b248a7de6451b397adc9abfc45aad3d322265f9996dcb0fc65eb462f04366291361c72af69

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b3b1f16a761df42e06039b0f1dd521c2

SHA1
b7048d004396b230fed6ff572d50074712ca5503

SHA256
22ec8d5147cdec2be780bf55f61e99b2aea27745b3bb5ddf1ef1858f2aeacef2

SHA512
9aa7bf200daae14c4d73ea0981eb5c4dcdaa58904592579f437e2969f61db2aec2ece090b251b7699dd827535d023856e042312de4cd853c6182b598db1a2e8e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ff14a61fcdd48d0c0ac16e9d8296e8dd

SHA1
568c9623705527d35e54e84a5e7070c55d4cb97f

SHA256
0b241b07a6cefdd14517e64668ab62f17b771b70d1eb694a4f08e18c27fdb4d2

SHA512
f39347697d3bf2ec0b327de2b42d1ae2f8f15915615b5d1ea9852842e006257289c77dc75e80b3419c23cc3e7d265fd91296a498bc61c4568f4ac3e4d67ab8fa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cc6f74aad23ce887f7350ecfc30a9bd4

SHA1
c825c651a345a0922d296383a764a027500e2260

SHA256
a55e4c073b14869e4dea53b636c6cbb755f66d271abe327089929a18a4d3ae22

SHA512
82216f79c967dd4d8aa72ec592e6546e06d652a11092aca84dd6e6c8743b034e5090dd33579a806bf308332d178b6b5b4442467284184cd10cae23490bda1893

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
5fbf966f9e6385a7f919af8cc321a752

SHA1
78e1322147ea9912b4b28732c2dc4230ae256d7e

SHA256
8508e92c596a634a518edbf69ea4e8c27245102fcc82560f19bf95c53277e517

SHA512
815e0013c8a8e168d56c1092bbfd5046e04ecf25fda90e98c2a7feddbfbee6fe32553314e3cfac6951acbc919425742fc5e389e633a4e983b13bca8922ffa58d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
0b58fa77627adfb5fbd0764e0d737152

SHA1
4e03ac6b2a758ebff554c4a47f7fb9b8c893ba44

SHA256
a79e94d882df78111c58d886805f870e2d95ad5c14d50fe72e9179ff3f950bb6

SHA512
ee1f468d73f6fe4af204b9048f81baf4d6001686f8fef9e58b596841671511ecae1b295d51c40d45699781242e13f1264cf1060383b91060444bae4e6e10bce1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f8efee8d58993b698c412d40aa845787

SHA1
b923cc91366b046e9efbc6bdfdf3c782e3eb38c1

SHA256
55a6ecaca64a21af06d117a8d259b3fa6f86d709755a47bfbbfe2a20521e0988

SHA512
1ba9cd4714b5cbc754037cc90068f53fdd8c3a1999145f9d0ad65e21590d5893490be83c53e60a451d0508195960912a3f4cbfd21c5b61ed38568a8c73e50f4b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5e8256884c03522d04a43a3c8ac01758

SHA1
1a8b3ccc7f438d58f34aeaf74ecf0b556ecbdc7f

SHA256
0fe3e7238fe036e35e28bcd316f751894cd12bea811ba732083c9943cee2c5c2

SHA512
9f089928e0ebc64f36b40b94d0a7567f6888513a0b789ad41c8fd799a71d23ceae618e3f69d8b68e614286ff4dacf214a47fcff6620cc7ef311014b582313912

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3224ae3cd79f7bc64e9da74622c3324c

SHA1
ebe4fb063df6fa8d8f437fc16fa1348c0847ada2

SHA256
3ded67f507264fc7e86c2a3294e242c56b9cc6499f64eab31295d0a53001330e

SHA512
b3e3f53cd4574a198b0cb8bd8b321f266749021712f839e4066f10e9c43f0e93631ed6927f4350a29ca79a830bc466367fc87626fa760767bba615702456f349

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
9677edc1fb72b2e4e23cbfabc4268e69

SHA1
384d9be55b58f2d9be7327ad334da341fefd4796

SHA256
c7efdb3ce023581240b9b5e71bec2ba135683f57cea35627869b1045ca9db255

SHA512
5734511ea51b63dc29f19b79ec38e6e98069b413bedbbea916fee1a6369bbc9bf3de3631fb15d2b0d78baed3be0013d7d5d6742de32692cf16ff3de35f6fb107

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b274d4f31097ff6eb2be6bc742f075e9

SHA1
dbe2900a0b97b9ecfc8fff4652a9a46fc0d70f8a

SHA256
feaa79612cac56beafb121d0e897fc511d4352e24c029c72b26f0300f749a944

SHA512
06691be4b343193264f540d2ef24e9a7055eb94a029758898243cc153f99bec6c3bbc889d93a67d2d7a337b6779a01e2b8fa2c82e15e380735b9d370728be3c5

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2a692e1c5f562cc3f3d6ed6c05b64e3d

SHA1
63ef62464afded639919f08f661f5980b5e7c167

SHA256
2b3b57ae2e6126808fffe1a6225d933c91485385354c6dfb1b6d852250f80232

SHA512
44531dbfd2f07acca79641e5515edb056e25d701a2e68001c4f6384bc0e6d4039d863c8635d9f4ed4b599fbcd1cd1c4adba60c7bea523a4f93988708b8812632

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
8541d9432011678137317ec1974a63fb

SHA1
e9dc418612cc4df0523dec1e6ade974bbd552ad1

SHA256
075241eca6128d8119ab7fc9119d7c2d98391477a066b3d0606b717e7a4b8ac9

SHA512
68233b7a3f200f5bca59528d5163e8335e83fb44e30ba5b7f966e6530afa20be41cb8bb9a9fe625515b18745850871ef15374d9b0d0d61aa8524b9e406a26a23

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
1997e52cab2436f149eeada6e278e8ae

SHA1
f94b0b25c7afec9062a72b9b3d0d012f60607cf3

SHA256
6f9c85864951499cc02b4fa2cb1483ce1c24571845546f4484d933bf1e821e6e

SHA512
623e49064e74433adbe57fa31535fc113389ed669616aa3b21a81474b795600a7c70501839588dd2e86d910f76a22e1408e14ce2a57ceb602cf2ad956ec9e845

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b54da53a3f8c5171153187f8575e2321

SHA1
5685d417089381bae23a1e1495f5eb6e01013ede

SHA256
2175e85a7ca5403a88e084e7157be1fcaa42abcda70f9a00f108b96eaa406722

SHA512
3a8bc9dd66b8607702efcacbd23d118b14260ea966200103edeeef64061fa05b3b4c6aadfb2ffc37edc6ebf2ebda3b4b82ba42ff5c71e1c39bfb4f8ee196fa28

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
cac54ac45e84ce8a97127c54358c6d3f

SHA1
ad6e3aa6c93fa7c04a26a157a0904e043d2686f6

SHA256
80fa0b11c5dcd3646c6a8f8acae7a9cb0563d57ef74250a2efc8476eb2df7c85

SHA512
ac710f477a1ec2ba09efc7dccc646fd556954f5572d2d3675caa3936270e6027644fe31b378af9d7036b656b2ba80a0646b26d917d8b121f6dc12b04aee8df10

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7be3d43dc77f8d98cf1b55d6ca0b0b49

SHA1
f1619dc68e1e1c2ca35aacc7b78a856603367886

SHA256
250c6bae29e420c01472cedfec61b554fa66c0581669e4b2479bde8b39a987fb

SHA512
a23fdd5d1090132b87b1fab0c9f5837e9051bb12ae40034c935b5f0e59bea90a9f1a60402751514cbb3b469895850bb2523cd45cadeca56a0d89cae08291b9bb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
689d9364684c411c5cdd3684147e7eed

SHA1
8eb989cbf0ed11858003c27d6ca843f0acc7ee93

SHA256
687eb2e46e6a84bbab25148bc5cfc78339fa7cb0c3d2421eff65e8a352764f33

SHA512
b078ec3b87c2d23d40c480b6110e70c7b13a746df4a1b7ec365100062f51873b9bdf0501012906ee7589bcbedc772b2db26ba44d489aace816c618cb08e3a616

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
16bfe208cb8d08383f4b4d11a99d8e18

SHA1
c7615b4326f450489df7b6b6a77db4c9251c6359

SHA256
c7f0de642a3a4ff3c750846a0ce0e2ab4d3f1254197bc687445554d1e73dbda3

SHA512
b417e577b28d0fe93e7016f27d0c25afd1c9193fac9099ca3e5544b6b38c59c21af1d1576d069107eed47edffd01d0ae04cea2aa36400299c51c17e7d9fb4179

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
05f46038fb274cbca0e029711ea89e25

SHA1
1b7ea0c4b3569344f20c50094bcb33013847a278

SHA256
f414eada54a2c4a3a216ec0ab400fddd077c7478080aff6246bd120255dbecf0

SHA512
ce739cb449ec97e02b88af2f7cb136184fcf4c554d435683a6094fe1a548d58590dc1986ff1d2c20987e962c33ea7dd39f82e2ac6fd0b4082e596f2057c44bc3

Download Submit
memory/224-440-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/224-130-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/844-88-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/844-96-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/844-94-0x0000000000B70000-0x0000000000BD0000-memory.dmp

Filesize
384KB

Download
memory/844-158-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1608-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1608-353-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1608-6-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1608-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1608-1-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/1948-15-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1948-110-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1948-16-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1948-24-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/2248-152-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2248-150-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2404-159-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2404-512-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2500-80-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2500-74-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/2500-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2500-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2912-171-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2912-517-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2976-446-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2976-146-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3632-114-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-170-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3632-444-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3652-111-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3812-30-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3812-28-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3836-135-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3836-445-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4172-51-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-43-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4172-134-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4172-49-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4540-105-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/4540-107-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4540-100-0x00000000006A0000-0x0000000000707000-memory.dmp

Filesize
412KB

Download
memory/4540-162-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4560-156-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4560-463-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4652-99-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4652-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4760-55-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-61-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-54-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4760-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/4760-67-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4768-516-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4768-166-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4808-515-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4808-163-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4840-32-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4840-40-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4840-38-0x0000000000C80000-0x0000000000CE0000-memory.dmp

Filesize
384KB

Download
memory/4840-129-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4852-69-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4852-149-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4968-329-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4968-118-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download