c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
26/05/2024, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
Size

1.8MB
MD5

7d8da7746745fbde221b9dbe673822b1
SHA1

e82c6bc4afc6c8ae419e8d1d4f8d4031f41b62d8
SHA256

c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b
SHA512

f7da556cb7f7779042538b349c105c57e62352f046503ea1b7851d2c7e355610d979829a5c4bb952863e5a6a32f4369c72e2c0246ff0c859a48f86f13cdb7fb9
SSDEEP

49152:Rx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAMgFIDRRAubt5M:RvbjVkjjCAzJgUf

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
832	alg.exe
1280	DiagnosticsHub.StandardCollector.Service.exe
5116	fxssvc.exe
932	elevation_service.exe
3364	elevation_service.exe
2984	maintenanceservice.exe
1672	msdtc.exe
2664	OSE.EXE
2320	PerceptionSimulationService.exe
3336	perfhost.exe
1740	locator.exe
2324	SensorDataService.exe
2452	snmptrap.exe
1600	spectrum.exe
4240	ssh-agent.exe
1072	TieringEngineService.exe
444	AgentService.exe
1932	vds.exe
3408	vssvc.exe
2316	wbengine.exe
1264	WmiApSrv.exe
3708	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\2c32e306b4b1389a.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\System32\vds.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_en.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\GoogleUpdateSetup.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_da.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_gu.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_lt.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_is.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_lv.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\GoogleUpdateCore.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_hu.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_pt-PT.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_sk.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_it.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM5D52.tmp\goopdateres_zh-CN.dll	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d130798ca8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6ccef8aa8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051686993a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a36d558ca8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000276b2b93a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a2456d8ca8afda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c9424393a8afda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024333b8ca8afda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006f7f878ca8afda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1280	DiagnosticsHub.StandardCollector.Service.exe
1280	DiagnosticsHub.StandardCollector.Service.exe
1280	DiagnosticsHub.StandardCollector.Service.exe
1280	DiagnosticsHub.StandardCollector.Service.exe
1280	DiagnosticsHub.StandardCollector.Service.exe
1280	DiagnosticsHub.StandardCollector.Service.exe
1280	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5112	c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
Token: SeAuditPrivilege	5116	fxssvc.exe
Token: SeRestorePrivilege	1072	TieringEngineService.exe
Token: SeManageVolumePrivilege	1072	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	444	AgentService.exe
Token: SeBackupPrivilege	3408	vssvc.exe
Token: SeRestorePrivilege	3408	vssvc.exe
Token: SeAuditPrivilege	3408	vssvc.exe
Token: SeBackupPrivilege	2316	wbengine.exe
Token: SeRestorePrivilege	2316	wbengine.exe
Token: SeSecurityPrivilege	2316	wbengine.exe
Token: 33	3708	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3708	SearchIndexer.exe
Token: SeDebugPrivilege	832	alg.exe
Token: SeDebugPrivilege	832	alg.exe
Token: SeDebugPrivilege	832	alg.exe
Token: SeDebugPrivilege	1280	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 5532	3708	SearchIndexer.exe	116
PID 3708 wrote to memory of 5532	3708	SearchIndexer.exe	116
PID 3708 wrote to memory of 5568	3708	SearchIndexer.exe	117
PID 3708 wrote to memory of 5568	3708	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe
"C:\Users\Admin\AppData\Local\Temp\c2f919d55ca7ef4813b9df7fc0cebb67c043761e17c65ed81f9af594bbc5791b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:832

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1280

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1644

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3364

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2984

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1672

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3336

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1740

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2324

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2452

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1600

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5052

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:444

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1932

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1264

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5532
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b3025a7820ae484313ec668964e3d3df

SHA1
d251f10d3b08839df3b33d2472b8aa06723b64c4

SHA256
98355d408f22ef9d72bb3b80a6800149e4d9a0c408854a89b779ac2a78974120

SHA512
bf206652e93815264c6b9f30cfbe0377d5b14a33b9d25a2d0a2eb84a1f5421d461148d958ba0c7d189527b96b6538ef60b60dceee85b3f8d5de9fc94a4db096e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.5MB

MD5
eae4863772a416071cf77f543ffdc828

SHA1
3b700474834e978a75a02e1e62c7dc2abc3b6c45

SHA256
57102542cb9fc94e5deb94cf2f602f9cbe0bc4c17590be87e42515cb05960b60

SHA512
945d9c6a2e91b1f7d2c417164c05c383e89cf59e2dac0da5a1bedfd566c6162f71a2873b4c291ac3569368875951a4e353dc9f490ff6b760427027238788e5b2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.8MB

MD5
35cd4d46db0577509c7e4d2db8f345e0

SHA1
d97db17540500ba7860489dd1e0f5ba116ea0bb9

SHA256
2d2450387c2a699d70968caff3de1a63df366cfb5a06d193c6213d36960ca5e2

SHA512
25ed631b9f6cadca24599195e927de4a8ddb0c801dfccd995759f74eb33d03778c2c0a45322c2f1f1712785654d6817606f057384fbefa6b5582a0cd5337bbd1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
6956ce10226775f53d221be99c501663

SHA1
0179d145ef1e6fdfea2d26f28cc87eaa2561cddb

SHA256
e46eabbba98cbd0b5986b02c6c21372d20c7aa9ffe2a5e574073699b4abf7ac0

SHA512
1d552dd67fc2f44a35f18499cc1fc18fd9980087ad6e6e97948bc19118eacef49ccccb1676a49877f0c5b5093c831a0b15d4787eeb0c19ab142ab48eb57cd5bd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d12d0000d82f072e235ac1ac12900fb7

SHA1
9d87cdc70a576a71cbf360b5e073e08ef9c401ac

SHA256
99cea25c5294904cd8606f5e05fc7cb2f88ac7520f34b28bbde4036a5fcead8d

SHA512
1dc11a4b778d8377b7fac44861246ea0c1e310a9622e5fa9539a520ccff7b0eeb69d275a53881cc26315143025892356bb5e1999022c3e93556e70f94bfa8652

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
080fbce582eab7f60d25df441642379f

SHA1
9e6e658710210766ae365cdfc575f09959ca0034

SHA256
544304a095431f07dce37832ab8bd0e05fd596dd958ff13330d78237c5415e04

SHA512
10c53350d9e64af0166f1ea8b65d857e78c339e9084331231294852b18ef585daf84a22e3b05d3773b0130503a697b57873707bfe24ddda264cf21e1f4becc13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2ec7de05259bdc471db522fe4e1df92a

SHA1
cc05fd338e42bfa4007b9de0128dd6d401e45dcf

SHA256
32c5637764c264fc3dcfcb33eca9bdbc4d397968c7ea839a7c0f41e2c81a9492

SHA512
8f14334e15f2157025475de85221a5968aa08d0a5e2cf536e7f18f6d991c482cd17f02fe775e1620d3c2c0d9326b2a93b6d6e924b35f12bd8c95dc015b3e1255

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
cba5df83ebb24289ea24875e687a8f77

SHA1
6d3b07c0a471b29d2f07848326212052e51be0ca

SHA256
6722fdcd64c49b3720797ab5ca56cc487148bba85a28a8de11dd2b68659188e1

SHA512
6c240766c621f8c2104fc368c5d6f2d879b79ce14a53e4a662301715fdc5512e536ade4b451005e69ce46a4d0f044889ffdc4dfd273acafe100958e3f56f44af

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
6b013c2e8577cbddd97033c18df63eff

SHA1
b081e311eccbd3c67d730be118191fc53a5ba856

SHA256
3076ba60bcbdd0e4ceff5396284a9e0607c2d1a5bd427e868e0cf60ed388e2c9

SHA512
f2a7c5962fff64af56cf77225d82b942b443fa5d6b8bdfef1bb31bc94e31e01cce4b158145bba87ea9d9806ff535e40c20d7a25290613324b78d34c3c2798a28

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1e8c11b959bdc77ff4501602d6d3a921

SHA1
4daffe0b722fcb42f793880b7de8aec38b85ceb5

SHA256
064eb9370284d3c130a426ed81c283d26f769f86edeee33629f07ee2516c04d2

SHA512
6f692fd614a1e5e1292c61fd1b73d325e6b1ddd29a3a716502ce8ea98d52e8903968b3f6e12c80b7c2b36fd3d44e48f1106cb128641a66c48bf7d5818fe63e69

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cfc8c2fe235c6bd9b095ccab76100aa7

SHA1
5a2cb88d6a3866d2b51a361a8b2ae35cb0a40c26

SHA256
a6d3113875d1d4695e0fa55ef7d13f8081b8ddd0f726b05883e5f55280a30d8a

SHA512
4737159e4037edec0d8c228e2cbaccd5678ceca4d91dc8f5fd07e1d4f93f8c529633be12db85cbcc30f35fd4fd3fb80ba99a36eb007d360fe2cf74b276747f27

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
bfdc294a6aa1704d6d6b29112050940f

SHA1
e71bb28464cadbfd95e8896cf741b61ee16404f4

SHA256
98de1e9ccfaf5bd2b0a89a4fcc8007742ef4fd1f22ebac03e1aa61582b28c7f8

SHA512
c410c495ec1e1a7d5a87a737a2e394a03ecd802766429bb4e95be05e2fbc4eb783b4b4b49169db4cc2e6d333bd4c6ebb380a8236a9ba30fc3dec7f79ef12d4e8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
089abb2ebf4402dc424dd84de0deebeb

SHA1
6e75d2b9ac57410890aa4cae28ca0e2fe8112a11

SHA256
6f34d1437d2f3f478ad8b696800e4752fe709205be2c38a3fce2eabd4f5032e1

SHA512
69767ae92d8998eaae6f7ca5ccd07d4f297526aa425a87d7277f80e90e813e94399b7d4990bf1d0220791e5c26d159df1aad7173daa703a629e01a5e0b96ccf9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
28730ca39b6102ffbca3f65cf3dbfb51

SHA1
cb99b0459c03a658b617871f60d0d67558597e00

SHA256
6d65522ad13a3f928c4b9d925714d9c649e923b770b867d8eaf3a02d7e0a2871

SHA512
d3b887faa1dcf811399806c6d9625e49f5f1e43c64c29ee2beed2395dc0670293189a401ac7990dc9c05157bd89fa9bc9309c6dac5a3c8e35958ca3c55d185e7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
71fe4a9c0b529bff70fa56eda176220e

SHA1
bbaf6cabf818810c07e492afcacd6f9844d7c7b6

SHA256
c3cf64dabfeb4d7461b916fa0094bb46dfda2cb2fe630a6a96decc1f2311581d

SHA512
ff241fa9ec3228ad1fc8fe2ecf6b3133846227d1e3761fdef4602c62ef045c4949bf302dae4916270c26e77e4fbb836caa33b18b974be773453cf00d8b4c9ff7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
36a065ac1f0e3cf397564b35052bc1cc

SHA1
d05e673c99974393cd0c3477c2eb21df0ca35fbe

SHA256
5b0c689f2b76d439937993067e0abc544b88e0228873412a2ce9c97d35df954d

SHA512
974b80e64e357acc242cb027634859513d5f779f9e2401ba0a6745c1f42abf336c59c85c8c592d5167564ee712c4c3c11bc8279cd5f63111956fb599b544f749

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e77381e8dc3127dc511a0525479b0372

SHA1
cbf565e123d31da377382f1ae534982342038c6d

SHA256
a9e358ecc796f6c82457935adf699ff34381b882fc242366b71c94a16fa5bb78

SHA512
1394ce5f3d749f02e857d7e4289113f92f119b2ef8cddd18961012b3c924926cdb2ae73e2f4cd68cebacbae6badbc076f0333f68e6eef42c30bd4b7bd77ffd0b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
fc1d017919b69e3b857ee5998a9546c3

SHA1
19921f395c2fe011299180762f51f340f9ae2db5

SHA256
b38fff91a041239253d9fe0e35c53400543dd35d0af745ec7be674786e94664e

SHA512
e6149f612670252610c010ef763b5cee51c1c3c761b6cdd9a1c1011b2b88eb53f244cc872a09ac6bc6e3e58581914dd454b6905b2df63efded7e727aac6e7141

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
bc1e8305b8447c1272d792fdd81313e9

SHA1
5a358329feffa7b1ac720f6215c4de1c60819a5e

SHA256
2add5cc79542f1189891c2a8351ab670f5da6e64a5f49140321eeb328378eb73

SHA512
985a71d318335bce323fba923e4508c1e9ee568ee505fa72644aa223e98183d8bc41ca3958f7175252cd1921cb8fb29718a7825a452b3f73a050cb453b7ed6ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.3MB

MD5
212f33be5cf843eb9c1e70d909eae8af

SHA1
451966162c24710d434b8eb087b80c9a74e5929e

SHA256
3c71aedf75658098e7ebcc4c2431757d82be3e044f0344c74cdd551df402ff12

SHA512
02ece5736236649f1eefc1ac3868a27cc39cd5340f946d8254903934b19c8eb8131cb476c851598e165f08eb96513dbfa8e70716233c8905f10e44fc3f70659f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.3MB

MD5
838ad06a8b413a9a50120345f347117b

SHA1
f17f0c9a9e9f80b944726bcf4a52ab1401f5cba3

SHA256
bf137ce6c163930c42db23be0b8a5e508657ea2106f5436dc198e3a0ef491923

SHA512
96208d8ba3a8145f4d401fdf4239a7db00a1a9c4f0ef9fb26f4f68707a1aafb5e9cb1620015121d7c3cc3180b20132919d438eefdd351dd7df6905589e0eff14

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.3MB

MD5
90f11d035e7796c844260d2bf52c3aab

SHA1
1fd1778584f7a64bde2abe24f7ae9bcfd2e23729

SHA256
00a27ac2baaecfc5dcba418718f9c5be30469ead3b9ab2c3b4563d51a56d0e4e

SHA512
524de1de5890c8aec6e2632531a6e10c6019dc16404b94cea8af9400b8624b29e4d80d26b91477e6f9815cbb46ac2b422aa0005d3d1cf11e2aff257ad39d0164

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.3MB

MD5
207e1cc9fcae8ccb88489a035366ed1d

SHA1
56db82e4cc0f14f84788941216ce9ee8eb4a7b05

SHA256
5d913017551d9d4895585285d5e5b6f67fd2f63a13e65eb8185720ebb54ff03a

SHA512
3b530eb8f8a2702a1bd28bb4618de594a2b8501c8a5e0a82bb68af97f8fd4573e9c2e00568218936c4cd875a749428c1f2164e4904a680510bfd4cd54ed3fb8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.3MB

MD5
587dde4f820217dc2d628dff8fceebf8

SHA1
195211fd3384d6365447f60bcbeec5090a9c40a1

SHA256
c0db0881de36f0cd6c23c3005063457baf0f850fc254dc8519a243d41daea969

SHA512
98c5a33e79fd59818c6774f81f08fd048bbd331885e00b241f98733d250f8258ecdf04cc3a08a303d1c6464f94eac341327131eaab6630b7f52835b3c85b2860

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.3MB

MD5
4930d2ed501b6a0aeeb421c391286118

SHA1
36eb1962164634214031e29e03c412210eb322a4

SHA256
7427073edd4d3b59fb40f8788331b834eb76dc1fc79375924d0969e1f22476fc

SHA512
7d3f539222ce4662093c76e9a79e286c01e4f611298d5906b2efc4092079e59de92913b80691325503d48c44fbc0a4a9d6f25451512c85c736b852f4f6cb9f93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.3MB

MD5
d58be7ae948b5caeb277ed537fc70d80

SHA1
64e4436bda56c5d0e6fc132628b435455a4148d7

SHA256
8a19df372978e62a88a3767b66a6226ca6b116361ab9e1cf2812c53940e03784

SHA512
0555dee246ba76ebe2d14129b95dc1a6389c57594959fbe1fe23bcd193401d32be8f0ee1a118dbc783777c395a7b726273324cf50768a1289102943c8d9fd1a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
a942d40d541123d6a097568e66dea245

SHA1
738527fd150d273d298ea575eb556a49b2cc4acb

SHA256
fd63920b1a413c048b15e569012f6d3858b6ab9d8f2298e8bf6f181d78207103

SHA512
32b35f30bf77299474bf884f0e5e538899206e08ad4a9de4c0e231b5dfb9dd5794443725aede651bbb34a8af7b7454743539ed72df41b6e9a304623a5e995089

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.3MB

MD5
5c3c3a09c142c057e261a7534e39b0c5

SHA1
3af3ee99f1ec05e540bc252f5da3e3fdd51d288a

SHA256
25a89e9a7fbe486aaab0b6952de461d156d2ac18df846194605c67ea967d7ec6

SHA512
480e35df941ad8c0aea993306d7f12260a1e5c841014094ecccb914965a042a540f6b54cb009867cab944ddaba00f1497161a3e9ddb7077f0461df795f7a3fc0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.3MB

MD5
3bfaefe32e6afdbaae2772c38112d80d

SHA1
76c2b92b4a3dc1220c92cbdd65d2326fced6d0df

SHA256
8ba8d7100c700a8aca506b6c638580331dedebe0d7483b6cad5e0f48f673fccf

SHA512
53761281a4429ba9ba613a79567a824da4b805598d49a0af9cadffc763f1363d71c7f125652d424c8639468c8658098e34247d1837590bce964ba4a2b311a792

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.4MB

MD5
d61810af07d19d32678a8bbaf79f2138

SHA1
6e32730420f933ce4eb8ec56c836ebf7fb9e907f

SHA256
6c8cf07d391cb647c05c63c1b2c3ccee11a3603f85bc356d7149e858a5b3e4c0

SHA512
1afa0f36c44d3f3d1f57f58d5b83b25f1fcc469f6f87a8eef9068647270c61e21334ddfbcef7cd2569a7f116253494eaefdab1c1e181d87e46984330306cc235

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.3MB

MD5
bd2cd9bda58f5b2c5514d9bbf726869a

SHA1
7339786f58f550f25a88ee265de0d3152bc365f0

SHA256
afe5b4f70a54201cb30b1025ac358b7dbcab663086021886e687a768b68917b4

SHA512
3b0549ed4f44572e406b002222d1b2fe9b529d6d0c4bd1739bef80c12e84cd9f47d5592dec76eb3d65a899aa792016daa96038be392fd8d8ed85b0f24db1a997

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.3MB

MD5
9f5285b8e13464c45d0128714671e1a9

SHA1
497b3c477335e1fcd9aa937e009c6fc1967785b0

SHA256
03a653e0d5be4805ac0886e17e38074eda58cad55eb051a8711a7a7343790534

SHA512
9c881b94b0c7af7ee0b3789c55aeff5a4da845ba7e305ec831273afe5a60675281587cc3ac65a1f2568a54861fed1b6a3fefa6e014c2b6299553e5d8bc35a686

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.4MB

MD5
9e520a4f44d730f254c48a734a107bc1

SHA1
9be0360387c890b06c4a63918bcdcbed0f684e53

SHA256
871b7fd84258254185f60873203b374d75a08b2c0d758bf38d855524a7ad24be

SHA512
004f3359bd5196ae9958413f1f09d6231d0a923d82f5e82d86982dbeee358c3ce0103be23ed50b4659cd4ad5ab61ca3851dc56e7476ef756ca790268dd2585df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
bf5130e219d0fdcf20f217343d074090

SHA1
25a612d8a0de1d67cd546c12cfd288a603ca8be0

SHA256
be4a7548c7043d3fc5ce27497947bd493ee25687f9fea138d4bc10141fb608f8

SHA512
fb7608868dd53516d6515671cb17b92bb3a0411a70907189c43f2ae17fbc64a188d2e16b30ddc3d5093d646ef63a1c47dda46be7ed5b12dbbe2cc4e8f6c639d3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.7MB

MD5
b7433f16456f6fc48dd64ef6bd6d870c

SHA1
a84cf1b4c6475a1e58475b46d5dbe290e71dd86b

SHA256
bc7e494aae51abc8ae6005bf2ec99f7421f3677471d8a0ab8743f848e37e154d

SHA512
8284af78810cb9a16775cfa60bd41526e0029cd5195879cb04e0465bbd2745ce0d42b5195a3d0ae5b2ee5252a673e84b1afe32b7ebd123a5e2c1f878601a8eaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.3MB

MD5
264c989ff460b589f86ed4725a794613

SHA1
773c255d25ee660331204c1bbf13e8c582a9df66

SHA256
2ff82649dd8d02d19a227f6fca2bc0fa44a965bf48f9d2d066af680b26e83212

SHA512
0a284e9c7d5e770204a25965db5866b64376f7f668888e16f5713ef66d7fe3d17bf06cbb9a46e22eff34f5b059c21e1e00483498d7d6f6133fca9661d500acde

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cae35d77f383660288096411fb98a295

SHA1
90505cef9fa2684da740f98fca39abaa1e70937c

SHA256
7fe8e82210ddfec792ce7cafc14fb890977d081a1bfd07deea0b063ab276bc25

SHA512
8eb18c63d60bec61ed84a32e7f70f6424a2f2c30e842edc1b3e96fa9b57cef5da3937c1625a6b76f5eacfadbaa2b2c3b5690a6a08354a963a5afb9a63b7d98a5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.4MB

MD5
e83c6d76dfe268036959c91d07856648

SHA1
b03ad2aa941965cf8c214948675e9d9a4fe17b4f

SHA256
1859cd09f36ab78c65da124fd5e76b8fbbf5ea482177de4e0900871a8e93a00a

SHA512
27f2e03be2d8a785751b4db42e4e6b4e367957d39adcaa0a421f7676b22376319375ca4416c5c716e4f3b2b5ead8d29c4298e1dff85df5e6b2fed7ea72d47232

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.3MB

MD5
6e8855627bd0f26617ec73214862f990

SHA1
6ae31ad66bde59964e7519a76cd32287c1821ff7

SHA256
a327b18d6de313a8fbd323d973d5264af89d014de30e60c86157d36d2e81e50f

SHA512
6f1dd31c7003ecd1cc68a9c114a3bc574759629036777840f1dc6e561448067902482d98e6296e29099ca734591c9ce4262ea24f67e68dbcbac1cca85275ca28

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c81b080768f33bf7f8a04bb522bd5ed4

SHA1
9d5a225ef1e0ef5ce438172423c36112a4792216

SHA256
2b7b0150b10478a9c22cadb8e40c4b809f681f66e6f5e41641578c1242f54dc3

SHA512
e385980d3a02ee796add0eb8fbbff95f8bc9c83e3f7c8454b477923277d626629a1eea10b223bb53a84e606daf11204c61715d1a29df19f0320ad773ddeb0455

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
dcd0c62acc172c1d5eaa7d78c6353017

SHA1
f207c1ce7c0f39d96c498c1e108598c89977691e

SHA256
ad32d7f9e602e6df8a96b88dd74a2095771064ee6a717640f6145e7c39b34e8a

SHA512
b6710636b4ca147d60384945166c60b62af9b05e060149a510c9ca65b3477d85546d4fef563bc0ab077a8c5412409ebd37de16db5795adb3dd49aa45c8f8f391

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b1e67f9f1f6e416b37b868d2a6f1945c

SHA1
f063991b6f7fa881102fb7d648fe781abdbcbb8f

SHA256
5eddaddd7e09d56a3339e68a5e92c7795c4b7a1dc13789a370cfa19fe97dd47c

SHA512
01919eaf02d2dfad23eb73356b3a426a792b60b7dd330186a0a2d002a0e636b333f98812f122414d9261b7401175c70edcfb88d0a850ecea6c9305d62275da49

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.3MB

MD5
da53846ebd72d4049536a8bcdf6b3405

SHA1
07c68fb57cd88a5d248f85d4c45540fcd7bf7e85

SHA256
a307eb8b3cdaf91c658822f15c29db41d2a2307502eab3dfad403574c5f3d7a9

SHA512
749fac13128fc733e94e3315dbc255597bca31de3ba58ff0feeb03a003001d98d340c1b4430d8ad2d2b456ab06d65889c8cf87bb94f1a28ac0a2c3ed2840c2a9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
82c78ad77fb3bb2a2e8bcac9d336b092

SHA1
5e153cb8d733a82cb52d93b1035490bf9bd5da95

SHA256
c862bdaaf94799f37d5688e6766633fa278d7bf14e80b0084706ec394b05862a

SHA512
a2c61b952112aa0ec921a7e254b5f1d466e5d765af9699e9ecb70b96ecd644c9ae6f1342f3840a2d25adaa761be24259456ca08d45653cb3ae37dd3cc8a6c902

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
b4af517a1533f809e2979b8ecb4d69c0

SHA1
897155b045acfa5546d9c4bf2b81cc5eebcf0419

SHA256
3e237c15f411fc7961bfea3caa7a6f8d9d269c80bd2cf8e5f30036700290cc69

SHA512
4913fa761a5da199758b0a23ff0bb63c0f5ce479e4cc625b06643b88263108e783d88bed2bff3f4cbdd3991c41f6c64192ff953e2f737c5adadf73180d625943

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
f701205148acfac767b3661d4ad1fe38

SHA1
adf11b05eaad0a77842f3d18fc456d4f3c970a7a

SHA256
bfa99953d37d1fec73cbd4898b2e5f9e7b0815b58917fc6cc9ff36ed8372d33c

SHA512
1667e73d719f7c1fc7fd2b1df65bd5412a1706a05f97eaab58910bbd2b122f732ea36071f7f3a23935ae893128afa90a20459b22953bf62062fab3b3a9e00bcd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
1beccc2e8beebde0de994786f6a97359

SHA1
fbe9960becc85495d260fc80f7fb2d7adcd9b6f3

SHA256
ce759f951d0d359bd1fbbe292295d513abc267cc594a2828784536faea2c2743

SHA512
1f48f4b4d32e9cca99910271f5603b18be4c880011237cf320fce8152bad1b3f9065075cb4e328cbf82f5e0a1c2d0cf30edefa0cb5d526f2c5002d15a7c0169c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3327ce953389d962a9d780fe7b502175

SHA1
8784933d41ee5eb80cf597248d2eb80606e453c8

SHA256
46e97a5fb41b397d4b2a2e5b8d32c8808a3bef3ec7f36c1ca8c5a7d85e53e16d

SHA512
67d769367472df80563e1341f90fa0d285b8b64f953a5b3e60d265efc4a728650a5568954d9269599074f3d2eb1894d8072bbc746c69ad887de091998ba782a6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.6MB

MD5
6f9a2bd7a970c77216f35d2abcde4e79

SHA1
97cd9afa973bbac77a3fd12d276ebe55d01a63c0

SHA256
9ab1f7a2d326e4eadc047c506089e76141f0e7d3f3daf27dcb9f15a1b06ca3e3

SHA512
4fc61632ed15bdda91a6c8ca6699ee97b8668602a15b1cdbcb701909be9cca6a2862b969da1868faece47e1db990b715304b0b58b1b9f740db624ae24b4600a6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8431c8277a0ec464563eb71fd92c6f56

SHA1
9421461c7341bd7fd08f979290c885de93726679

SHA256
d8363daab95d530ffacb5bcc0024c5a73effe4c24336f86739ed8187015a5bc4

SHA512
1fbac8e111f663412144ff6504ff924fdafe582d45dcd63a200d892143d4634bd356b9630257d057da49cea151897103419370bdb4d55747ff3974d162ab04be

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
60481489c8cf0b5714e78fd99e9b451a

SHA1
33a4656e576249016508d1f9665bf24a9e76aa0a

SHA256
fe84472f426aa4d080d184713612e19bef172c88130d3559c46ced95dfc10709

SHA512
a25ded0e922d059b98c9a5446cfb4dab9a34182ef841f448e080743cfbbfac8b020e7f50ab6c453cffb83f123dd1e71b31781660a4fc445b291d2e3026cad131

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
3f10f9420590c60063aa6c1ea3e46aa4

SHA1
5c3d9eedf74463d5d3de3e789d3a744a8475d76f

SHA256
ff3ff219aaa7b5b0cda337e08396b60db39e51132f7f2bdcc32131caa0032a5e

SHA512
74ec9e3cf36029ba4c1e93eb8b6250ef41e06e62815bc681066be82ad58f5bb15017c3396da1715e42c794f4fffa4c616c46d788d36bdc095b9d762b721fa3b6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.3MB

MD5
22b317dbba5f486f8eaa931e78268c8b

SHA1
4aab4c51d16f0c73f71a05700185c24ab537b3f8

SHA256
67019856cea95d1ef7848c2a9e4226c785ed9fb54c7d1f69d88abbccf8371d73

SHA512
32e19c48692ac170afe4159f7c0b46d9473087e9630d9e3ae20972fdef76e097bcd0acef31ce78c1338de768ab22139fb7cf9c40b0de98ba2a1915d7baa5d90c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e699f01a6eaa0cc3ae54946bc094be1d

SHA1
eac14b16f0a03b415a62e0c4a8eca33d42c062f3

SHA256
f477fd9122b2b80f67d2d36e7a060170633f9915836ac0db32e19ae8702ede90

SHA512
aebc8554c33c7ab46034096fd812c723b41b0f2b1bffc95767fe18ecc3ebf4f20b07ba454f246cf5291d0753bb4e492c79ef9a6feefed83de032f4107ed0ba68

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
02cf69484e849857e529fbd07043dc59

SHA1
522cd54683f9af3ddda91105b4edff6307a1de80

SHA256
43a2851337924faf06c74c05a6e37bd7fb3e9d81b246466bbb3e3c0b5849132c

SHA512
d3985f7181c25d134ddd696c079735239e58ee5ce5e3291aa5764feccca927e78a4ce771c234a8d9b9178ae60ddfeb1adca5ab80fac79b260539589bb95caae4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a218e671b0a701f5c4f90149af3cc9c2

SHA1
4ee01acdf24ded770a2b1207f1ee8b1b59e30762

SHA256
132898d9a846803402729c010f911e158b386b7e20f9a1e4946220ef56cafaa7

SHA512
ba5dd35eeb30f11bc31fae6c04bfcd4260a0b7aa33f66dcca8d2b158f8e90022cfe6825d93699aa4e4466faca3a0a1340e104fa4fba98fb81aee3e3dbfbdd2a4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
9fae3b041679243aa6c4f8861c7e3b72

SHA1
215dd289a9f021c1f5bdabfdd02cfbf56f156997

SHA256
e34e65efc890ef38bf679d464f16ae96d3c35f2099e00d987060054dfc527e22

SHA512
adfd9d06ac086065cdf2ad12592e4ba0c145f2ee66575e1eb36443cccc17f891dbca550982d20bb41fb1c596e331e51d61a7abfc1ad6081f447071ad8366c51f

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
f862b5f2971d0ee9429f1b1c9c6f13d6

SHA1
0e77e8cfa7ddb530db70042d2b5875795c93d0ad

SHA256
4bfe755d60c850a0f4358c14b61deffa40514cc30bab0a98880d9d289d33c8d2

SHA512
4a2c95cb39e61a8b0b13a095889780ab4c7e5a03a60e5d71497e4501be0ee4286eb1efbc3269e4d23b900a05ebdc29fb29b12f25cae2af3fc1c66da8c3c34e6c

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
754b5bc3c8fe019fa78adb36216e4825

SHA1
d6b233ba6a9419097033bcdc38ae0f376a993c64

SHA256
7a5d129bea1cf2448b0c15592e942b4b430a99636234bca4f5cdb1a864022d12

SHA512
973b0016bf01f6664ae772acb98f8f869d7fbfae301f8ecaf8e83aed349165dcc4ff07459620ed131c4d6f250ca4b0769b8a3b3a9639003960e21fd1b3b0b1c2

Download Submit
memory/444-277-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/444-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/832-88-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/832-89-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/832-43-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/832-195-0x0000000140000000-0x000000014015B000-memory.dmp

Filesize
1.4MB

Download
memory/932-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/932-117-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/932-123-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/932-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1072-647-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1072-265-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1264-337-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/1264-767-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/1280-100-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1280-94-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1280-112-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/1600-241-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1600-623-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1672-158-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1672-276-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1672-166-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/1740-335-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1740-214-0x0000000140000000-0x0000000140146000-memory.dmp

Filesize
1.3MB

Download
memory/1932-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1932-648-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2316-766-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2316-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2320-311-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/2320-184-0x0000000140000000-0x000000014015C000-memory.dmp

Filesize
1.4MB

Download
memory/2324-626-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2324-217-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2324-348-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2452-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2452-229-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2664-178-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2664-291-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2984-142-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2984-155-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2984-143-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/2984-152-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2984-149-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3336-196-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/3336-315-0x0000000000400000-0x0000000000548000-memory.dmp

Filesize
1.3MB

Download
memory/3364-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3364-253-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3364-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3364-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3408-312-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3408-649-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3708-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3708-768-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4240-646-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/4240-254-0x0000000140000000-0x00000001401B3000-memory.dmp

Filesize
1.7MB

Download
memory/5112-157-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5112-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5112-459-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5112-8-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/5112-1-0x0000000002210000-0x0000000002277000-memory.dmp

Filesize
412KB

Download
memory/5116-126-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5116-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5116-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5116-113-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5116-104-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download