d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2024, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
Size

1.5MB
MD5

7ab00d11cb863510389e701485231d54
SHA1

1cf5fe458a60b10b198a28809d1e2e3cda2d1464
SHA256

d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6
SHA512

127e1353a73728c3d9f8bb9955b1118452a37fbfa638bf8fbfe739151ad5ee1928609e09ad804e53ff62e4ae3fd2f14e389960f14ef79f61e3813cee6752b2ee
SSDEEP

12288:E23Jh2IPCcnWZ9bv8XMFSkLDAptNyvUgXZ32dT4ePc7N29Cxs5+j2QNbxf53nHVd:E2LnQvkd7NyBo4kx929bL3Hnx

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe

Executes dropped EXE 22 IoCs

pid	Process
3328	alg.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
2564	elevation_service.exe
4772	elevation_service.exe
1112	maintenanceservice.exe
4624	OSE.EXE
1080	fxssvc.exe
1192	msdtc.exe
3300	PerceptionSimulationService.exe
3604	perfhost.exe
4408	locator.exe
2284	SensorDataService.exe
3952	snmptrap.exe
3716	spectrum.exe
3944	ssh-agent.exe
3912	TieringEngineService.exe
1908	AgentService.exe
5072	vds.exe
4976	vssvc.exe
3140	wbengine.exe
4916	WmiApSrv.exe
1804	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\eee90e78e703f493.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	elevation_service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000081582fd79fb9da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0b950d79fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd2d66d79fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea6e04d79fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000cf72cd79fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000880de3d69fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b10b02d79fb9da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006a8117d79fb9da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001cf0a8d79fb9da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
5096	DiagnosticsHub.StandardCollector.Service.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
5096	DiagnosticsHub.StandardCollector.Service.exe
2564	elevation_service.exe
2564	elevation_service.exe
2564	elevation_service.exe
2564	elevation_service.exe
2564	elevation_service.exe
2564	elevation_service.exe
2564	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1176	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
Token: SeDebugPrivilege	5096	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2564	elevation_service.exe
Token: SeAuditPrivilege	1080	fxssvc.exe
Token: SeRestorePrivilege	3912	TieringEngineService.exe
Token: SeManageVolumePrivilege	3912	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1908	AgentService.exe
Token: SeBackupPrivilege	4976	vssvc.exe
Token: SeRestorePrivilege	4976	vssvc.exe
Token: SeAuditPrivilege	4976	vssvc.exe
Token: SeBackupPrivilege	3140	wbengine.exe
Token: SeRestorePrivilege	3140	wbengine.exe
Token: SeSecurityPrivilege	3140	wbengine.exe
Token: 33	1804	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1804	SearchIndexer.exe
Token: SeDebugPrivilege	2564	elevation_service.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 1696	1176	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe	85
PID 1176 wrote to memory of 1696	1176	d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe	85
PID 1804 wrote to memory of 3576	1804	SearchIndexer.exe	122
PID 1804 wrote to memory of 3576	1804	SearchIndexer.exe	122
PID 1804 wrote to memory of 2720	1804	SearchIndexer.exe	123
PID 1804 wrote to memory of 2720	1804	SearchIndexer.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
"C:\Users\Admin\AppData\Local\Temp\d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Users\Admin\AppData\Local\Temp\d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe
  "C:\Users\Admin\AppData\Local\Temp\d9271dc744e8a04bb8551c04b4b554d474b14ac2d8f2ea37e6df80193f3c96f6.exe" uninstall
  2⤵
  PID:1696

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3328

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5096

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4772

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3672

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1080

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1192

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3604

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2284

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3716

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2032

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3912

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3576
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2766d26ff5d3a1e47ef0b65b05da67b0

SHA1
62dc081974566ef29cffdef5f618b6254b7ec865

SHA256
b4dd105163a7f4565e9f87ee5cc77e9f90500e9cf0fb473fc64ccff0e38c13b9

SHA512
74d8796c247b01bc9cf7759050a798931dfcab1222f6764ee988d07452678c9d7580fbe935907e65f75cf6230dfff3102166968af05d255df711ee2702b44529

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
29d80c91ecf1f8953e7d1dbf723f22d8

SHA1
c34d3a394492a86be20c7f2d36786ddf124a90c8

SHA256
68b016938884f80debdfdcc80958f9477a6193b21ec419177d75bed07514d451

SHA512
10605ebf36e4156ccd8938c51853ca9550429af3ccb12ffccd1078d11804c9b8933c06127b59b023b8337e5e6309355f9923d217887b6045e374b441bb17bd82

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
617d6262ecb40610ad88251e2b25400e

SHA1
2079eb14cc4b4d3a92648f11e75bf30f52c071a8

SHA256
74103d844f06b9f180d6727c22671f5854f95c5b7a98c53c2d32e4d05e84aa3b

SHA512
2dd64f518cd05d56d83bbd0dda1d92d6f8f8c323e8720811316665ebf4b761eca3a01398289169fb9384c3f866804f7525faa180a76cbad278fab6f52e87952a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7cbe299091e2aa543cd500606feed1f0

SHA1
c33ea9917ddab01e6f9899c1b8a24b1c5c92baaf

SHA256
533f21aa2dc21b41a75c2352160081d89f93bbb3b92385ac35b41a8608849ec9

SHA512
d36d384a1e29af180667dfd263291d6bc8d75e54d23cc6cade78f01f0982195b5fb5bfaf8f314758372f022ed2f5686ea8365d6da094db5e914213325a636df1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
54cd7764725d0cd34006d4498dba9bfb

SHA1
5aca49983b171c1604e6fb3e9aeddea4c7688c3a

SHA256
c6d10884c539596e3fd9d6d8201f5300fc3aca9cf242b5c4f3e77afcad52e57d

SHA512
3f69c2913599156413122fc7dd078cc660211c6f29837e1a45882b325f5a86efd3ce255e504cd02bee5d189d181d8cff29e8eb65f63caef745e9ba6ba30d45b1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7aab97916ed8b2ac22305586ce0fe2bc

SHA1
9e841dd3a4013e6d22548a39e256b84789f39697

SHA256
9f9054e7f9761859d3e2b8bb3699b283b59d3cd57488c48f5db166c0b0381c9f

SHA512
f0ba59502b1a307bd2bf017060bff72f7cc1c73d9f061d796b8e425ddb6202dbffe5abdec0ff7481dbc32fdd016ec4f4bd10657b645a2f31b8de86503412dd4f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
90c8a59db076475bfbd58e28b6601f0d

SHA1
4181ea56a2ec6e15b915d179e9e6f988fd6aa17e

SHA256
febbe831bcabbaaa00378c3cea09cf6edc241a920ef3faee26bf84dee457bafe

SHA512
a4b550249e97dec166e01b270157a17f942a01873347710a7dd312c6b2d898bfbd1978759fce7edece083bf9b7a0d4806d2bf6afdc789057515bcf8a477782f9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
9d7be1888ef55e911c98ec0362fef141

SHA1
90bd2ee9cf8eb399bd3104096b52878a97aeb78a

SHA256
654c810094e341f0e00a14eceb184640f587baeda93fcde83bc629a60fda5f25

SHA512
3776c35134c32f50e6bebf73af3e331fad2d350d6acb77025f672c79b5eadf7f5ea4963a12b96b2c1b94a01e31808cba18e0bbb8a19b09d9ecbe2abf21e6aca4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
3f8dbbbcf42c22b95ad3a5666dda53fd

SHA1
3b24c625f597f1ad8412ccb9f1aeee10b4241bd7

SHA256
233b330292565ad35c74d7f9932c9459390fc59a059fee5d6f9b94e7a76c1f22

SHA512
30aab3a92ab550b7dd5ac636ddd9f6cdc7d0f1847ac0b0c7927b188a54da484c768b6231e3975a9ba3e2a72173064c0741e4d39c058b3a62ae8d8106d444cf8c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b1f32d54b9c50e5b912ad5033d8903fd

SHA1
0d656ae3e73386f00787a159b449c5bdacaa9559

SHA256
aadc3c8fd625df22931cf35cc1e8d7bdb079173143b4f845e931b367c11963d8

SHA512
a72d28825ba6a6e9561fbd59d7043fac0aadac24215d3f9c881fff809ba67af702d25dca1067b6ba0f6c7442c3f8e2f41ce57fc1c28c7e278c9a277652724c57

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
79a8925ff54ed7c645405a9d3f061d7f

SHA1
19703fd320829718b2332ac551084c4749c751a4

SHA256
000e6d2d671fba9f9ee381d3ecf28702f1c4a66b7bf45293efc4ace43fe0c061

SHA512
31d7aed19ae9d6f44d2f114a57c82e64a884cb6b3edfc2dad08d733689d4792cb4b3e227165544b7c498c13496d52bda7d4a94bc245a96c8b2b172d18c7cc897

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
845610aede3dea042dc0226bd43f1e52

SHA1
ef02abd95a9156907773424b60be899848f777f7

SHA256
b253bdc8d688551bc816d654657a98adebdc8a6b6d0b5e1790e35f5db3b2d747

SHA512
310730ef18159334d6c45c50f897a8b3b49c6d5cd817581acf2d5c2bf68cdb04d0e7771f34e003aecb7b47de6f280427eea1e69011a1d840a4e85584072bf564

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
db76295273fbf8589d4759b4e3f33a9d

SHA1
11fe753eed5e05715172f5a51a6c49bfd0d40dd2

SHA256
19feeb33bb82f16e07d7cbe7731fbbf7f2c178efd515764608845b28b3965192

SHA512
c964ae716e89a17443a8ad4253c27bfe895faa2e5780e061d9f27616240f9476ffcbcad4937ae58d9f2063aa8bf77bf7d60ff07a08419aa1eb2fca033dece92a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
4014ee4dcabb5246d6ad4a398e655571

SHA1
a6328ec76999d5520c79313c61ce993ac67478e4

SHA256
7d73ecf490daff64b4eafbb29696430c1aaa8d8fc1c6b2af6581bf9ad1e103ce

SHA512
4725e2d9bef85137a68eb69f2067159ce726f48378f053989a8899ef8faddc71945d8b36eed8c3beefeda9c14b101508d4a810d83e4b9a77a85247cd55194784

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1e4e43c79b2551e36a4921b835378c52

SHA1
f11b43ab0cb730a23ce6c9ba86b37ddc85dbd431

SHA256
589c42e48326715302dd60a0b07742a53c352158bcf834f8511850d2918e7a4b

SHA512
aa77845a5e21172510b71000a2eeaff6b6dea6ca87c1060e41ec041c62bb4c17c72606107b6d04834cb6dbdc5c544ade790bdee15959dca7d08ff26c77217815

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
c3196bca97435d34377767ddc235a784

SHA1
1e1c9f3e2266953a8b4f57335aac12784320c561

SHA256
2583b89ef46ccce458701edb12c4b6ab7127f0dda5d478fd0a2f0c698a727dbb

SHA512
b96929ed9ee5d8fa65d55fd3952b93e0bbc503415e9fc6a953d6b8650b037c6f69f2906613ba534e9be3b8237d72912d49120e1af8afd90615cb46f71294cbb5

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c738ec3ca92946f8e582c97f46e4b721

SHA1
99d8ed51b45a9bb94386d0920f7ed598511c6cdd

SHA256
bab2c928ddff6f9a82364ff8e7776a1c3b72ae18f34d0e536ebe978a29a07a61

SHA512
d980b407c2977beb5b2cd2fff727653874c46ec637bb6a8ad5568a462139350559a6e8798021bb365d1dcf945035efad74a21ee440d37b9f1d58d9297ed47610

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
bf55a2eeeb66ecc7c1dad412050cd7a6

SHA1
7eb97dcb5affd76fd73f4daf2105cc3fddff927c

SHA256
32ae5b9cce9714c39783d500e7ce165a10571f3c0189994b597da564b69d1bf5

SHA512
6cd096216a38746b448040c8a10b7945fe755e350d206027cecfd789a1de2d480e84460d9af05eb1ebcd034ab2d7f847b3819c05ca9760f35990acdd24424f86

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
2e0e945459a9eb579074bb88f530ce79

SHA1
6e9c8f4c19aac148defac90f8503903b6426f49a

SHA256
6ad5ff3de41289b69aeaee5017d719460fa7901a1a6bf812407681648a080b41

SHA512
75dd1c396540fe6cce30ee38b6879f661d6318de106172cee33ed6376d1847a3a537111f7d612d6b8673448f23b6850a6a914ae04d53f490d329b790b213668a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
d8249793eb53fa7a28dd23ac7042004f

SHA1
81f6b1ee977e7dc4e94d4f865de6e969d4dc1d2d

SHA256
22c1d535348261f65343c8be7a5360da26d90586edb92c6c72172b173f433cb2

SHA512
fbb6b5528c2980d137b65177c1eaf93e006f55695da5f70498111ef57e451eef9683fceb93f14e697e6684045511a73d88e0bc753188ef43e6d10470a5972348

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
8affee5dd84d59256f70bf7c19d75cc5

SHA1
2f891a95850fe01073297a2fd348b783bab2bb66

SHA256
bf9fd7148638b6f72361f4789910e099fcc0645f47346d411b35e60a929d14db

SHA512
8d47da115054ed03ab0aed2f8d31be9bfc5320c1c1d71f80de4986e88ae9123756e810498984ff2a1749fc384d5fa0a794244f1ba9f2e48daf872cadd91c4a1e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
2954c291a762de6e3751c16533622428

SHA1
e46f185d0c7ede1ce44a4a8efa7128a59e4a43a4

SHA256
b355249019273f03a2be488c6361a9c6f442f04436b130e8d29c446e6df4a9ad

SHA512
8076e083054ff4ad7cc4fcedc79ce825758bd520f9ef125cf5af1c55723a2ab8385299a273afd45e71a1eaa3815b95932b2df8221dd160b889b1e564a367d8a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
5440b6e81d127c2de82f7aec80bb9d57

SHA1
88740f67bca6aa4ec33d2fc158da80cac39663c6

SHA256
f5caad6c651e87b63a02b9d510f5448d07ccd5c248d3757b59bb2efbf5b27f82

SHA512
356b5d3d41c55143163f866c385e78d7af2e859cb039c9b6dc3cda3eea33fd124e2b2ca09806d8366c4c39e3e8a4e32eff630f0922a853c98f130a0c006c181f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7dae110b033e15ee8cc741f3df8782d1

SHA1
36e646ed760b5f9b1e6ec70cd9d8474a7a9a27b7

SHA256
c61928185e94c1569efe4d97503b32887a07abdf7632baebcfbe8c8cd674c34d

SHA512
718d86b470915defe3ee4a2087520b7fd8f512fca38e1be0e2f27c1e06dbff48d2dc639a72b59e82b3a8ebbbe4e0dd5b75563d531c15248ccdb588221024e87f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
47dba0ba3ebe2f930553f56d121f55f2

SHA1
2791bea144a9a6e321c41eeba4267fa6512eca56

SHA256
f0ed0b05b28a6d575f5460e5ca1c8f41a3a205ab2138795831e7994e75630921

SHA512
417ebc2114c3badb59beb2a5dd091543fc75b5779d8900884fcb901348844dab118d9caec8b064ed8abc23daf663828f0b2308b5797dcecf5fde9c22945be1aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
889651cb9e8fdf928f5193f3d18c070c

SHA1
1f891582f63f053c5d396a1ce15f51acff3bf5ac

SHA256
d828384528a88f50aa64ae529c01231524a3b67ac23c14a710ccf7ff19165c46

SHA512
1f68c7e7a1886f4eee732984c882d7bad3bad9eab9be9c7f19320db974223dcd4fc0ad0f3c02ac3a9b53796ada6a832d3efbbdbd5905116e0047887c5a14b138

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
251ac362aa4d5ecfc1d0ca3f19d7b91f

SHA1
384594a343de1a3bd251c57dd97e56140a399914

SHA256
2986e75955fe21a9734a535bd2a8cb262d41ccd51949e2879f3650c01e96f861

SHA512
9b78b40b6f9b3e09a11fd8cc6a363b496dd715f566acdfdbc27fa1f5b7fea25e1f5da4be401d7c54c74c148b94367ba46acdfcbceab28816b89df743cac07eda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
7439679211e5966680879d504cb40448

SHA1
eb3ae4c0e791323a3bbccea66e44a3c1c98f1a43

SHA256
e14bb4412fadc0340735075b930cca9a66386ff6e82330ff289f45f50abdad1f

SHA512
dd9c9ab673965ac7dd37f04596a9e9336b5d888e0fe896d968095b96031a98b6be3d9b67a782df0a01fd671863fd3f51fcbde2d003ab134c47e3af3dc43a9cd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
62efeead8a34496724690c81effac68c

SHA1
55fa7e8ebe5238f9cd5c8eebfdcf76dff9121844

SHA256
aecf648347b07a0b47c98940969dd1052dc7c56b61f898603604303063372372

SHA512
c60500152589e7744c7f5819340cc4eba3dcdbfad4c1da4b9665daf63364ca87ec557b20e40387ab0d386cb0e38b0ad57612340303c7a935b9666bbf5e1f6e77

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d680ff8ade5ce8c5b162dabe567c1991

SHA1
c0d6e07be53c7a3758a453691278ce99f7ecc8b3

SHA256
c6a63b710b21d742a834122f5955f5a1453b77575f2f3a4fd3bfa1d119e2b729

SHA512
6edcaa6f2772759e68fcf5e7efff999238bcc9b0e609c4c380abdf3f043fe005fd69caaff7c93c632e2fa19fb183a9a01db418477a3da8eec467bf30fe4e61ad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
c4cd4d5210617d60bb461232bdc23d30

SHA1
08153964c399d93dff0b5ff34fc02dd432e96cea

SHA256
524d7984be8165764f1b453efe6a411601414f73f9110100bed9ded7bb1802cd

SHA512
486868deb9c0a78bc64190bf924f143a840edd118b01a073b11c2e11202da01af7af34c8c3e1926c60f7d4af83ca240225a632e8befa359efd89425674298d12

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
6ba0745c52fd37fb28281ae43f7c840d

SHA1
aaf3a1b655889d1f550cb825cad32bcaa8d7539c

SHA256
d1b2ab895083b2c3d007ae66c13636898fc0c847664f18a5bf73f1339c00fccf

SHA512
c7f8a45e4b2a3766e995eb253ca77905262c481002b4f72a265eb9045dabf0336a7356cc22c64f3a435c942283b6ecbd57d938bfde38c504fc7365f0a6ac91a2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
aecc66442b16638471df7ce11ba05a50

SHA1
143f13af378a103e6b24ff68e644c416fbcb295b

SHA256
ba4e71cc9368947a632e5095051b9ecc7df5b4f9686bfb1e7479d4950cffc855

SHA512
6f794192933bde23f0ff4c07a92067a638459fbfe44cfcf787ee8ac521451fbb81c73be91d9f84f6ffec38c2e382ebc5e33ab2bda9eb41790eacb6baea36a8a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
48bc56c41d93cf2a6613b503fac6ff18

SHA1
a993cc57ba61e725ee7ec66e8686e9939be17f29

SHA256
42f7bb91352816226b15c7ef1aab864f4b75215b8c210fff74df7d652b566040

SHA512
1fec9b00c28ca09baa1165b11b16597ecd0d5ffd94e5c7223f61240408dfc2037c91bb945eea077d1c86cee745941e5ed25901fd93f82d0a8b5f796cb7d56748

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
dc24d5cfc1098fcac1fa1f51e866ced1

SHA1
ee8d211993e536fe372485a881e32dbdb89ecba7

SHA256
bb4a3632953ab2850f39503d23444d1ac73c405f066bea8bfc24da35ac5da22c

SHA512
dff40ad4e48ec03211aa247e9d2060721befdfa0c141149acf397da6e80c60ba9931ba86adc075451c91dacc6299c257e01a980221d9a75c574554fb45c6ec1b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
048c0edd65f51c35a796874d685f8e41

SHA1
be52ffa7e17b3fed959a82ef6c5c09969d21973d

SHA256
1bad2c90579dc0b6c1e8024012989986efb01dec3b44d4bbcccaa57fe379a6c9

SHA512
9c52e361f8962d5c07513ea76ad6fce7302eb01494610feb52c588418255f49d29353bd828b87b30545507fe1c4462299c8a9549a0d13e9288e157a1d94cc9ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
6ba45cda66f009ca3982c8253ced8779

SHA1
97a8d8e68726555a9c34457ea62669184371a7e2

SHA256
79fda35f01283ca72e1d8759cfbbfec1d7aafee51e7cebf2dff169b26e4ffda0

SHA512
69df7c126a19bf4ca3cab8c48b45f633b1a794a1b424e01797fdd578ba23c5cf660983ae3b45a4fc821238004404a6325f18dc99f314e547dde2422e81331020

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
3c7be2f156cadada1d4d64b9a5836ac9

SHA1
8e15b942986cef7901e7eef18d6fc51af8eca65f

SHA256
89f84a8c2a90279890b028c9b5bdbbb59c6ed5996a65deb551dc099ffa2fa83c

SHA512
5480c25e58fb01b946961635c6a3d029503a98262e74e317081a459dcb4e0a3f4efaa8472e92079536d531998d9a3d78684fa2a9ac544b9981f7134fc6720f26

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
faa06c3edc2632ff2aa2e9d3a95f9b8c

SHA1
6d0fa3e646c7311678eec28322f0b85489c0e651

SHA256
e85c1f44f330953434931b941135cb4e2bedb0b2b0159f6d743ef194ade313e7

SHA512
83298e471e51ae327d0bcd1655e207649a77a64e62304731fa89beeedd6ff67b9b4d114b2af569bcfc6a96db28096f6e33961d058685707a26878924d00f1b0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
be50812c8b57c88005207f3f79a0b0a7

SHA1
d2813e00a1a8449108013678fb99f5e65470cc79

SHA256
e4d74d8dfdfa3752878ae202d84cb5773029a3f02a57ee1f11b4d9b3afaa0c58

SHA512
4b2ce23ade5d0f7dd73730034eef58c912419109a3dd67feb473a688f17fda5c4420c2f33c7b71a0f540ae37c6fad458b02400dd1693c1049052b942d098307f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
e6e4b45e290f9deaa4115a18a2d4381d

SHA1
26478a9cfb9421e3a50a4704546a11270ce84900

SHA256
c979741cd4f6d2378759f37d65a31154b388d438f0e50a6543145a3eb952aae1

SHA512
606fe0001eb313dfef5da027ca8d963f4cd3321b161ca13b922cf634484e1114227c588b6a36f3dfa1a11d12732d12368a3bb6e4091e8faffc80de3581e089c2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
5b717269fccafe3732fe7cf07e594fa7

SHA1
91c9a90ecfd7fe59cb0c4933049bbd441bc2651c

SHA256
bf6ef97c127eb938cc30eb36c7325557685d1c8324b49795a6ac0fab7c668b55

SHA512
a52a2b45057e680f9054dd9f25e2e14ad8d522e7a5f94b282c67509c1c18330638bfce7de0752c217af359cb9f6db99e0dd61481128e904e07e2670adf523bf1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
78147107da31d74c561452b150ffd11e

SHA1
7a335105db7673767fd397842a761355ba3e2e8c

SHA256
da8485da30faeb1eed185e31dcc5726941dd86516e7ca194b70974edaf66d89a

SHA512
5122bccfc4669c8f209b13117820c668bc4fdfc1ac355aba9d2e727ea739649ae2d3b6fa35423e7e7d6f52385f34cead5f13fab0139960cc36122eb7c6df9360

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c2337a614dea8247ddd98164af20bcc3

SHA1
566bfa47456c110965dec2331a9a1a7330f5ce05

SHA256
b5224dfd00e68652c7be57e3bb3d16f23bd4c408fe65658120dbace5c539f40d

SHA512
99db1f88c999fa83a621ebfbcb66293ba87782688ccd7f871baa0fc236f19af0f30de95cee11254503c6328ea3a73ca7a4b4410226c429dd771a5f8a70d87c38

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
572ea239decac47b2de81ad31147935f

SHA1
eb1b0e684ab8879cfa05546aebeee7299ff1e5a8

SHA256
9f96839be630ff59ce40e6dfb98715eaea5e25a4870076918ab362f69e481c83

SHA512
3a674e3a7209ec1e5bf95db7811a1ce5869a6a293e15df21a12bdd6769d2e9156b98b09b9db7499b3a75b0c62fe2fe540f3572dac42fbfcad444b9a5e88cd53c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7f53b53f9a7ffe0d8eae7b581831e75f

SHA1
c738da14ddf819a2b857c9244cc6eac33d34aa74

SHA256
521dfd77efee02413e9da5d247802a47bbfa2cf4c2e2f5c60770e939a16b708e

SHA512
166c3eb628980c9c0ea21376b41cdb6e37f16046c594c9366b2cecc5d3cfe9e4128e3ee2f628323b3307493d18fc15f7a83610b5a8a576dcd39099b54a867711

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
dbbb006199370ed713684fb024edf2f2

SHA1
80b7a304bfc1aefcc9d9d0b24d998b08b10b2016

SHA256
59146f8d841d930ab4fa692fc56e794f0d8fa1775b31f8e00d0293e39e157263

SHA512
b94ba63126c133032d6eb13c2cd7e616a7959fc614f632f1d987ef0eb72b4d13205c2c01d56c25cd8db5ef7c6f67dbef666e5020dbed0eeed5277beaaad33ea2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b436c4ef8e9714813d979f5d1740efcd

SHA1
b1f6f292f986ba4da05d42a9f30a5283eaf0bb4f

SHA256
1df39a26b1f949438884611d60b59cee0a68763f4d21e139575dc15410821ddb

SHA512
5a42c70943fc6caadb2e7d285a3ef35b979535538bf7ff62dc7f85377278912200e8ae1ef34a5d922ea61e54181fee988ff7137740d5d08054d06dfc62084d2d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2dca35e8e69e9d784b4674d8e71f7b81

SHA1
a56b147b28bab4538509c84e3291357bae40e915

SHA256
735861398898c0182a55fbcaa2b0d87f3c5fe0915a778f5d1412ec9ffef0b4a4

SHA512
319cd090e94d0ed98892b3112b13436c12a45a2a0b038aee28cfb83332bbc0ae57cc5df7cf57cfede6279d9ddaf8ee66b08ec65c7fb9c89e18b4fc232f5a6394

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
56e7f8005f03930f5a70ae68af43d1dd

SHA1
a6334fca736fd11a6685423dcc01423aa691fdb3

SHA256
303c844915966c89a821434e04085e48338c152d204622befcf60cf4c8e51cb5

SHA512
6abdc69814166a5d8fbe4b3647d4be0915226a2053f2777a033c47c9917cbd3e8fe6fb9fec91ec1f40882267de7d46ca3286dce2d6f841c698207f483f82b7f1

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b2574d219e3c29ad6a19f701f48d0963

SHA1
5c3d8ea8fa4989e7a1c441a02ee69d53b28e8212

SHA256
c07798094972aea89d1527d10d6b67232a8f539b97e64c4b4e3cc8929f452b8a

SHA512
78ecd766916e935481ec5cf805dc0c4bddcef1e872043369d33590917afc66880844597f04d0b4a0b583b52529878895c58efc599f608d8952d61d7a862ccb4e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
fa63b51b8dc03f93f4373fe5586a6ffb

SHA1
640d4ab5290a9b80e22c9ca677af9a32d132484a

SHA256
98dab4c4beaf388591b2406d15f36e62ecf9aacf874bf02e2413182088a0daf1

SHA512
a4d3c1221e3b5a70bcfcf8d72838fd605f7a5049c4eb5c02ea5c9d1d54b9868cfb8ed91917816b265e2c44c9459094f288931b6757a976bf7adf750a8b107b88

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
23e76853b382432ee164262eeba67869

SHA1
a6768110fb461db776d0b4745ae3b61e5e432f8f

SHA256
14e111f2358a01e723872c301233613efb4ae01940384d806e6cf2ff22d08077

SHA512
bf76996c59ef7397ab72a66e4ab7422544b2c174ab0326680d9d5597ea5fccc2024979c16a3f658b0de106c2ead2f5ea279eddb69483ef693cc29371d5203983

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
3f9e5b02c11b3a588a4baf46bb56cd20

SHA1
3462b54f5c42a111c596bb3a7dcdedf15f65ec09

SHA256
3de0c7d812b89dadcb233432868297fe39d90d471aee7719da5364a7d52886bf

SHA512
f8fc390e88b6e0f0e5e4d092f558a8b03811f3e8f6e995cc5df7d49e5784a5579fe33faaf4a68c2cdeb94e0c1186262e0a9827345fbad5a3a5f48ef9b3d23d6d

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
308aaf74e3970de19b295c416bfe2b9e

SHA1
8003d6464b552da5f45ac5b09c23eeb0784c8610

SHA256
c62a597feaf03d5aec2cd3f5057c5853ffda9ac0b8ac7e236fe344e5c4f5796c

SHA512
300dbdb8dcbdb2eecc63ab6312a2d9919b7334ea087078b062becc61c496a0898a5b54ee705315634a705719bfcc646f2cc3d3fe0646ae2f76e6fee4facab12e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8de2c3c3684671f3d76c46229aa9c382

SHA1
b1b1aaedc93f392ce13514a4511ba9e94d385c41

SHA256
15ac5d607c50ac014de4f326a6af5eecb8ed29aa96f722cb2515422e36d087a3

SHA512
87969556cd5fc0215f6a30a9395cab830c8e9e8cc2848a8feb9f54d87b824fae46c41b28c2c0d6b69f8f756710c0ede27cb8fabe7beadcd7c883cb850eb3a985

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d05afd8e2bfb6ee7066d1076011374bf

SHA1
89db4e96a929fdd1b21c7e93a37175b81c597819

SHA256
14589fca852c52878f0843a2c6fb8ad550db693dfecf2449e7d17b3b57fbe4c6

SHA512
e3837832db64001e5e7838781541fe2665fdf2e362689fc1cfaea01a1524fa73aeb226ac70ed251781d83cf2c7890b26784b6fc4fecf373871c4e1fa8cc9cfd3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
bb394626bac7437c197a9d6fdc470662

SHA1
1977cdc31c62e171ebcfb717563057b68d335825

SHA256
67335dd0626ec7e6c34fe0b5292884b05306280c79a923eda042e6200e29e16a

SHA512
9145bfe6470220ed5271816039e325be579602d95ae7ad65a59638d4059900157b933de310ba2c2ee311841a4b8e940fcf8f8240b4fad7c397a1b1f740aa9a8e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
868ccd014324d41811a97170c14583d2

SHA1
d8a9553f50eb02dd8268c5e1352837fc869c38be

SHA256
a4d98f27a1f56f219feca88af88364fd486e807e29c77064c6a968c3f1328610

SHA512
6245801580eed126a2ab417a93e124dcfd9283042087eb1342fb96fe1410b247d8586536716a7835ca09a4e07f2ff5f1942140dd6d307c1cd4fdb1cedf93d727

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7d70a5a4b791220148c991217af358c1

SHA1
6ed188fc1066951fa340f2ff71ce5496e9db83bb

SHA256
73b3425307c817950006486ed7e73cf93a3badf07a8fb49ff2ca1833dfebdd72

SHA512
f4b93821f8adec4faee32e4f9120d190f4525ce997b16ac834d62ed2e38cf7842977c446ebed335a73798a0a2a18478926493e080bce13080c7ac47e85399711

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7092a4e327748cf529a733d4438f785b

SHA1
c343fe975e787fae6c8b3ce0a41aa751f6935ea1

SHA256
b52f0e9bb103967b878c095ad9058ea9b6467f09028d1f9e97791ec8744ec3d3

SHA512
f0f3e7d17011a4db1a20ce0bb71a61a524ffe4d4aa2c5ca30aca9dbdb75d21b204a06e119f6863457c5bc49116bc425386b41446d189e89c1c89666f24308eec

Download Submit
memory/1080-263-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1080-260-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1112-78-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1112-67-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1112-80-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/1112-73-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/1112-75-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/1176-1-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1176-15-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1176-18-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1176-0-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1176-7-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/1192-265-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1192-333-0x0000000140000000-0x0000000140157000-memory.dmp

Filesize
1.3MB

Download
memory/1696-31-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1696-17-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1696-39-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1696-41-0x0000000140000000-0x0000000140193000-memory.dmp

Filesize
1.6MB

Download
memory/1696-37-0x0000000001F70000-0x0000000001FD0000-memory.dmp

Filesize
384KB

Download
memory/1804-351-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1804-487-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1908-329-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1908-331-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2284-297-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2284-350-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2284-427-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2564-45-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2564-253-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2564-52-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2564-46-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3140-485-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3140-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3300-269-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3300-337-0x0000000140000000-0x0000000140149000-memory.dmp

Filesize
1.3MB

Download
memory/3328-12-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3328-249-0x0000000140000000-0x0000000140148000-memory.dmp

Filesize
1.3MB

Download
memory/3604-283-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/3604-341-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/3716-303-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3716-460-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3912-326-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3912-480-0x0000000140000000-0x0000000140180000-memory.dmp

Filesize
1.5MB

Download
memory/3944-477-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3944-315-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/3952-300-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/3952-426-0x0000000140000000-0x0000000140134000-memory.dmp

Filesize
1.2MB

Download
memory/4408-293-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/4408-345-0x0000000140000000-0x0000000140133000-memory.dmp

Filesize
1.2MB

Download
memory/4624-90-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/4624-255-0x0000000140000000-0x000000014016D000-memory.dmp

Filesize
1.4MB

Download
memory/4624-82-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4624-88-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4772-56-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4772-64-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4772-254-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4772-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4916-346-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4916-486-0x0000000140000000-0x0000000140164000-memory.dmp

Filesize
1.4MB

Download
memory/4976-484-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4976-338-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5072-483-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5072-334-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5096-21-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/5096-250-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5096-20-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5096-29-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download