c3db53ca415d590d394113f66d2d2ed1790abbe647803a5461ba41801e39da7d

Analysis

max time kernel
118s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cfc6c989a7d4f077c068a7b11c342ec0N.exe
Size

625KB
MD5

cfc6c989a7d4f077c068a7b11c342ec0
SHA1

059e839b94fb728bc83fa4c7c87b77603ef1a10a
SHA256

c3db53ca415d590d394113f66d2d2ed1790abbe647803a5461ba41801e39da7d
SHA512

e3bc9bbfb6841eb8cea98900c7347bd9f6101d2121a70aaf83c26ffbfff620f65ebf7d1b9a1ce7b2bb6b8b40d0b7b0bb1db10404ab760f807b094796548873e6
SSDEEP

12288:t2xFtMa8MLBn/M5BiIymQEZ/faim4WbvFqsG+nM3dOrr+:ETZHd/MHiIrQE3aQl9+Mcrr

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1540	alg.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3040	fxssvc.exe
3448	elevation_service.exe
2348	elevation_service.exe
1384	maintenanceservice.exe
1344	msdtc.exe
2576	OSE.EXE
812	PerceptionSimulationService.exe
5108	perfhost.exe
4140	locator.exe
4792	SensorDataService.exe
4008	snmptrap.exe
896	spectrum.exe
3636	ssh-agent.exe
2656	TieringEngineService.exe
3800	AgentService.exe
5096	vds.exe
3364	vssvc.exe
2016	wbengine.exe
1056	WmiApSrv.exe
2960	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\System32\vds.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\812732a5325400b.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{F23469F0-29AC-49EF-9260-16E5DB697B1C}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cfc6c989a7d4f077c068a7b11c342ec0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c586a484aad6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000585f4386aad6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022ae7086aad6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001163284aad6da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000055228686aad6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000289c7984aad6da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d2874a86aad6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009b725686aad6da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006cb03286aad6da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe
3692	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2736	cfc6c989a7d4f077c068a7b11c342ec0N.exe
Token: SeAuditPrivilege	3040	fxssvc.exe
Token: SeRestorePrivilege	2656	TieringEngineService.exe
Token: SeManageVolumePrivilege	2656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3800	AgentService.exe
Token: SeBackupPrivilege	3364	vssvc.exe
Token: SeRestorePrivilege	3364	vssvc.exe
Token: SeAuditPrivilege	3364	vssvc.exe
Token: SeBackupPrivilege	2016	wbengine.exe
Token: SeRestorePrivilege	2016	wbengine.exe
Token: SeSecurityPrivilege	2016	wbengine.exe
Token: 33	2960	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2960	SearchIndexer.exe
Token: SeDebugPrivilege	1540	alg.exe
Token: SeDebugPrivilege	1540	alg.exe
Token: SeDebugPrivilege	1540	alg.exe
Token: SeDebugPrivilege	3692	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 3608	2960	SearchIndexer.exe	112
PID 2960 wrote to memory of 3608	2960	SearchIndexer.exe	112
PID 2960 wrote to memory of 3084	2960	SearchIndexer.exe	113
PID 2960 wrote to memory of 3084	2960	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cfc6c989a7d4f077c068a7b11c342ec0N.exe
"C:\Users\Admin\AppData\Local\Temp\cfc6c989a7d4f077c068a7b11c342ec0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1540

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2924

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1384

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1344

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2576

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5108

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4140

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4792

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:896

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3508

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5096

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3364

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2016

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a357d6e968eef003ee675015864c6554

SHA1
9d81935ac1e9eb036b711bbeaba1513eaea1e18f

SHA256
8963d12b74da97c2c78cb1bdf1bca8cb636fbf179a3a58e0523127ce6e1dddab

SHA512
8f3d58c9955af17f4fa2e0ab279dda93e58c00cd86bfd331b8fccbf04dfc4ece8ffbc6f8b8cba257f0817ffc6cfa13c406731dbc2621472c9044460fb7385d71

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
22abf63c77bf3036984933131eee186a

SHA1
13f4246119689345364e8b2beac8d65572fcaaf2

SHA256
37ec68a0c671cb695db32e3f1730c5b398a4a58fd33f227bace74578a524d83d

SHA512
699b7a6e3d86641842be00f06fb27ce58c35a8005084fc2c12bc804333934d950dbecece34870328ef6a74e0ee037d68f07b53a1dadbb7beec7e4d28e16d82eb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
f2f5f1747c398d1852daf22c135a250f

SHA1
e077f38e536534d63ef02ce417d87d9ce9237910

SHA256
0b18823afe1ba7f33af5516ef8f9a9bb4a42e93def1d83ac71dcdb08ab369cc6

SHA512
544dddfb9c91a96f804a90296a5c5043875c657a4576e92638015c9091da02f2521c29ad02125ea70f88f9a39b8941d260314aab5992b3a1e3aa19d1007f622f

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
08c3c73b0124d3638a4cecf79d7cf521

SHA1
78ecadcc41987d66f9df312defb0913e6aad5930

SHA256
f6a8a73fceb3574eea40a03e7818ccb15cd2e523d719e8b994e2d9fdb737b006

SHA512
104f0b878e10086d5b3f6175af10306498849be66fec11e3495bc87352fa5c0c9c7a531a91cd5d39be546b4faabaa0e07e48dbbe496762bb3dcbedf1766408a6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c30d6868948c45da3f3a93caabff1b96

SHA1
d6495584f8794eb94004dca92d61f7f397b4875f

SHA256
10dfbdc97f1c8ce32758b0f154b2e18bb9aeba987504d41bf1680fabd2b1f614

SHA512
37504638d09664d26aeca135a1c325e3cb34f2c10f6bcfe6be1e22ea211786de557dd6c08f55fa2350ca587682413c941ea0329896a6f56b0a829553dea9919f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
341cd90987a164471df6625bbde11554

SHA1
ba60af565eada5835132f494c37d2adfba2a93a3

SHA256
6a4989ed4c5142142a9ce7890fba878ab2f5f9d66a66fee013cc2d92b82ee971

SHA512
ac5dd9e6064ee31015783e1872d811899f89567659e93a78e8932328d2440d59c5fbd17f5ef74893899d37326f7758eb61bfc50dab8439adaf2deeb3b7ab2706

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
13a28be7d9ec2f8f94a04d1d70e50e5f

SHA1
64ab3f84a3b801dd3b1317479ef00bf15fce69a8

SHA256
9b9bb7b23b7e66b8b5ac47ec3d8096c6f7ac0ed189003327fc13f130f30e2eb3

SHA512
0e32c6b3ded51ead0db3d684787e840849dad1099d1de36dc11b68ca55503282395f7e562e86926a8c227678dbfa704e746dc06e58e0201986bbfca03c8ac0b1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
3d97b351af5ce06d757a51e0944b004b

SHA1
728b546e2eca58c2194053c870c2aecaf0d7837f

SHA256
86c4cd5b1994671b52e7bee4a1112876c1011494c93ae6673e3da097e601495f

SHA512
6a26f5cc7d8ea426ffd7c9021e4f21daac741c60863719235a2485de447e46fa8a400611d37b6420125e86ea94c46161812ab99006fdb44e9e135fcbf32375d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
53983202f57838553106de66122153cf

SHA1
39c1cdee8b13f9f0abb9ca80df8936058d700cb2

SHA256
5b43f30d38e8c41c296a8ef1e4ea12211fdf40639ced98500e527ce98ed2ea3c

SHA512
1a39cda7aa81f285a545c2954bd0062936d9f2b40be9be3d41914ff1a8a24feae11f6eae8863e0a72285e1565931af736a10d1d1a9afec4a3edc39c7ac64f469

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
fbc5ebf625470deb1297ffaf19cc08df

SHA1
1310a15668580236fb26b77cdda35248745a10fc

SHA256
739cc0548a440c175350e5434117bece1e622feb8702a7158693b04041bbb6ef

SHA512
e728a5aaf24837700d908c697696b3ee63f6ca7546223994f63eb8f127ba1af3e1e7c063f1b9faaf2764abcd0c1b7d701e881f0ebcfef809eed1297dfec5f39e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
859f548f6501307f09ac6c875736b6d2

SHA1
5c1ebf8b339ddd645d86332b97a84bdc5425c8ef

SHA256
a50d15eed9948501a6b4c3ab8b6a14d03f8529039d2c7318bf2474604f01dc4b

SHA512
7a9ca3334c9b6483b65fc70327d99dc4984e80d2be5d21cecc05394bf67f20020e92a02125d6efc930018058f9337e3b2060310a2830ff50a9fb1c157ee188ab

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ac1d8a35752add84d88f781b8825cc3d

SHA1
ecc384d74f3c11454a9dab81776363dc62d98b02

SHA256
017bdb7f74a5eff31ef850474a3c13161299a60b5a154b26f35b4dee80a7cf56

SHA512
735ad9a43a0f7aa783d619696c819172dca64407ea15278540c116e86e03b23666761b290a92523ccd40994851c9e5e2cf43487f924caf666dae5f6821db2dda

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
e895c3c8e6e086d385671faf9ab1d899

SHA1
fe1b7acdc155a89a39720f5f908687962a6dd8fb

SHA256
ba4ad7439e89f84641ce7c599b8c2b9fb45e6a19992720a12d7137592a9c428d

SHA512
fead05d5fd962f966c4f592a081481fcd8ffcfd09c1d34434f0acf61f554f930ffce364b67dadc243a5adebd616c74007b66cb492fd5abcf2eac1b775e3fe030

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
60e365507e80a9ad7c1078fe4ee7f9a0

SHA1
df3471227398a9c2865fa8f8f76e3bcf186adfae

SHA256
5e00df8da3e4a85ef3987fd4e74814ba316ee8a4e17f3f9dffd3c18e99c31ce8

SHA512
2d14de402e19a7cecdc8882408bf1c5bdf6afbb7a52fb0cb43d4406913902bafb9b6f5877fc492f4d98f92f31930e7b97e296f3500ed85c10f67a37debb64ed5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
9f4e8731ef3d067db29f4d99fa7e3185

SHA1
70a81556a65b7e3b244e8957d05f842becf4bede

SHA256
acfc8fe90c55fa2b35890f704e4ff4a1b3392366142f4379ab1a72b9ca075a6a

SHA512
4cb5eb41ef5c7bf42d48a3389d56414047a92f162ee1a66d628192a0996b8cb649bc98d26823dfb780a3a3c97b562c7b2f2d9be776c164cc9a594b05ebe32b34

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
d1a5abf7aaefc5ab8ef18b1aeaf123d6

SHA1
01c6b8dd151a76e982d17c32d051a6b562625720

SHA256
46a628345a69371c77d73f08ca27057598370d4ee85f02d60de038553448ae9f

SHA512
e35d812b7f6c07ce2455f85f0b41cd2b863d3a7a63f55d443ad5227d0d8d0d38ccbe2908de9df0d571599e3257cb0ad971cc3a7758a7d7c22e02150b323608dc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
318948bf89b50973d2d29f2594892c1b

SHA1
755f841b8161de50b8e0ff85d5aeacdf1cf4d4a1

SHA256
871f6722839dbae7ae58e71efaec8162f0b212aedc3ddae73f89a2edbf476d97

SHA512
6cf82245c8b41c31f3061a0802cfd7114d2901deb53cb6692ddfcc6b4643da0d34fbb413919cefd9f9ba5564fab1660e5a521bae8b4a55b8031172a70d1c1809

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
29e434ff2ff336d20047824f277b98b3

SHA1
551f2e78c40fadd4777f5222c1ccfd353cddf30d

SHA256
7d7ad6afcf3ad81871ddc67a49dbfdec318d514deb0b67b5c9fec05d9b38729e

SHA512
b9f0e1e0512c21897e1796ea5aa45e88074766b41d238f9049d029d3668d82a26ed95700e333a56b7329621c7079faf6d8486aab2ca26243b2ebd322f12b355e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
ae767c45678eafa80c0435995659394f

SHA1
64904dd1db4b1714dba3977b60e924eb92286369

SHA256
3075addfe9f3c781d8b1040ade36b3a28407b0a9f46ae542225a844b47f0ccf6

SHA512
b99edda86a7d08e3c6b832cbfe682bd26e90c6ef8431f47390fc5501a10a254a4055e2985e2cf5237d55cdfcb36b10eec0ae7bb2e985d28ea0e01279be3f41ef

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
35acfcfd570346fb7125174013c64d57

SHA1
546b7a65166a733a39597ad4212ea475b7ab3c8e

SHA256
39eeade878eb6562e27c703c8fea8d972b8f3c46b95bd469d5bb0f292189d201

SHA512
bf273f048dc7ee4869f2d73d6d9f295972ff97999ac7e3608301a5e0db5f8f913846707133f121f6d446aa24c9d6d6b8506ca8d000fc93da9cdef1f79b1cbffa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e0863a88e15d12b373fa150add7a652f

SHA1
315e1da2f5c3d9ad35a7b110276be5e5ebfc382e

SHA256
1efb79b5efe836512a8ea234235a8c8e2e87a31bd24631d072b56e4f1e6464f1

SHA512
9b156b9887deb6330664b86cec77a873434219d490f3a0fcd5c801d0fd8e7b9cc14a9f7cf35a8f5b69ba95805adbe6022a576aeb0e1859a90f3505d726583be5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
ec54629c690ffadac562f27d94624efa

SHA1
1e9f1b66ac0e7b110fb50f08ebd061ebeec2f67c

SHA256
4e8a44cc5e038c4d976fefd882cf35d797222893d706b8fcd420f6648ee63190

SHA512
8fe18c7c77e38313c565ec4bd21fed8c4408d23cd27273f5e08299d169b03c0e15094c1655ab0efd8d1d60bfa031c0d9f9137c560d819f82a255623ca5bb2f9b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2e9e53bcc4a6da214cb4d37668e436be

SHA1
4dc11acf7e4520e04ddfcfa352240bc733254eb9

SHA256
537f57e8bea918124ff4fd5fd91d7b02fba3fb8f6d52c81cae94f0436e840050

SHA512
f4ca431c8014884b78ed6635509e4c3efe24b92847d70d63efec33d6482039143d2ad7d89c1a1fcb7f726b049442ff8383cd89aa8ba0143f5fdbbfb11d87d86f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
463b021f11644d04c05f4a4bdcea33b4

SHA1
f5e93e0c7570358090147831cb8871bf75491a3c

SHA256
ae044680cb75bac72773cb5091ff13ffebe51f1bdce438d49d9f054edc43d7ef

SHA512
b292ab14bf8b8e80a1fb7cd66b4458cbd685deee85d939f964d331eb15ba2a2f282abf7a483cacf2c193e278097e480fc5fc9bb3fc5cea251476ad9c4f3eefac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
8aba67ae2730577a3cc8c0fcae4ddc5f

SHA1
10838c8716c39b96021a35dea50bb36e0ce98084

SHA256
be81fc86a5a5c7b95b31c5809a334664bb28e798d0713874b8ade6c8cb689944

SHA512
39280d277d2030b1c729d8e6c7d2659c36f2a7de24fdbae02ffeb4cc1a8317842cb7eb255df4113d33fe84a3b616dee60d8e95fae039e9d2838f01b381c1d459

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
9a32477a0454ae47a6ffa0b6ed35f780

SHA1
4456c9f96dd20b2487fad1f4556f1f4c02d5a42f

SHA256
42e21aaeb1cd1916831bf6ffddf6b014f1b2c3b0062223486500a9e4723744ea

SHA512
ed483bd875bf02c4ab141b9f8841cb83c6e0d7c2935bd4b6d7a47f62f2397bbc94410c52cb8ef6a90eeaa55869c1e9bec2e7c83fde640b9814a132a5b29a4a68

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6eb310387e4469544fa7cb565dd13d80

SHA1
25103dfe483467dc69830aa3407f5e5b0a9332ee

SHA256
f4c1801a650a35094a855a8f36a966de85d68fcca8fdd96271d1fd51f4fba04f

SHA512
299c9f2d2c711a1caf92bfd5141c168961a655fa2b4356fef2a6578bbf01fd5e492f0df260d0bdb3a1c45f7a716a8b604e4e9186213ff26bc0bb76cb83f513aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0de4b9ea5b6835d5cdfc932a7eea93e8

SHA1
3f3f6d9572426a051958d9573ab63ac5c64e3a74

SHA256
24e2d9ecfa48b604e1536668da900a654f8695056630b6ea120a490453d8b84c

SHA512
20bcee75dd140796139f20a059a6638472e38a4a34d1c5eea0e907d0bb7bed882098ad7db8164ee1299951388d8f887837cc1a37f5695fe9a52e230239025c43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
c2f7848854556fcd5ea9139b90d0b4b9

SHA1
8dfabf6a206b630ed273c53acd825fa55a4dd90d

SHA256
52395b5790b158e7fbf57833a752dd26a2df386c56949b539d90776a39433695

SHA512
ee44be3cd64c7995b15c5eab1f565850bd88222730fe16ec82449a44090e89fbc3029f2b946e923c159703564a4eedc10664d9ee7e82e929982e17a8f3213e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
c14d59daddfeed2e651ac495a9561060

SHA1
02daa807da40ead22f3c20a9656121410f37403f

SHA256
c427ee4d8cc44b43bd4b246bc0626751747d73d629560f53ce3af1fe8d41871f

SHA512
145a0f10a3d38818b545d300491938b74561a5a3278974d57087d87769d3f5a9c2a28c992645f75d51d6dc3f7ec94ce45e66db324793a03d15e0740b1c71061c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
17256df6bd47ef26beb8dd98a09e82d2

SHA1
66702bd3cc89e3c8c06058f1df11748f845aed8c

SHA256
dbdd480defc56b8b139414e2f56b83a390d56f2d6f0ce37a91cdd341ac5e2722

SHA512
f9a8f6683d195dc2930dbdbf2b5abe8aee6ecc3a1157d9f0e36ca0a615ef0388358d1e357c27cbbc44f6b646bea42364dffbf0ea3de4957babf11ffd7aa3b4d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
808217a6041898f5780594ae58ea4d5b

SHA1
3070897ad35a2ce1c721a5f2a2d42a3c62fe80b3

SHA256
7010e66bbc906f4b3b255ccdfa54cc6df3f9d88e1b312272d5c58cf8f53a15e9

SHA512
a3192d6ecafb2f9c464228b89370b2b68021c20e4393299a6b1d81f15590b3252bafe8d59b3a83b6b8d97cf7eb80cf6c3898da23e5e3254da9780692037b0517

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
012d465b8739252d959c349fb5a7d687

SHA1
d984fb7134fe6baeeb937550d83e13da5cea56bf

SHA256
293147191fa878aea53c09fc238e83251824ad30093527b1d064c9ae611acd98

SHA512
95c07d8b5d7d39ac382cab94d95f9dffa6b79a01a9cc77827fc3b1d8cbb515c1c3efce5c8cb5f42885d8be80a8b8b6adac76a4ca66c2336501cbe8fd7b97db3c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
707edd350345026f92ae3481f1fd58c9

SHA1
b8b943b9cb51853db71737affa994b3c05641684

SHA256
65b3bb35184d33095f9effa82712c188310cd9204ec96e5fcad2cf3a0d46e010

SHA512
4a853e43d10e6c65e870a9409d288a37be429d908640e33d866706beda1c43bb257d815d7443c7b7781850552afc5ce4397fcb91f83742bb118df45a3371c18a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
ad4a320ab2076955414fd99dd2cdc1c5

SHA1
5aec51096849cb0a37a9f4d98ee69526ceca712b

SHA256
5562ba1698817be605986d45e5e4a086b9fdad44c17b9d1221a3ac89746d8b36

SHA512
af666e32ed816a68546048b8b6c832c697854ea414762ff5744f8df3e85b093d99feafa81e23c1952d03536cc8b33ec0a48bfd5f610a58574c3eb9841c2fd555

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
39f5cc530a168771f9103091a11998ec

SHA1
a28a0a39692a157ebce08903a6c85269f68c5230

SHA256
212dc1d8f3869de1c7b01f537669e8d17cc2d397d3ba4818200899269561ca68

SHA512
e2cafe0acd7682f5cd5964b6abd270b9266f4029f61eb8cfffed58d4c89acbdd71f52d2a4eb8c37ed98d92ed272f7fc27fb17603230ae483445d1371e1ce65aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
043653c612c07ec9a1d75ccd6926034e

SHA1
2ab5586ff3615cdeb4d18c9c01d797f1621e0c27

SHA256
6e26a0b5d2de3191b75725dcab65c51fc5067723b3cad065e92fcea7f6880b50

SHA512
6e281345dff25eba9dbd33d1ab47ef47d1608d765bf336040e3a0b153e526d505724462d5757a793cde6b335bceae2a0a1ba391a22f69d29b9006950a62a642a

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
25feebd0de01b2821b6f268f6c5e89b3

SHA1
1d69f9d2f1d7cde3ba1a5e5191224e127325a3d5

SHA256
094542507935c5a38184710b0b0f4b64c51fcde622832388dcaa65c1e9a369b0

SHA512
9c5ba2b6409e7ed410d24f05f64f8c31e67d549cefb4b18461d3122fd0155d47c44c1311222c889cf931d29f61503ee993cbfe3c45700ff2f0e846cb1a917e8b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
9be7d1a4a687da49a8b065dceda7a205

SHA1
e51d49b654ab1f1d14ece5febc218dbf395914c0

SHA256
93f7ed1a35c755ce916e09e6e5bb2e22252169fdc89c4ce5f39ca2187cea5132

SHA512
de49a80b4f5d0629ff976b296118b4a2992d877e8cab6b86922e0cd44d14ab81c6941699e307fbb5c6ffc177ab3b5e7f3c33ea3e62f435bc9a2611d1ec2ad729

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
854a11700a5b8776ae4fa5662956ea47

SHA1
681020721d11d02cf6eccea5edabc00fa641a74f

SHA256
44c38b98bde899a83832b2deca2bc62bafcafc8e22d6e33667ad41a1dbb812f6

SHA512
44a03a003689905992066fabbc5c0b9ead42a8911836cda0052499f5786c540b16dbce5d450d0073d452cc11b173657b3cc533adc999ab8a435a1db5284ee4a6

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0bfb3e8948ca3df241457666800c111a

SHA1
cb5c77b3abc412a390181b8c22e1fab480b5132d

SHA256
3fb07a23e4240c062d7fbea8ffc8ebf5853673eba099a0ee101f45650bfd1cb9

SHA512
47c6742d7b9b78ac039a8753a8e8c0f2ee843764d1c7a5e5e3b5ffbfd139cda0e537e85fb1c6e7d083cffc8b2b126b0281d020813c9a18f0deb2426df8a357cd

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
1782f20e5e406b65872f992e2a781cd6

SHA1
2e1e92118717583c82f471029bab3294b05c9d1b

SHA256
9f606e7ec0adde4962b28fa256e4f7bb54e794c2d65594c0e4b1e30933743090

SHA512
830020c6f1bc0342942bc1afe39829f341845c6b816a1ed17967e93c40ef67f6d37123142f95f031cc39521521ddf5f2e2f69a014fd25845db33a7b2bf26cb4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1d610243b874e4e521d4c01c97bb7b0d

SHA1
f784201a8285212bf6d0f967936f1429434a4d6e

SHA256
9a10be2c275beefad3effd34fe99e5c7cf76ed0a873e61ce5f38320d2368b9c2

SHA512
cbc33b51e0a48ecc7068620e7bfd8767e247f5aa108ddbbedca7c72be02f7d8db2f70ec770604ec9ad51a3c177dad0e9121ee35d7d30d9b47ad356b56d005d7a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
f7bfe34da4e069c16b17c1ba14d2467f

SHA1
f686e8e7b5a7d6e27d54634ee0d648738f3f171d

SHA256
9af3f331ac49ce86e439830c804fef003e44269c9e49e5cbc17eed4ebdca4bf7

SHA512
8d78433102e572f297f75f51afbfc9cff83516c7a0d11291669449c73045229faa34cd1612207775688e4b290d79fe79eb2d9ec6f933647f197d48dc0537e5c1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
6dc680c7000a185748c9fb224186c8ff

SHA1
7e97888bb31af7ca6a625c61e3555eee819f520b

SHA256
3bc64b8d1914458469130676961ecca879b52872871db571d912889a726a509d

SHA512
71103f5d90cd1a0b31286fe07e9beb332d033abd52c3de92dfd778b69ee922bdec0b7ff9fbc77695cb00bf3703428ef6eaebd28d2a8e2308b7fb022a8b013e33

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f2fdb4c8032aba0f5a6ca95d546e13d5

SHA1
08e94c306f242680421df7f5da2e38671d9a6210

SHA256
93970912bee2451d2bbf4548fae410a8cd57204be21af35a10e44f0f03e6b441

SHA512
d8b45581d78bc701d1316aae825972b74b88d04181b402ce6d8b205cf822b98fb228ac94ec488ea460e752ea29e97bf4f41259ff6f667099bf7d64415e367bca

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1c1ef4d24cf8e194138db473fc4359c5

SHA1
a0783c930785b0eb487c612d1b18b5a2c1a4b628

SHA256
aa4c7635b5ac57986f356542b4549eb3d069e3e0fcf70917165942351436bf11

SHA512
48f2ea18c1413dfc6a50bf3888b14ed66c080f7519addf0e30e64d96c86dff75887d6d12662c15b9903ecfcfa4655d5a2374cfd5bb4c870388453498f4becffb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
a5de078809132ea1ed3a501698c24b9f

SHA1
1f37e71fd42b9615e650594af8a8d4c2d517db4c

SHA256
464dde8ea8cfba5f4c4ccdf30edc7a1c4b612c4298c47a0cd9564e1c29dbcd8c

SHA512
03ef0ecf7f2f1ecf5af94eccd6e6dfa60a22a788320d9a44dffcafeecef7ff47b7d97c8438929558e0779fa05d0a3c6aa77f4fe495fbc2cd95a2a90c00c24eb9

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
eb07a86699feedf00599454e5b64156e

SHA1
ee50449540fa2d6ce6d1b1b4c9b298551fc50dce

SHA256
9ef0c04000d3ba15ba709a17e49a6a20a6f76f0fa15dc5391fb446c5bc177d3c

SHA512
4d8ba4177a18d751b95c7c571267c5e0fdc8d1b56aa2a78489720a6022331e157cb89802df7a6d15010365dd717fc4c791510926a03a11bb9fe6e380c533ab39

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
fd1de9058547651a38b77cf17eb2b669

SHA1
b90d249e040655766c749c40207a296d040fe1ba

SHA256
c3334916ac30de7c84c49219535ec5746198d9a48dc47b51726eb9a5853cf6c4

SHA512
a161dd8332f1391e179ec629259b8fa94457641a47e00f0a54d88e3da5d97924367592ab2b4262b9b1ab5ffdeb55511757c252289171cbf94ca6d9e558de7c94

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
49ade6a74d065c5ca188ee387cecdaff

SHA1
cc01b52a7e39e1bc680057d4f5a9f04a277cb7dd

SHA256
1263dab9787ff248e042a4258c04990af0cca2dfa844a34474d99b5d87c5cb31

SHA512
47a7b6e3b65af678093cbe22f675400186151eac217a7a72bca75efe858282f72a53285d2b8fdbb8ffe8651a019a047d2ee85c650551193f2189ba2551de8f52

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5d7314e9119dfe625aab252c6494ea73

SHA1
42b9ff362df8271657b995f4f65a1b98a3c5dab6

SHA256
cba761f53eee8d1506cef26780bc856e0a9f4efbddadc2927a488d0bf8690d01

SHA512
8688235426386b4f6eab91e6ae9765e1b779feaff0b6fe019156827c80e269446e9f13de462b02e977e5d6adb61426bfa55e5838c5bb8cd0768d67b206bfe488

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0632a788508c884a4b1b7fc6f421bf3b

SHA1
4fc99e9dbe07506efad335d4b6fdfc21f7ccd49a

SHA256
5c68720e76fed2ea1029503ff24d142a220c0a74e610422cbaad30487be018a9

SHA512
fd81f6d239057a3594f39c7d12b5c84144dbd26fc2617df0520b971851f00f1350008c2b140c8ca7ab26765de885657fda61499b6fff7393ee762b2b9217d26d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
d7f44c4fb3f89c2671d1e2c6540104c7

SHA1
82fd8cc9e271359818e302e919c8bffa1f711b0c

SHA256
124ee9dd52e12c2b684714a13714490a380ffa65a810c67fa159f43553ea7eb9

SHA512
34abffcf89ce0bbb364cbe76fcb596b34c263dd58453670bd34a2050b459825090cacf79e248f81c86533679b39ead0aeaeb0a8eb6f5e62b3af5a1d593fc0edc

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
efbbca6ed6a88a106e49a5a37573c34d

SHA1
d535c3acd0812e8cf6da615fa07691a931f4c08d

SHA256
b208240029d4246649c2d11f5f2667be421060591afdb08c1909a06e29ec5495

SHA512
e6b42b28fb6e0c4e4253993b983c9b3dcef3353ca5cf7a21bd327f1b2462d56fa1461c7cd829450e225e707d129b26b8562443080ab287b4f0d4c06c580fe308

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
342535a429afbda11d71797300395d0a

SHA1
86b836a9f1343544dda2825fc6f42ee9d0833248

SHA256
d0080cb576ff26214696e6e4ea6dff8a58806d9f266182c96e50f00ac28cb19c

SHA512
696ab50ba20a8227ed6f2fbf54b26553bb0c1c007d9768ed56e4a650ea5c93bbb894a9e61f3e3b90d781b54d54f8756ec38301027ef908b57b1cda6db3f91f5f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b16addbfebbebf260e6b035fb5543112

SHA1
a9ec07fbc41038ba841de5badcc58749e45bdc18

SHA256
57d2e9c5645b8a7e1e3b2153890e0a62c5973c5df22cb89657a78e7ef59740c4

SHA512
adaaac4040ab82f3179e66f225a8230a83d96e0f2a88017a255fd91fa9d236ec47021d96b0822d6d4d0994f5b97b435fc95a2aefe4923b4d1088d77dd2b6d3db

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
082f5848059b2ac57caaab485bf04a09

SHA1
aeb83136b25a95a160dd9164f8faa4b2b9b6c97f

SHA256
17bdc1b5ee13d7a49fbb314eb7f020e44e036fa9ad3e6ea828c43a1a9e6f3c8b

SHA512
8a6aedaa10ad9a34f94867f42733053a5d766e042e5fe35395c7f07d3f33f31e29682ccc7c0baf58dd4733369562fcfeca45eaf318628dd109efca6eb735eeaf

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4515d478539b1178154d4a2ed22b3530

SHA1
60807d0e1596e4788d87e7e730960e8a99de7c36

SHA256
9ee0a8687505ef16b010b2322a6633c79da362d659a87d8f8b3959112d2a41cd

SHA512
df046c8430eed4c9d0bb54c349caf7300e6b2adfc6891b7b02db69df8d8a1fac7904e8866ca033bff8bfb335d5f218d681f3641c95d02366cc8c6dcf70d854d9

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f469b21a83d0fba81e7b98c5b34e86bd

SHA1
3c1fd3da145c976018677fc6fbf0e2ffd5b01c73

SHA256
f540bd3d08079c5236dc13671fa3bd347f0b5acb65860fda9b76fb4ab3a6e774

SHA512
cd1489a0b0a10ec854471dce5362e62b262fc245936f64dc430c374364c26658667a5a537d8f93c7847593b2c8a755258d96c7d8fc26ef642220cf1cf28f0637

Download Submit
memory/812-165-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/896-598-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/896-190-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1056-654-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1056-263-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1344-98-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1344-89-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/1384-74-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1384-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1384-86-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1384-82-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1384-80-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1540-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1540-14-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1540-21-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1540-163-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2016-653-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2016-243-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2348-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-262-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2348-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2348-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2576-164-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2656-600-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2656-203-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2736-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2736-1-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2736-472-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2736-8-0x00000000005C0000-0x0000000000627000-memory.dmp

Filesize
412KB

Download
memory/2736-73-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2960-655-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2960-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3040-38-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3040-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3040-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3040-44-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/3040-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3364-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3364-652-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3448-52-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3448-242-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3448-51-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3448-58-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3636-191-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3636-599-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3692-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3692-33-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3692-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3692-200-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3800-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3800-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4008-594-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4008-169-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4140-167-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4792-597-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4792-168-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5096-220-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5096-601-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5108-166-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download