6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
Size

1.8MB
MD5

9f7a6d8b430718b71b4b0ae96127fd64
SHA1

87bb754b6fce4bc12512ebe471de1dded709d1ad
SHA256

6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881
SHA512

cae2a3445bbefc51dccda4c0348d0700450b799b2f405f87598b3e06ac0438d89602ce49a8a4b8a061186ea1a4185ff7a075576a4c95262a867f760aaa8a1998
SSDEEP

49152:ox5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAiaB0zj0yjoB2:ovbjVkjjCAzJIB2Yyjl

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1920	alg.exe
3612	DiagnosticsHub.StandardCollector.Service.exe
1512	fxssvc.exe
3324	elevation_service.exe
4220	elevation_service.exe
456	maintenanceservice.exe
3200	msdtc.exe
4448	OSE.EXE
2688	PerceptionSimulationService.exe
4392	perfhost.exe
3624	locator.exe
4248	SensorDataService.exe
3644	snmptrap.exe
512	spectrum.exe
1664	ssh-agent.exe
5012	TieringEngineService.exe
3016	AgentService.exe
3080	vds.exe
4768	vssvc.exe
1420	wbengine.exe
3924	WmiApSrv.exe
2584	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\wbengine.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\63722875325400b.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\System32\vds.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\msiexec.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\locator.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\spectrum.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\AgentService.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\vssvc.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\System32\msdtc.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\goopdateres_tr.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaws.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\goopdateres_bn.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_90203\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\goopdateres_te.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\goopdateres_sr.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\GoogleUpdateSetup.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\psmachine_64.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\goopdateres_fil.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9B36.tmp\goopdateres_mr.dll	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3448c63d6dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005bd33863d6dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000961b5860d6dada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009af67d63d6dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000932eb763d6dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012304c60d6dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3448c63d6dada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002105ee63d6dada01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b0f1563d6dada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3612	DiagnosticsHub.StandardCollector.Service.exe
3612	DiagnosticsHub.StandardCollector.Service.exe
3612	DiagnosticsHub.StandardCollector.Service.exe
3612	DiagnosticsHub.StandardCollector.Service.exe
3612	DiagnosticsHub.StandardCollector.Service.exe
3612	DiagnosticsHub.StandardCollector.Service.exe
3612	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1388	6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
Token: SeAuditPrivilege	1512	fxssvc.exe
Token: SeRestorePrivilege	5012	TieringEngineService.exe
Token: SeManageVolumePrivilege	5012	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3016	AgentService.exe
Token: SeBackupPrivilege	4768	vssvc.exe
Token: SeRestorePrivilege	4768	vssvc.exe
Token: SeAuditPrivilege	4768	vssvc.exe
Token: SeBackupPrivilege	1420	wbengine.exe
Token: SeRestorePrivilege	1420	wbengine.exe
Token: SeSecurityPrivilege	1420	wbengine.exe
Token: 33	2584	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2584	SearchIndexer.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	3612	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1204	2584	SearchIndexer.exe	112
PID 2584 wrote to memory of 1204	2584	SearchIndexer.exe	112
PID 2584 wrote to memory of 2792	2584	SearchIndexer.exe	113
PID 2584 wrote to memory of 2792	2584	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe
"C:\Users\Admin\AppData\Local\Temp\6649f06cb39d783cb1f703c510904d552103d178212405ac962a036e87877881.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1756

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1512

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4220

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:456

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3200

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4392

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3624

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4248

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3644

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:512

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4580

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3924

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
6c2fad3160b3f33a4ea1ec29e68c9c63

SHA1
ef5014972fc5824c5181d1eb78a4b53206c298dd

SHA256
78c37af6c16d00519f5114c03c86cb6d13ef612ec6c8082f204cfde3bb864de4

SHA512
3edab4615e44bed333bb0fe2461d844a66515fc3c444b1d1e6752f7e1f97f7f655aab5d02696c9e85f7ab5ec92714181144c95128bc0c6ce11af2ca697940046

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
80e609cf3ba427b27c7c7e162278866c

SHA1
12daaf0341dd7bd7e7186e7379963cf551f8e478

SHA256
10b07f1cc3471aabae62446df4b7635f6f1a46cae0e67e5966979b0e6ed13604

SHA512
46418ded907516386db785b6d84015659aa6f6583ea0dc6d62fc2898575ceb4f49574bb9ec864fe52b233456b48dc14abc1a89d12b6e08965b105d799f3eff56

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
8e59e7624f98a6297b3dd2bec3af2ec8

SHA1
056975c85b289d53a7fe1028e92fb444dd67baf8

SHA256
4514bc03e5671cdd947eb21cafec464f16def576b3b1c1750f929909db543203

SHA512
63e69ed036e0e095a14233dd39e98218e8a951951d0b5cd91c8e81c69ee165d93fd0238a996f2c774a20df830f9ba9d23624d73c6e7be85604dd9aef16c23e5e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
e3c2d5687ad7125993af49d6b084e23b

SHA1
29b06d2b7497cfe19c67af584d53011095022630

SHA256
4ad57cf0f9a1d55aee1a089abbebb61900f073f6cd17f4d484cf8234ac526410

SHA512
58d7c3221c107d02f800fe20150395c7efb786b67479f7da4dcc2bae7c187a5fd7d7120ac1a330679246d1623f1d3bc98f88057ff768daaf98db66bb19c641c6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
cfedccb5608a90929184c0c36fd7bbb3

SHA1
d026c575d650485f0e3a199d71a99ca46e76e1cc

SHA256
bbdbb64faa016acb8cb32e521185555dc972664f77f4acb85e4a69dbff3ef3dc

SHA512
25a66b0694cb8ee2c024ac93213e7f10608d07cbcfee5e3978bf302c0346bfff0c005782b714e4d7ce4e842e8ba13f71af572d93a56fde8aee3ce1fa96dae61b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8932f06f0ae1c7fdf742b24e0173b6b3

SHA1
af105d18cf6123920a7838c7d7c8983ee6ce3327

SHA256
7b1da4135238892762c1205d344361db852a4bcd5b162c27abed614f019e2cfa

SHA512
092f0b3276b4698a4f4eb96c3a783a52220ff90eda83fbd45eec146d3ebe5d3383f64c01254dde8b5292ae196d312fad35588226feb824f11500c99225e9d8b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d55c201744a53f222cb3cde8f147fae4

SHA1
c141bab2c2b80d8d6119153e2965a3078ced8965

SHA256
a67194bdcd281b7ba29a3a3fd1e328c4a949b2e96044360c7204927a3a4a5922

SHA512
1cbd155ac6fb623327e7961268025a1580fd57262bc741ae1adcf74db32dcbf2e62b3714e2cb0ea2ac366768510bd1194b094b60c2df5a2f078c29942fd29020

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
65d33136050bd17386906de65ffac5e0

SHA1
52835ab63ca5c19ea089422bdcda8c07802f63bb

SHA256
6e263cab38d569989f2dc91a899f2bcae962851221940787f3123742aba55144

SHA512
e30731a58d298e3081a9f92c40a26d55bccb675e6f75abbf488260762bdc06432e60da8771c9c920c173a657a712a93182aa5c578e11b81fbbec11c5b1a58262

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f93ec4ac12d05ebb4c1c8cde74f063ae

SHA1
b4a202b6d3f305dc058b487fc5a17f559fb1f586

SHA256
4a63ca46ad59878c832a3eab5103f13dea74b0f22b2f1f82f9cb83586342b5fd

SHA512
c9c103578cccd588616b1b39fc23ba5df9e23ebc31ed6ff63144209c181666618ecf9c39f529485ec29feeae0b3d99c24bc0ad40e281304f142efb22bfef62f7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b73f105e9df9a1f15d6e3c2b2f872557

SHA1
eb6a5e7ca672302a62257193aa3bfdbd6645e3e9

SHA256
8225f8907529663a9bcdd0f8f9167bec284d70a43822adabfd5c434d3a1763a0

SHA512
a55383f969b3e4b48d2c617d2e71f189343212370b37b7b834c18ca9ccabeda03ba741997a3a54e503908541c8d377da358fb50b1f97b956b8829cbcdc2c3698

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6845e26f368c45bc2a25c26cd04669b7

SHA1
1ce2df0c89b044adbcd512081fa973c3a6bab65e

SHA256
7ff70c94992bc83360dcdc25a14e93864303b84480ae38e4288efc799d78d548

SHA512
31e5462bdf0f95c29bcbe87f6a646ac45c813617aed33f64ae24dadc4b6d3eadab027672c0d12ece3ef694fdd10bfc42101a0987f43557b78c91a6413ed525d0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
debf77dd7346425d18f72b68077fa3b0

SHA1
9547872bd74f0ac30f806c9555b6e1791ceb2806

SHA256
44b894bfc35a3d98d814217e0840d8d60ec792805ba4f118e0039a590e43c1ca

SHA512
2b80a45367cbc295c5265ff227a8fdc4a9a4760975649a658e27b7d12d8365b5b50388c1aaf6137b83d56ec7b6b28d0727cc8a6542b77ac3847a0ef6fd447259

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
2e1fd991c99c3a6deab77f14cee21a27

SHA1
472e6a04f43ab39f56f24ab4d0cde53f9543f2e6

SHA256
4c983ed90fc81e06d824eccbe08d8730ff760582eb77ca44fcc8fd3bd0767294

SHA512
e4771cdef7130e8bff9fdc0c4e556a0592aaed5f2861ce55ea42240ffb55ef506d7e24ade3b059dcb10b29d37c40a3d3d9c0e0c4c88d398633d7d88bd9c0e9af

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
adbd48a8575f8bb97d52c6418bdd071b

SHA1
786b4e606f84b831a121c552a2a773644e4ae97c

SHA256
4a3096a0507ec7b247fd500edd12df97d8a46ca75028afd66db9928bbbd46901

SHA512
a76ff18f07fdf1aa306db19d5e37b0836a1a6c2ec939899a60869d30c0fcf2549529e262dcdee9222a4763e0e8bf2b9e5e70247633a682aabea2271795e8ac56

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
4afb8e4c7c53fd3bd35b63651cbc9e0c

SHA1
cde729afc7dbd7e77d7a9acd9814cb15139a8305

SHA256
6af8a01ea0bc65f8a54384fe47bd2399fc953a7cae024e38f3baf0591d7da69f

SHA512
189dd84a976664ba6757bcb721b76b65a8e07e2dbb35cde9d4864ed57284aa8c26a141c2f48aff6028c1cb409a8576175ad1f0caf2d3a8c2fb65497afe0a8c30

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
4ae1fae9b3a79e7f9c9c09b0183df5b7

SHA1
1534ef870a00c98b0c557dcb470e8a25bc09c257

SHA256
6d6b450ff3f0f8f57887890a1450811f3728ed82329cd152fa446624d2aa0eaa

SHA512
0764802c19a76e45f27ab4513f1ba7c654354451cc6eeda07977ef91b268958b87b13bf0b4b85cee3cbb867a4f8a02fd5610cfc03e241a207440b4dc8e83ec8b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
3d1e4c2e3b9982a6fc651ff659c6a443

SHA1
a7d0e225710a72e3c7afeaf52781d5a8ce32de20

SHA256
f4d11c7ed447cf4a8afba8de9b969c2905f404cdbc3ff6958b4b5cd2bb874855

SHA512
84f9e3db9785f1668949a4b862cface8aa98330a7925666ed7d1d895f70a447f8854732628f938f9f0175662b79565c6a47cda42fa699e35243064586f5f9e33

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
c7ef9c0eb4fd8358f221bb6671c003f6

SHA1
237a8b0fbe08e7b1355e82bacedaa15cecdb57f9

SHA256
ad6d17297272ce1803ddce581ae2c2e817e1f0f083ecef03ec66620ac3610ab8

SHA512
bb31346c4eea8385825f2343ccde455446634b93940b0b49f1f30cf23611b6ece9330fcb9c21d7cffb3b89ee45dc94f71c577778e4c8386fdbd9a8521408d79e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e625a25feefe9202b90734e615ff98a7

SHA1
2163c3ef9588cdfe23df192570b97cf84d63231b

SHA256
3d2bb1ee55914a0eab95ffc179081a44f271d1a84c67e493c08600062b1a0b68

SHA512
905613877e53af693ae22770d1e62eded76f0f83776387b9271f7c5a3963be2a63380adc5e436144bbc57e779d2011dc4c972099746065a22b98b58e246465aa

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
33042f24f833d3adb97a36771a8fe203

SHA1
ee1924d1376be1941b38175ca57accf0b3bf9d90

SHA256
24d805878b40b3b82c7ed611eab34152237f18ab30cbb20562054d042da760c0

SHA512
99448165483b6ac57c8d7ae8068f3ac55fd88e6c049f2c407ffc965fed756ff179d3a2a5b5dce880ed09d12332f8bee06d0a32070f3b7b011f6e6b7d250f3077

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
9952c10d33662d9d8de5220da30da5a1

SHA1
9b61053f379553069a57dda36fc9a633c088a691

SHA256
a75c20e0a88d638b126a3f4eecbeb98d3390c540cf085784b093678d33b10be2

SHA512
7ca73c54dfec9eff6b7d52d17b2b8aec0cf67481b248759b5db71a47c9d44b620b7dc59a0ae7937ffe89ad5786be2cb40099ae80201455bf4b304c30e2e595d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
46cf19e75a88144bf389229bbac5fdf6

SHA1
2ba5448b2edf2445d4aa2c9119bb1d6c94280507

SHA256
b1d7f85ba74b69df5bd0e19a490b82456b1cab422eccc73386c07b4d096211b6

SHA512
6be03b47a867ab46898ca4214dfbf579b380926de2da8d27b8210b0059517b6c7a52d4d40177a967a729d4b3a119a89eee008bb717990cc79e4a9c5b957b0368

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
4b5eb9386eb09bc7b97687eaa0d43126

SHA1
f6e74c5a1fdfbd6b5ede522d798644184cba70a2

SHA256
ddfaa7fffcd53366db460edf52f708a306ab96d9a3ce03bfaa6f7632ef8090e0

SHA512
d7e1d1f2400e4914f8080e6ed748d52ba106c4244ab429ebfb432fc71e5c2cc58cf1017ba6d8355df1885dff62f219a9a16bc54b52cf29e6cc9eef7161130460

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
bb91c9435373fdb1dbeb589baa04889b

SHA1
aa118565ea83e0251c46e58bda7885fb44a22ecc

SHA256
39f65ca9a0062582d15df0e295120f982452621c00212a449bbe62ffa4212ba2

SHA512
b5e751e5f8f7e01ccb13e2225e1bc94997052c0b1545bb07666fdc40a799630a1cf999c9875ff6394396809fd7dc748022ff64a7b328286430a56beefa97c1f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4ea10f21dd2e019aea7dbebbf58b6639

SHA1
8f8e28813f1d63214f223f1901d63df3ac7dc85f

SHA256
3f5171f62006b515986abe59cf7a316a74a6e5b94d54e20122939ac6049a91cf

SHA512
53ef5020efff419992c6c71f32e9b620d0b00a87fdbe65451d7b32a1f13ceb7cb6838555ab97e99d6bfa8fc0293ef660f39e4d94972bb6dbbb13d1adc64558cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
b733eae908744a0f68ca47e51745e95f

SHA1
8b910edf2377476cf78aafb2b38480498a5212d6

SHA256
909eacef45da5151582816fa2df1b61a360e45cff5379f2e9f6afb5105cb8c9e

SHA512
8cd3781e22e9a616752eb05cf5b46526a6e92f6a355defc6f7eb3aa0456935d4ec8a8e4ba99acf1942899b0d28f86a5b4a0cb9a67bdd54b25c057d8b65c32bc8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
57901a1207f8a3fa14936c477f990fff

SHA1
cf9d1c657de633ef9be8266ccfeecc4ffce5f19d

SHA256
a5dafa5bf1e5339a3861242794ebbe9daa6f6fb71d90e003175acf1cb4e906d9

SHA512
ca2e77c4f6410c9228b6b07ebf5d2a0ef4bde1b801bd3a3f7f38b6589dc4e1873f706dde4c20fa188f48baf83f210677f4afa5abf3d97d10280d8e5574423913

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
c5d09663d9262f0575c2883484cd857f

SHA1
e724b1eef5ee8aa234ec83907670c11bf3a7a3d7

SHA256
b6d1e7979dee12ec57b67b77d7f10e0ae8513c7ae340cc1cce6e7c789d52a000

SHA512
b42c0f3fe3047df3268241a3af9c70c20905a579d3d7b42bc1cd2ee47e1f91f7331572fbd8999fa29712ec3bd4907cf7eae6962aeec9dde890660fa48f81582c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
c3b0bad48f93d646633f55261dcb042a

SHA1
c5040e84cfc1e10c7a2877193db1e5e9c029cd3f

SHA256
ef36f208ceb80f070228da7b356ec69abd8bb12d554c9029e5367fa7601125cb

SHA512
492a3f4965942fbe3fa178aad3318f7e2252b18508ef3a59b9d91b569db577d6d7211332f5a86adc75196dbb970a61e375b8e71554d3062720314c1002e5ec5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6e1660105b13c51c190ac0d34267a99e

SHA1
abaf9c392570fd0423f5706bb35d01b8ea21d34d

SHA256
2f6a1fd722b564ca7b3b3906359d0314a147f44d48271954fd47252e4f808f78

SHA512
691c518b842908e1e6502613e194d28c11827b63bc0562671bbddf22d023a3e64e0bcf56defc8862362f2cf8dc84862d8d7c05d6f86130e987ad5fae2e22b927

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
4d081a0e3905f014e78a24e7ff3fd398

SHA1
44ae8355281f81d26fcc146fa927b977549a21dd

SHA256
c243a9d1cf2954958fe2522f6e8485639708a7c34ca5b2549a7d65eb0f942ccb

SHA512
3294b38710c486880171706afdfb823d422837d98936b7c6c251fc865d9741cea921d1dd6a12edbdcc97333c49ae4eeaadbaf5d579902ad05431de15ed24f1e4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
8e4715cb2ffc01a957619c4a54218eca

SHA1
a557911e7bdd13fc2c531baf8d2a0d7c02ef9ea5

SHA256
07a182a308a98a983917f42ab79c2b44c234607f5f3b287c777c79257866205c

SHA512
aad9f8514ab899620173362d399867baf5cf8ab6104a27ddca06a62e8bb3aa7a56ea6253f28e8ec9a6bea34f986b16c40daaef6b559215154f57f2c83b4ec2fd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
9dc261998c481076ffeeccb82d10f8ed

SHA1
d9452cbf860fa3b7fcd430a358f95069b874506f

SHA256
eb376a988f313a5968906f83234a5f722563a932b77fddb7ee1806cc83536b89

SHA512
27c7b2c93bb014ede164f4beb9a98eb4d61cf3278408dd5143968037400b0e79d3e34c81858cbfaa86f7193c400a7ae7c45331765cd1370b2e9bdfa66752cc52

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1ce5c3c84542348d7cdb90fddc50473d

SHA1
be66897adf3348109a3f24ee09f1bb6e8602c79d

SHA256
6bfe27fda19a7fdf239610b89003408da16648289505a3f9f5de0ea5fb5218af

SHA512
fac7410f58691b4f75038668e01e4a6ccf0a8cab532a674a9ebcd6d3441b1d8fe32221ea8e61e271618dbb792f2fa7f2ef945d57b98982e9b9f10110f0fd1fd8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
2f02140ae1356c0501aff2c520a98f6c

SHA1
67a8f8dacacf05a864fc117bc4241c8217d68945

SHA256
4b1c26dd4788e48e85f6f400713aa301cc5c10054eb3a96eeba732a8b22fe8ca

SHA512
5c6d76c0ccc714259730f2250b4ae19f3a21ae4aa752fd9607711982c1c646584a849e78f2851a9edf91c321c4b1eeb233f95bf70d9ef0ad3b241de00e835478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
c5f8670bb1b3960386ca9e51e3e10a3a

SHA1
0453aec847d8007de3f7198434a0154e4df5ea0e

SHA256
c3a0f717ab51da749e7cae145f37c6f2e173a56e11719d1ff9e0c284209201ba

SHA512
5552e054f4e9fcaf9815fead032bcf105942cc2ad906949b4251a4b5e46b6b3308abbabdedea07dd4fd190e319a1d4c398800f79530666f5a1f56f0ea29c3c59

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
9ba4033233bbe50ab26242f67aacd0d4

SHA1
d8ee57f14d231d9bcccbe5021cd86daa28dfc3e1

SHA256
69ec673e864f50c470ac86d6bf5ed5a2a27932268c7004051a06d2ab826a5867

SHA512
9ee1f3f837fadb514b65edccb514fa7bdb9528438b47a5c1fc04d627c5ec78dc2a87942a128c35dc4aba91b9759507e619480f9221b216b0c052aaef4f42c176

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
c95a372edf819e8da0440bd388656c45

SHA1
4b695f9f4645ce9dc6b4befba514fcbd8b8d2c92

SHA256
cbe5b484c922ebdac1556dd489fa885fe27d84f39555691061d4cf225c9ff83d

SHA512
d00219b30e6c36708eb94c9c9b7094d20043caa3b34097b8353785eeeb5005924b7ca42e6ae2d182d7583830dd2563e52560563e4c7f6116f8c718c8f09acbca

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
9d9d2cc6aecc44ef0690b56ed3c33c7c

SHA1
d8c9c5e51cb87a84448fdf6236c43cf2d8556ebd

SHA256
b4feceee14e3c6b3762a46b1ea79a7698aac67fbf9d75237c66a773edab715d6

SHA512
15c8a79b1a3225b4879f43728641053de5eb9dc6fab8038ddb4baaceb36b3e36113650150f8ab5b710e139f7b896aa0c49b431f653c0d78de83fe3c4063dba3c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
375446d955d3998db3eec562a884ef1e

SHA1
3a0cc9eeb34b74e6eafa708a8e500a6f285db1fb

SHA256
0b4e08cf77a877e9dc6ff5e732ca44308833508b03bf9aa80fb0e3d5908aac72

SHA512
31e4953aeb35bb86f24287b97b7ae3c635597ba852db47a69e43f9b2892badccb341c0ab58d36a62310ba2f6e155b8c07116a32ea58ccb4611ff33c1ed253bd8

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
935f294948022df4899b4164181c35a0

SHA1
daa6d7b29eb17ec039cfaabf08728e2ff2ef4b23

SHA256
e6b63f9e8567b683421700e88a8fdda89dca25d55a0e38526f7429085ab1c7e8

SHA512
adafa53e7ffd020eae1c80f50a0c817f8d5647d7351b0a18789a7cd584e4b0f009fc4feef3c467a7979b543f5d5ed10631929e788e2bd8850de165e1c56cab05

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
10670423bd954988138a145aad0efea0

SHA1
1cc0fa70faa1a99cb92d7bf549f5958970278980

SHA256
623dbc7b4570c2a2cb56ac41912b22f91de26211427f5053eb4415ac056f6086

SHA512
260a3e68d015f20f622c360f927ec4c3bb0a7ec3f2830a425c3450672dc3b18208115962afae3f67e37dff5be83ec3cae490b5af1eaf6bfff18de30324d2dca8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2285ab768d76d3f1e019a23b087ade8d

SHA1
b7fd615f58487d09303338a9e6878fb75603aecb

SHA256
052573d4d0ccafef8250bf1e3475ea21da1dcadf2e1210c441974debdda0f30f

SHA512
7f75015c31cf70473d91f815b8f947197dde4924ff12733029ec3ce069d71e55c8b5a0298095afddbd57909d5fc88b6a3394afbe621cf55abaae827b52c86e9e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
287af060ec95f6f318768e41a46037e4

SHA1
58df10ab3bfc179cc9803e19a9462af50778e76e

SHA256
afcdcb911ee53feb313820b1253188da656950b7fc06d035f3996c896fa2720d

SHA512
db8301b15d5a6f4641e0093a1ed31fc8aef8f633b50f88cf37f254f1c716e8e157d4ab82a8cacff28931fd79987c81167f86a4642da890081e8d209ddb9aa8e0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
bcc0d2e765cf43eef2b4fd96c4e5bc29

SHA1
e5cac55319bd6c0a17e690020ac63a7de4a92d3b

SHA256
61be2d297d517dbfef759a011c2fc3364ff29859ac1d1b82fd35f30e1cb761a0

SHA512
d2fc638bc69a1caa1f94884174220db12ed03a90f63215d6ae95786985646ecbcd7b0031bf649063fe6ef29199a15d8c0031c317241fb740f318a44c014d4ec6

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
90a40eca0a8381100e3a23c1aca36d5e

SHA1
4af9888bc693e7eb06088fd6e128d831835e0d62

SHA256
f1c16b50a8f531b785a260d252dc1ee76cdc0c08b75a0646a6a2f44cc5db704d

SHA512
747e77d75bc2c75a35c0f09351740db1cd46d0fefcfb4f9eaee7a6a7cd6522610ee8129473d874597393ce037cf7266623e20d61b8f09a8febc6c260f1de0b07

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
81829d3ea65070d74011a47006e21fab

SHA1
f313c4a57493902ce16219bb129e6e0e3abed645

SHA256
5e55e6890bbeca7747403c53772d6d4defea9b0620b8519d110422d99685a7e4

SHA512
dcfe7e5d35578b61d368c2dd30a91c2f47b5c0ccb0cfc53e8d679676ea8697d7f4a0715caa04d4b3fa7f35cdb3f8f1e775e1e979c79273c8393283f868262483

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
ca1d8484991e190d4843b586e584ede5

SHA1
fc77563e402848707c000ec5c1288291fe16fada

SHA256
9e35ccc648f8a74709de747498f58a5ea75623a0010f9c0a66b74c0bf9f89760

SHA512
14f0dff5b7e693abd3150f161341271aa979da3b5c73d80832957dd10cf9191f5e8d3d3cf904276e2ae7695a62312c35a2d0202db447c934655692547095d4fa

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
391cc18ff798095db993481ffc7bed1d

SHA1
ec52ec7690174d7b2c7bd947a8a39beac97eb880

SHA256
61f3ad0aea8cd7ab7c40c6c5fcab7ffbd42c22db6e86e3672b0ffd1d90da5c4e

SHA512
26bc1df3f3150b1c78b77ec99269421563099bd2ff186c3caf2cb533409d83e08a7b6d35abed2170170c2092263e219d9e511c665970c02e18b7b97ee2b67cbf

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
d1fcc0de5c9f786ed27648cbf6b91828

SHA1
ebe7773c25883b2f51c29f0f6abc16741dc237b6

SHA256
008afeaabb7915368c38e053d678471a6d4ddfb4d54018bb48c96bfd054ae036

SHA512
baab78e7cc6cc6fe35e31161693b0eceb2ce0bee2dfc3b11cc33a8e6cc6a6ec815a96f1da428fb0fa1b498745e2da0443cac94f18f4037e19079d97ec8599c1c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
49a07b1355f93db908352a45218c9df9

SHA1
fa48b68016acb137530e7d1dc366124f04aafc85

SHA256
067a70a4f31902ad1232bbf02e3e74b547d90ae129164b07312d567f59e2d686

SHA512
e7779bbcc6848853cfa989e96096d06cd3c4ae0c3a33173165f11285ff35d80a153c3cef69b0c6c6cf77812140244d37aa9f1c6916fe4f49ca4b0f5942a09831

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
2ae3bb3bada8c1a728d3c5eb30ed38ac

SHA1
e1dcf82664b8bdb0c88dec0f86144253103e7ac4

SHA256
24a3bffa8404231ae5372d4476cd3c9e0c9f0654c5c977c6941c9ab2b6a4002f

SHA512
15bd3c526397ee8253e3c6ab3a7dd2ecfd039560f1f12a617edb258ecbd3d4d52a7b03aafd37d9c1703ac4394af5c40cf331fa9d7b790ae5e3e20b7ba1499254

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
63d6e1a459a4d4dd8a6d2e091ace687b

SHA1
8b1685b1bb888dd3c5503c585dd0caee3af8228a

SHA256
4c0c34acd22a606124e2ef461770816b9ed79b175398851ad749f96393c2cb3b

SHA512
5baf0ef9238435c20c06f7f8761390133b15e8dc6e1a39a897c101ed4a09ae9fb93ec0f656f68c6f37ad6b1dbb4428396c46d8ac5c2f1fae4ed402ad3a26f9c5

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ed31f3caf4a9cea677f7d5453986e4da

SHA1
66960232b057014f167fa659976d55269438f19b

SHA256
e3076bbf6f1ab53710f14103382b7fac6af638eff835a646378d8bf61bfbc945

SHA512
0c1facd5d1b4ca5151fb381543c597671dad7c1dda8d0ee89208ddbd1984e84a84fb3f3a89d1b16ae03a9af3219e4f3e005f1638c8388c5fb44d3155183e1965

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
6ddfcded5f986ebafa15a97ae1a161d0

SHA1
35852cb32fe221ccfcbc5e99337a646c32a6ee2f

SHA256
abfff45c6c013a936302391f2edd44632804b247409c9d77ea74782fb65bfdc5

SHA512
7e8543a90872ded948893bfac04a08ceeaf4e85ed6342e89e101636326c5f0cd521e0138bf140732d7df8328858cc7fb0887d684b93c2d15a1ff0493b3c7ae5e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
4bd6a1cab5afa6e35dc6ff011f9bf1a6

SHA1
f429ee6203d80b17ed9c069f45d05af7e5c61e7a

SHA256
c58c2d60fab39abb2e956432fbf2faeaf2a39aaaa6ee93e9395c7d340dbe318d

SHA512
56e19efdb84ce35e78b7e3d85908cd93697c6b5f7f7fa042a5811f809b1a1f8b5bc743c7ba7f33a49ea4de23700a0dc82b1d34add4621c41e6a4ed25440e8323

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
82eb0979ea1b9f72681f24c6da9f2aff

SHA1
9e8c04f625b28b88fe8550063ab2ac6ec13aa0e9

SHA256
59a98af36b888532c7717e55747bb38c1939cd2604913d686604193fe59a6181

SHA512
89e846071cc08ef82380d86992fc450c22fb4148b47cd56f45f016eb07303a1db428644fb937629051e44babeafbf22b2b6e895a34333350af09bd47b72d479b

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
302b20a0ed523e6e030b1736c9d079a1

SHA1
927885a54bec2c4a3177667e15643a0795550904

SHA256
13744e01f796592b87a8f473e10843ebabd32e79c48d3ee97957281db8d15843

SHA512
cc3a7dd9ac01448083c346f3d1a671b01faa70c347a8aa31b1f1a4e3eb1c0fd1747de7ec64b272b013fb422d5daaae8175f21207cf3dd857cdf97c94bbaf14b3

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
ef39e5e862246ee70485f6182547cf52

SHA1
240167535f859dec18fdce9550d219c08dd3f5e9

SHA256
a0dfe459e1636422e914201c596c894d18281c5bf4c8ea926de6982870dbfe59

SHA512
1fd44a2784659ca52ab4071fbcbaf1fd7f42a87f7134b2cacbba619e603893d23be75114a7c7f55a67782c61e1fa57f78041348187a7ac9a674ecfde07c050a7

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
735ce1bf19b4b56ac86a52c35a52c480

SHA1
2db53e937dfe0baf89a895bcfc050f3f4635daa5

SHA256
e05572d6b8ceee6cd3eb5c45939ee21f5e85414a96a8c44ce881b4ff72b49fab

SHA512
d4523489dc8b93f62774cd9caa0cf7d97db3a9f15c444f3dbe10cd3a57c7329509783fa181a1b4ce5cd4899147abc4d7434cd02f9180cc3dcaf405e31b47891c

Download Submit
memory/456-142-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/456-155-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/456-153-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/456-151-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/456-148-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/512-336-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1388-178-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1388-1-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/1388-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1388-6-0x00000000024A0000-0x0000000002507000-memory.dmp

Filesize
412KB

Download
memory/1388-562-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1420-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1512-114-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1512-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-105-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1512-113-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1512-116-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/1664-337-0x0000000140000000-0x00000001401A3000-memory.dmp

Filesize
1.6MB

Download
memory/1920-20-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1920-193-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1920-19-0x0000000140000000-0x000000014014B000-memory.dmp

Filesize
1.3MB

Download
memory/1920-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2584-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2584-707-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2688-194-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3016-281-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3080-339-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3200-166-0x0000000140000000-0x000000014015A000-memory.dmp

Filesize
1.4MB

Download
memory/3324-701-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3324-129-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3324-126-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3324-120-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3612-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3612-69-0x0000000140000000-0x000000014014A000-memory.dmp

Filesize
1.3MB

Download
memory/3612-70-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3624-226-0x0000000140000000-0x0000000140136000-memory.dmp

Filesize
1.2MB

Download
memory/3644-335-0x0000000140000000-0x0000000140137000-memory.dmp

Filesize
1.2MB

Download
memory/3924-706-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/3924-343-0x0000000140000000-0x0000000140167000-memory.dmp

Filesize
1.4MB

Download
memory/4220-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4220-140-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4220-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4220-702-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4248-227-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4248-645-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4392-225-0x0000000000400000-0x0000000000538000-memory.dmp

Filesize
1.2MB

Download
memory/4448-179-0x0000000140000000-0x0000000140170000-memory.dmp

Filesize
1.4MB

Download
memory/4768-705-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4768-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5012-338-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download