1308957c829d909960dcc95c010cbc4ead1d75b391aebaf3f8af486bab08c900

Analysis

max time kernel
119s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 18:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e83518f3b0acb9cb1bdab967cb380ac0N.exe
Size

622KB
MD5

e83518f3b0acb9cb1bdab967cb380ac0
SHA1

cfa8ed9f8e3a13628e2d2719900a2da742272e37
SHA256

1308957c829d909960dcc95c010cbc4ead1d75b391aebaf3f8af486bab08c900
SHA512

405360f92fb70ab3995780d31c48cb4b4491f970773abce4d95826752bc830286aa6c0a1f966f807ae87544d417eb9fbed548282dd4a929c169a40d6d4cf8e0b
SSDEEP

12288:luXf3SBPjZZQOcPskdzM0DZdwPCrUQaoGFU3Q5QitdsOegAU:luXsdZCA6N3Q6itdsOeg

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4252	alg.exe
4844	DiagnosticsHub.StandardCollector.Service.exe
2524	fxssvc.exe
4356	elevation_service.exe
5100	elevation_service.exe
2128	maintenanceservice.exe
1112	msdtc.exe
2448	OSE.EXE
4800	PerceptionSimulationService.exe
4340	perfhost.exe
2344	locator.exe
4664	SensorDataService.exe
3268	snmptrap.exe
4296	spectrum.exe
5008	ssh-agent.exe
4424	TieringEngineService.exe
4824	AgentService.exe
3240	vds.exe
4456	vssvc.exe
2876	wbengine.exe
4444	WmiApSrv.exe
4016	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\System32\vds.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a5cc5f66c056941a.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\locator.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{CE3D9DE6-FFCE-454D-B2FF-D9D6C166ADFA}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77531\javaw.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e83518f3b0acb9cb1bdab967cb380ac0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e83518f3b0acb9cb1bdab967cb380ac0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025a3839fbcdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002438959ebcdeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e532119fbcdeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005322c09ebcdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce25829ebcdeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000824ba89ebcdeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
Token: SeAuditPrivilege	2524	fxssvc.exe
Token: SeRestorePrivilege	4424	TieringEngineService.exe
Token: SeManageVolumePrivilege	4424	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4824	AgentService.exe
Token: SeBackupPrivilege	4456	vssvc.exe
Token: SeRestorePrivilege	4456	vssvc.exe
Token: SeAuditPrivilege	4456	vssvc.exe
Token: SeBackupPrivilege	2876	wbengine.exe
Token: SeRestorePrivilege	2876	wbengine.exe
Token: SeSecurityPrivilege	2876	wbengine.exe
Token: 33	4016	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4016	SearchIndexer.exe
Token: SeDebugPrivilege	3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
Token: SeDebugPrivilege	3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
Token: SeDebugPrivilege	3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
Token: SeDebugPrivilege	3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
Token: SeDebugPrivilege	3308	e83518f3b0acb9cb1bdab967cb380ac0N.exe
Token: SeDebugPrivilege	4252	alg.exe
Token: SeDebugPrivilege	4252	alg.exe
Token: SeDebugPrivilege	4252	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 4204	4016	SearchIndexer.exe	113
PID 4016 wrote to memory of 4204	4016	SearchIndexer.exe	113
PID 4016 wrote to memory of 3980	4016	SearchIndexer.exe	114
PID 4016 wrote to memory of 3980	4016	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e83518f3b0acb9cb1bdab967cb380ac0N.exe
"C:\Users\Admin\AppData\Local\Temp\e83518f3b0acb9cb1bdab967cb380ac0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3308

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4844

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3764

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2128

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1112

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2448

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4664

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3268

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4296

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3144

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4824

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
d5d9efea2b7f5db6663ccc71a35b6d6b

SHA1
0aa2ce53d64192ec5e32439c7af6e9148cef7b0d

SHA256
1f313fcc783d3438f696c8d4869d4453aa88edf6010b7c8143f3ea5b5f4a5a4e

SHA512
a0691dbe2c6451f51724aaca468fde8f1c3de269ded0f0b6f6d0c4ddc485ac3db7227547dcb4f4fd5e705b238f0ee36dbf67ce1b613f32b8e3734f01662fecf9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
88cd8a8c8a3049ad6525c4ffa915a5d9

SHA1
a5395853452ec669976cf736538f798c585d3335

SHA256
3d9a3fe92829e0248d60f181bfa81ab02119c64619d2c84feb9efdd2c7195dc3

SHA512
1e5e9b8faca2fc6a4476dc5f47ce95d669e274e323ee5c3c398d4927f66f51be814fbdb4d587a3b4f8b43bf4a7e59e35e93b84433370c480e685fc900c91bad6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e5f3bafcb95105eadeb370c6d3188eb7

SHA1
2ca6fc11c4842a139693503a4b92d6771c0c885d

SHA256
2c08af3235027f7b3af6e10ddcd0487cbd4650014fbbb4abe63d5e738384a18e

SHA512
d7b1c40420407baba347b3f6e527881112ac51bd47f11c9294e79376decb47d3fb0c8d4011e5bea8a3f14b52695513bd008c3df4f83ffb6efee9f97439fc7b17

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
99f7d28d87926d30a81d1726a5d912d6

SHA1
940a7b85cf1e9d55a2794a6f3ab43b8fc59b1a29

SHA256
3a1fb2963a419594a4d63985ea759eb9e60eb9461fcc2b7fecd830aa96a18748

SHA512
d35372fe583417d26dd7e88665a322d0f05a13f1aba5b09118468becfefaa3c30f08898275fe8736b8989de97482cf27b72d137e008d170aae3eda49d1b49fd6

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8e66529f54f74cce0e3d764917e88f47

SHA1
719168d95ddfc6ac5a56b8afa71ca797c28d3d48

SHA256
a9c819922d5b583241b868f18995cba7381b9f3ff253d78748076993b4ab0b3b

SHA512
74a3538dedaa9b806d9ec6a678c3416c06ab594dabc6edb58370c31b077a754afe1816076522dc23395afed15fbc7a2512d262cb61d4825a422c518c43b07594

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
d3dfeec10ff0d374cbcae2a57435670f

SHA1
19c693b2dfd7ab227a27007a79bee824ebba0194

SHA256
56e5e0c0245a2ab03076c7c0020eedcf8780eebbeeae4de2b1de2b73d01b3ebf

SHA512
0c9e5b3335e798fb9a41b9ee3040334416199b23a9d8c39cf17ddf17a37f171b1c8962b50973e4bfa4bf5d6c89df2d277079c716b397dd198fc8934472484c51

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
48fe4612a302894d869d395399dec536

SHA1
1b3e9f29f563245e1ac2c0b6a2403e59ac83b336

SHA256
f0222c4f1d19615914e3f202e7e99588609206fbb32b820d062ee7cd156f15d2

SHA512
ee86b4f7d6f03f81520d2171556218f014928da9b38b278a5670390286d60af19b8b7e3fe339ef4eff25e6054ca7872bda1515d1ed34a448d2d98fbacecce8cd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
bf134e85737d829e605a265ecfbe29d1

SHA1
1ea5d7058075834a2d693021c97c9f9f8b4afc99

SHA256
95b1fbc2d205280c62f2a54836d23338e61d4408fddd0ab78b8a708a2c0b7ee1

SHA512
15c7502efb1fd6a63b72f491d9fe23249b842ae7be422a994c4e8c61cf27248d702dff4ca71bee9d4072c6089898bff0c3cf9ecdb4dccc734723e0630ec3dfad

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
06b33f56293e2652362f56a0038a61a1

SHA1
b20e107c6702512374d274873b9a588d65f0d4bc

SHA256
16a54bb8bc7df7478cccf95a935049ac0fc952ac199e755ee6a89956dd93d564

SHA512
5b7fbf0144feb890302b9b6dbc128fbe66298a9253c864cf32eb7316d276990430efcfeb880f01b0736596cd70310d5c62b9a2eebded375113fbaa124d87940b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
25c457df1a1457847b216be83c1f6280

SHA1
5b9bd48fcdbfec1826956a6211ec1bbb0cd01edc

SHA256
3df630b689d9edfc8650ab5fcf0a36aaae0de731bec052c5c4503f00c3bf3433

SHA512
8b87e014b8ec94ae961bff0157c6d8841f6a64ea552d2979f03f941c535fd095529e6b30eeb4cbdea4497d69d95605947c1043910bacd8fa0b4122388866176f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
485e38653a263f6ed8e3ec99c895f000

SHA1
3c34fdc73e93bd6d004f629a57e18c2fce9b64e6

SHA256
fa064eaee981e51808a97d4c90d6c5b0f2a88c83fd5f3bf0a06bbf0bfcc1d054

SHA512
16fb38903f02a77535f4de03dc2667acea58728f16c6a2fb7759867b29daf054c5004e66deb9f537db659c19aca7d76525a612d482bc7ce1390f3a28496ab147

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2aa32d9192bdd804ff8e643cd1eae5da

SHA1
441e66ff318066b5cec0fb2f49cce0cf6823a024

SHA256
5eb034ea824c7d5766eaa42d58e6d0db93c00d56f3fb9b2f20e85de1a24f9493

SHA512
0fe93c180372c1e63aa2815bfb283fba77ee9bf33a1484be04cb3eea84e0f77fc8793e505473b7391b2cd4c6bb75189766c475a384e5047453740163c7ef48b5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
5ec49234382895e10fb5b655022c2ace

SHA1
e8b91fdcf078cf3056aa339de8e3af426b53e457

SHA256
ec132b9b21733cbbc85492d07a4db3f023d659da221492ae6772dae6e1eb4e89

SHA512
87a11e88537533a0beccd355e4b5fa9a7d32112a37916e784019edce7b55dc02af992ad96b6bab0860d52162a1eb77ec8acc03ef9d81200901a23c07b88ea7f7

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
d74eb386182ebf1999d4f29dfdb6349b

SHA1
5b0a011abffef28a6d2c2a8a183737895a6be851

SHA256
96682123535a9d5b212f7c04eea5a51debf4cf4c4044348a7d6edeae65321083

SHA512
a1641b35ec60e215a4627b7359b252ec40050e694787447a69f081ac6a94fe49b0c8f4f87ea916dabcd95ccea51ec1295d7b92fb3dc2cc0a0ce8bb1d6bf402bc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
72d59a04a6697459a7943b2545a76721

SHA1
55a713793fd251ccb42e292fd2aeaa7b96d2139a

SHA256
3d4339fe4abeed799cb949d3614bb484c5fbd034991dd1f8fbad6f104de736c0

SHA512
34e3a897d13273a47654003b1d2041df3ead178779881b94d7ecd74d8ea2a863461f94037f3442035578366af97e7fa987dc346e9e22938fced8145b3fc9c4e3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
616f237d7c80fee4fa82673e242c200a

SHA1
a254584de1ee10afd1a5fab13804361e75d3348f

SHA256
46babe422ecf3a0c2227885641150c468b39692d4ce2e320b4d5f65687f6e836

SHA512
9b6607b6aac8208e3b0063b3d91a732d57c2f15506a71be8974433e40914df4f1e62f4e88392e30e14aa74223a6f279d77a28d0aca4e3cdc1b7285d53dc777b0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
b030cbf7639faa4d7e973d4751712ed3

SHA1
a8d1d81d98c32cfa4e3729a6a987a39605d6d394

SHA256
c731db454124030cca60b3991943366ab576fd614613ae4b5131b0d46f586899

SHA512
aee2a24438be87a76c54b1aed49aaef92ff96addde97b8f05a744a6f6f63e9d0414208d68a1366e0e67e54cf49fbf2c0bcf0ed08b51dec6c115939691d767300

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
fcb54a929c33450dcc8afcd48c5f2cb8

SHA1
6049dcacc61df263d24e2596608c8c6f6fe448f1

SHA256
9d1114e898971ee3b71f4bd712e0ddbc0055b25a5284d583e23efe34af3bb5c0

SHA512
e04e8b39cef75fc9bc278386c757ea992efc618d80e4a1b4e30322d9f03fd94d572f9e688df137d0c5010c9bd006b9f222148fcfcc06b1ca4dca6ef62534e129

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
985bb3c260aa5d71cdfed699883c7035

SHA1
39f6c6e2e1976cb1e7bfb72be5d50abb8ebbf15e

SHA256
abe94d713d6d0fbc5999507a78bf861eb1a9fc4b1a158e3975a6edae3ecefc4f

SHA512
eb1e9725dd0e5171fc6bcea1e13c1b11407b9f566b3b231126f8579354ff362e1e55dfd6f7a6b232696b8ab6f449bd10936d72ad15e9f528c5989ae100cf8954

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4e52fb4b87fdf2bdebbefd1d231dc9d9

SHA1
23551b851fd712a77818f9eac42fe8042346fb42

SHA256
a097c2119fe4471fd383a7716c43f7bac55b952aedb2d48dc3e6f2b4e9d79cbf

SHA512
dcd7182ad224d6cf3069d3a1ac30bc2314a102080f3e85ee825a752296dd283f335439ce3bb64b9528d259bebd9ec275827bd578721f9ff83f9b36a1a3dd2d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
1e5b6146a459cbe78ddb8013a6977f01

SHA1
54e5c1f3b57c26bc58fc453f42e72e5cab2acb7e

SHA256
c9eff82fba557d086204b99bbd2600735f2ea2026a9856cc49d91accc1aa8738

SHA512
5870157e494e7974ebe021905ab39b60322c499985393784544422808f19ee17e120c65a42848ec7c72d02ba07fb1c941e09ec173b62d09b53a30e423bc254e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
757d572848ea688537c584e4c7185cf9

SHA1
59b39d20a15d42859e3dd7a0fcbff47a8d101834

SHA256
74e09d33e0607c9cfd3cbb5e8393cb71cf20a6a4b116b524dcbaf298496be910

SHA512
2c1d5552871bde2eda9e359906f7e51f93120f5758af79816b85bc20223c98dad98dfbaafa267777136f24cf9675e002bcd79628c0d13217234c552db786bb0b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
882812ae471b7e1a59d6e64507f9a32b

SHA1
20695c1980f42f2de545925067a906b4074c3909

SHA256
8eddee21e2971df7419362f48fb76eea738046eb10a9728e58268d643428c461

SHA512
63d15eb6549ae26131d807dedbe0d887b4575e45eeae527bae4051bdeed6a2be0904fae0b1af8164043e4bf40708f4ab3438c715bf37b96bfd8bdd5866187620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1c2e7041e4e35d86712159d93d0f19f3

SHA1
15bf7a79a1c3b70778566c3b62c7dfa0968e2c72

SHA256
4a1129d6afb7d518aa4cf3b4d0f98694786326c7b92c8fc4168f74ed0d2c8c2f

SHA512
304c03994301510233c4b3b317d30800acf7abb075b3eb0de1b30c87e8bdc273b4bec2dfd664537c0db0a22d263ec3115df8be911e34c7a65cf5999c48ff97b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
2c20a4d415b7921e7a2999ca1d37539e

SHA1
d970f74f16d8c574919ce1e8998330901d53471f

SHA256
e2f75c3ebda889062c138055f36f3bf1b37e629310c8714fbfb480d50fb29063

SHA512
7770b5c02d0e992541c0866f4c9274ca89cd0562ee934c34c52ee70410f93de38881ab0965749a1276af79eab6352fb842f1ff88f609ee99b06367b8074b7ef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
4bbfc6ea27b1057e4ce1cda1fdc2bdd1

SHA1
912cda4bb5c0d75ff3b54c2d3e029d304f87413d

SHA256
d3aba1130bbfd273be44bd8493ff9352c7846761ffdc663602c2d226690c86b9

SHA512
70b0a5d183856c2968e205f46235406c40a75beec5093f6d0d3058124bdda91313322b1f87b52c40a687999b498ff2006e2bad1450e7377d1eb4f2fb9e8e60d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
2950c8ec1d7fb422ff38a2b8440159ec

SHA1
bd0fc8d8c060edd7bc69a582e834ed3414e4d4f4

SHA256
d709862ed74fd1da86028cbd29406f8448ce307c1a7a74cc8260b02c8906b09a

SHA512
3f1da2f53449e7091f4752fdf2d4140b65d1f27abfa53da0853401935ba20047b1d864041e2840036d647119972788dcfbc494a2c3936d6035e4ec901668305d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
2cc546fe41dd2475c43dbcee2470f3d3

SHA1
8b3188e3088574119cf708354ff9095c1ecc1716

SHA256
eb16e68b6eb44c6c9d271d48f957f810990360c424df1254f118b57880e2d09a

SHA512
8a80e5b31017420603bc8d334219c2d5542dd401de16b40d4695c2472ac2bbc35af154ff26f62158b43c306485ee3783459cecc87d0a38fa075b7a2b9ff38402

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
8d7f69e0c471fc507a62ba7f4a25ffa4

SHA1
2f11530ebf41b295e9660bd223967d5e3f1bd8f2

SHA256
e8882fec6cb9c938b7318c18b0576837267ae5f05c4ac261daa94b0814210a25

SHA512
f714b0dc418f7d0bf06d8ff31a8d149f0e2d3edf2b06f56d5f097d116f13de5efe5b3dc3ac5c9bf3183d2aac1a1dbd5c46518647a740ff38bcc87782038be2af

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
a92c6ecffc01a82b15404720de6b3da3

SHA1
9fa066facfeb43b24323e2f610c72b978f66275a

SHA256
6ad9ae8114b538f81630fffa452dadc556d1ae6b80b623cc10b14b571c70a5c9

SHA512
90bdf7b04531dd05ad27fdadc361d5d7673b9e1451d93e49693624b52c326af5b1ad745c878aa405f69dda0f1f160dbd79c25d6be198d9f2f8060c5f7af5ebd1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
72479d85a7a0374f2961fb342662b2e9

SHA1
f7a78739d769d1c0dca363f258b364001495d1cf

SHA256
0c670f6b63ea4d99c91385c25d7430c20f0ad52c29dc12bf130b1597d9ff24fb

SHA512
cc2999cfca1241c3961ea11296325a6d7e77ed56038b324c379eede80bc9536926f5e6b6a0cd2bf602d1b037b5559ac2673157cf844740954eab3f873a9735d0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3bd4bd11254a001784353f5383755765

SHA1
940a5c606e2d08a9de49e8a9d4938e25cb92fcd6

SHA256
feb771545c5447d2bdfeffaa9b3ffb260da07322f464534fd15dab7c4146aa93

SHA512
cfd410db1a981a326b1aa242ae740925406a0a3a56de2ce917174d2ffd011e67bc216612dbfe7902e125011a0441e13d6c4119ae7c15744a575f38dfdb149590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
fca83497fe9b569c8a4d1ee4c7e2090f

SHA1
1ae75c9d396dbf3771df17527a61a1c02f833e6a

SHA256
82139fabd218cbe0b7d5c3dad9f516c5da81f0e08e2fb116bc1b3312a0e6a6b6

SHA512
f93d92dac7cea44fafe31f901e9a662d1a12ef88dee95198af88014711c7dc6962b7aa0c7f703367470acd28602509d438e51881c1d328eca1086164fd1919c1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
380a5bcd9688ba1416fbdb1c3da31f42

SHA1
d2ca8024f7dea4dcbc43602e68788d21dfab8d02

SHA256
35c1ffa50b0b5dff1e8667e529206ceb8c60232cc5e1fd2e1ad825e1e4500497

SHA512
3abf0b101406e1dc221c8c6635c0addaad950b2278c59ddd4de48d15863d01e5c14c9c3b0c680acb95103eca6f788336521ff0773969c29a699211a215b2330c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
00643a2dd7b8001ffe5ac830b1c8c69e

SHA1
26a1f2447aa77b8fc7694766ebd92e1bfa941a1b

SHA256
26f12dbe78af8e8c97c071d287b703affc681e7ee694d76ad0b3d0a739a3d0a9

SHA512
166b4213377d788fa0f10df7405a9101deac05611f66cdb32e80dd8ec711ae6c42c3e657693b65637f7cff4052206e52d8cdae7ca987eb7c7b5c32034d7cbf87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
add38a2ba5237761c2045fb79cce8736

SHA1
da30f30649fb7f4ee0f6a3166546d2bb2004b7ed

SHA256
99a019af7e1ab08b77a3ba5528f8473e27f7d6d077047dc25ecec9db75e58be5

SHA512
8b4ccd708d8f297162cceb00a06c79d604a6648ed5bd6520fa80009435afcc93b5b743bdd274a067731d5ad0ea1d12b8dd8f8d7cf9ca7f9e631628cfc44ff9e6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
7c65fa3d88c3bbae475f40760c29b7de

SHA1
55bcd447e8a1b93a57cc262e816b69b53f311289

SHA256
91f4516c25888ca642900fb75f51d4cdeb5f4e84c77841cbdcb29d6c19693130

SHA512
6d8047a4669d29623d631b45d9279f06ee77fce000bbd4df8884a038dd1a0a02803594c500db28e0eb950af8e9f6a1b58f4a44d05e479368153fd43e2bdbabe3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
206dca485a0282df754ab2dc29953c19

SHA1
69f96e5aa164eab985712d160efa9118e88db16f

SHA256
46158bb1246020c7955d3e13bbca81716db6572d48022676fa270a4b3f8ae209

SHA512
1a2c43843f81090e057aece1750071765ec3c0bcfeeb5c6fb44c38f640101c0f6b6a70f50f1c5ce945932515b02f0aff6a2168bc3066f552fb5dd6fb7cc650b5

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
acc724ec29b09f02acaa9326808eeb78

SHA1
f28c3b5b7e87a26d30a638082ed3b5a5f9a96e76

SHA256
2b3a67463f7781e7b7cfecbdf66b6abb1309e8aebbe8a98599013bee542b1faa

SHA512
b21ee8b1e42238fca8e968476d7ebec1fb491d1677b5738e97d0d28d686842b0f435c7687329abdfcc5551f865a074b2a032aecaddb61d80cf7443dca7e01470

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6126f709a9d1a9d443461600ac0850b3

SHA1
4abd8ff51272ea7adf772244ed4e54f90b26b404

SHA256
616ca8e581c0f347f22bd0de52723105c0e094db49bf119ec4624e6dc31fe94f

SHA512
2ed18ceb5c7a3e00f954f428ffa2751cda02d012f43605ed966821ada96def4efca40e6dd0d8b6082814bcbdb6e0233cafb4f85afab9c7ec7608b6e8aeba60f5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c4b8536a60ae390c88e2e2b74f9cc3f5

SHA1
9672fda2c762c3c3e8b0d3d6bd73a231242703ed

SHA256
8dab2ad36c98ebdc9503569128968bebb68f631475a36c1019185f103fa6ef57

SHA512
8822632e9d0f5a2996ed4c79d76d92f4d072990bb50f0e780b8549fe62ffe312da55feaaae5a0c3860b13220335148e1e777e2329bef94acb45e143a2c608c30

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
b2ce551174a6bc05e4fd9fe2ad70619b

SHA1
697f3994bcf8618fa64746e5a758f59bd38434a9

SHA256
824b19bd4991b1845378d85e821c60402e8e8940e47522d5551b58b4deffd027

SHA512
b082d0f657668fa982e13c656bc53d37ebbaa3e853ba28631acdd9c68584a8e145d36f592a8c9ccf37f7cf5383b8bda12a5a4cefec053bf3d02fe9671e9e3b6a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
981fd99215eae7db2505cd1cdf5a8073

SHA1
04b6a4ecafdd7d4722e11a710b8cca6b9497a94e

SHA256
a261221a75910d56b53bde80b6754a126b953fa6ccfdee552e498529fa5d0bbc

SHA512
a92d153251cbe2e32ebeebff6f6b67c4a409dea97df89d18476c3033c33b792ce1bfbd53e4505a501dd4d5c12ff16e624c1449251b98c36bde8f2dab6d34fe38

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
00833cc09cf6db70e57ae88577fb898c

SHA1
701aa560280a19e54695db764fbca379927ec726

SHA256
c41aceb299065aa3ef8fba525a155ef73de86373e0ffc9c883c3f9508df5f533

SHA512
c1bdcdcad2517567d77a54a0e1b13e5bc6956a3e2e654d3335437cb3c40490e6930d2a02354786ce5975f4371c42df12db30d7abf3d6508b5fea9c341defee4c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
608dab7d4b6af6efa3cd134886035308

SHA1
338068ccb835767a2dc2d53c1eb81a3901c2226d

SHA256
27881475dd46c214ea2122807b9e76b9073ae5f91229b5c8511d310d0a1ebdb5

SHA512
e08f92c83f4599509ce9a82c1d473a2da80e7b3cb072bc9d1d26b7ac61c1daba9aa431a8f3905c4f6b695c82b142e452d43b41ee7ba05bd04fb81a3c274b9129

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
d20f8f19d6e6550ec7f31f8c974da77f

SHA1
e39163f84d7fcd66167f37a019610181234be5c9

SHA256
dbcb3e5ff7a22dbb5014958334dff4792290dba5ac6ddf97c949589cece2c452

SHA512
3b88ca7aeee2ec983359f8b61daf055d3cf4c320e6e5a1e7a95066bed60e0bfa56febf1fa64d3b63de419349a1cda4e1a1c88c5b4bcc347b274000824aa0fa35

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
824a5ccbe571af36b4c5c3d35ca078d1

SHA1
966c2f4521198bb974d786de8ec2138305220d74

SHA256
78cc441239199d4f8db535bdbd70e98d5378818f97b35f430b7c9b1b4d371d80

SHA512
a7fb436b502791c35a5deb2d2341e557bdef1ef77b1db90f8e9c7143ecf301022ffd80b4f9391bb3e186b35c5dcb0f1bb1f554b599a808d10a35a04fcdf494d5

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1cdc63969adcb8a6a0cdf18e6d562211

SHA1
a69de42cb87f7f95384c1d636db3a798105edc0e

SHA256
0cc196d7ca46102393b1ef58fb3f942cc5a044f55ee794980f71990e2360b99e

SHA512
139495543495b303364e4c9c3be8bb11a4144af9f28801ccf6a075bc8d5818ca1eeffb916b9dd017a9975256595747cd4026257657c538bf387781f493beafb4

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
2cb268d0640346eb0e8e0c38e2dd69b9

SHA1
9a4346c8ef5dfecfec124c9ef04e5a6f7ac20bb5

SHA256
4143ddc631991cd471c9a15c5efb19fca28c075cd78c8026914cd5ff7860a6f7

SHA512
e1774a7b1d956c651703493fe0fcb92b88e308146a4c01dcddc292fd8416de0bfad1494e97838989e9975053f4ef3521bd1105ac88e2cb22f721d49dea7945c6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
fcf24495e516a92fd1b3e8800d84531d

SHA1
95482588898eb05f4c1a0290d0655ae02c38fb0f

SHA256
5b3ad680f88a0f67f4fbb6017c8ac175d71fd8df5fdc61ddf9e0e32f36807d0f

SHA512
a1b731507dc6570f5112703f47bd3b7246edfee63452e3899051b279049ad1a0b9d6fc002c9bce45b3c0ab9522d188d7cbd9e8fa1f8817863ac017b0ac8bf686

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
b71d4751357cf96789bc11d3c9521729

SHA1
5d5f92b5211a6bac342089b65113a977ba5ad12f

SHA256
4f9b94b2e6e9d002189fa19e8df52f72315cb094abb57ee17bf38484104fff4d

SHA512
74559063fa2d8647c111bb5a57afb04ee533103ef9b4cbc3bd07e8812451522de76b9538d087f2086cdd5ac8a81266c86260d1d98fc38273520cedb88d232aa0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
5e2e3ff7cae6da72946ae1fb5f59f900

SHA1
c28e63ceb8f247d7c7a07a5163fd1b871f2a9617

SHA256
4b38a8fe9b4358497ec8fb1e76e5a122a7a5ef294217675f84ebaa39b659600c

SHA512
068d03ef3c6c4c340a8ec4e34ef4890508682718abe18fb7ab182f78a1c6b7c3bd00a9a78b0ed037b145355815905ee2077cc58abc21b724dfd24db3fced8724

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ead5bc07297285c840c819a8704744a3

SHA1
ad8ab51e185c2d8c26f8cf5d81e79150bd227c86

SHA256
b68498d3b72b9e295d409c70e3c054835b0af5651250964abe5a2cb608723fb1

SHA512
77cad0f141646906b4530972a5bfac8e73c0e6d1dc0a476cc9211949c44eb3e15b9e27a0481366c14177089085289912e10b62724db95daa25db65a9687dd954

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
43386b33ad2ee2cc1c09ec92cd39e37f

SHA1
f642587702b72d53a09bce54d6b187017e326caf

SHA256
86de0c8200a8fed26f3fe8027abdb0d9ff44c96b326b72f17b339276d02949f6

SHA512
c5c0f6e3de5f0e18511540eaf510aaa7a7793aeac1143c87cf30cadb1b9e5292f32e42d26fcb465221603115d19093350bdf26445009ca766c2265ae657a218d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
2127acdc6f7c6bbe43b108eee9482b64

SHA1
5b02e00af22e29a8fc5c159922cd2b590e7f4fd1

SHA256
16a08e838f73aa32c61d3c5fb90219486efb3f02287c90ac174bbe8727fd5fe6

SHA512
35512fe344b1518850be089bad0d92107ec47396a7959f9bb04253eb729fdf43ab4ab61cb4b3578741968db39a0de5d9ea2189008a66220a8c19c62be5066179

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a8314c13802e8191f017f7eb83aaf211

SHA1
a739a46b94d928c8b5027e8ac020ff7b115cddf3

SHA256
446aa05ce851275a41e56725b65562c922ae7f0e3162255da6e3266d2177a0ad

SHA512
9e2c0feaedce42b68ec7f2f9d8f0bbb6f893ac3a390df70fb721f7e5ac425a2fd3a083e16f17fe68a17193c0ac1d4f82407b32413a27f1554e7b398d6594455a

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
94708b222980abc8f2a1ca75225ee897

SHA1
bc64736cb639615a6ca553a39c940fdc7a3b811c

SHA256
a66e8f304fa8bb02c1b61bfd40516a54a0ab0c75c293b24f783a78004a311151

SHA512
d19cb4b884560785c6de672c9af7e958451ef9d3596e77aa06182402aec6392ec55cb9223a7f3a769dd1331533eb62406e786e4fce6b464875ed95e885ef8b1e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
d4e38f2f9e05c3b46b04b2f4110f97f1

SHA1
2ea94a888c5e534d6270402e64b7372bfd8483d3

SHA256
5666c391cb748e0ebf22a8fd8965cbbf42d29dd327398cf52595a15e88428fc5

SHA512
1fcab3c08673fe73cef33459bf82872364959f33897da4c1986f4f60f4a5e1161f102e442d990b05ced8810865f768dbcabd2c0cb3d197c3a53722fc1b5225b2

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
0b0fb90ae9c7e112f6badb2d5978092a

SHA1
bb49fc3fc8a0e95b878d2ef0a2ce835aa1cc0b90

SHA256
bcee4fca884b29bb28e99114c8e827466f3019156cf584ab4edea1f1421f7aa3

SHA512
33ee808f967f760d106a8b40341e6ad2bb4d565558435ad7baed61dc119d7cb09b3857978ea9934e6b7da005662922890e3324ae701b57f1b68208f54e294b39

Download Submit
memory/1112-90-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1112-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1112-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2128-84-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/2128-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2128-81-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/2128-75-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/2128-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2344-131-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2344-252-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2448-102-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2448-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2524-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2524-44-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2524-43-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2524-37-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2524-47-0x0000000000EA0000-0x0000000000F00000-memory.dmp

Filesize
384KB

Download
memory/2524-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2876-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2876-546-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3240-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3240-542-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3268-429-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3268-154-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3308-6-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/3308-0-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3308-73-0x0000000000400000-0x000000000049E000-memory.dmp

Filesize
632KB

Download
memory/3308-1-0x00000000021F0000-0x0000000002257000-memory.dmp

Filesize
412KB

Download
memory/4016-266-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4016-548-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4252-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4252-16-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4252-101-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4252-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4296-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4296-469-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4340-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4340-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4356-51-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4356-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4356-57-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4356-59-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4424-190-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4424-541-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4444-547-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4444-253-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4456-229-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4456-543-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4664-540-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4664-265-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4664-149-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-228-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4800-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4824-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4824-214-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4844-33-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4844-25-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4844-24-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4844-127-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5008-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5008-521-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5100-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5100-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/5100-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/5100-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download