c9a480970bee8982f5dbcda0b00f8bf86a128a840720f3076479b2aa29a069e9

Analysis

max time kernel
120s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f270f4f9deebe3a6b2c517bce4ac630N.exe
Size

1.3MB
MD5

4f270f4f9deebe3a6b2c517bce4ac630
SHA1

86459c2df80da3d9104947adab59b2ae2a974575
SHA256

c9a480970bee8982f5dbcda0b00f8bf86a128a840720f3076479b2aa29a069e9
SHA512

c33717f9a7f7e0cf76ec476b46b4a1a21828b01d0f4e60ae8c572e9c68c47811c0512dc2f372c1ba330d2bef5225d4374037b13edd7cf1a9dd64e264b21d936c
SSDEEP

12288:FJFGzdZcEAMubvjkcH34CUMAdB8qr0zw9iXQ40AOzDr5YJjsF/5v3ZkHRik8:FfGxypdfatr0zAiX90z/F0jsFB3SQk

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2784	alg.exe
2188	DiagnosticsHub.StandardCollector.Service.exe
1580	fxssvc.exe
4832	elevation_service.exe
4512	elevation_service.exe
4132	maintenanceservice.exe
2212	msdtc.exe
3068	OSE.EXE
4336	PerceptionSimulationService.exe
4244	perfhost.exe
2276	locator.exe
4508	SensorDataService.exe
3192	snmptrap.exe
1320	spectrum.exe
4432	ssh-agent.exe
2548	TieringEngineService.exe
324	AgentService.exe
3664	vds.exe
2948	vssvc.exe
4492	wbengine.exe
2724	WmiApSrv.exe
2928	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\spectrum.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\locator.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\System32\vds.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\1de53ddf77a2071e.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\System32\alg.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82640\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.106\chrome_installer.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82640\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{8DD98273-B760-4BBB-A73C-31CE6F01C533}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4f270f4f9deebe3a6b2c517bce4ac630N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f270f4f9deebe3a6b2c517bce4ac630N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d3846dfdfddeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d66e98fdfddeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5510400fededa01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b15dcfcfddeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d4bbc5fdfddeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
Token: SeAuditPrivilege	1580	fxssvc.exe
Token: SeRestorePrivilege	2548	TieringEngineService.exe
Token: SeManageVolumePrivilege	2548	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	324	AgentService.exe
Token: SeBackupPrivilege	2948	vssvc.exe
Token: SeRestorePrivilege	2948	vssvc.exe
Token: SeAuditPrivilege	2948	vssvc.exe
Token: SeBackupPrivilege	4492	wbengine.exe
Token: SeRestorePrivilege	4492	wbengine.exe
Token: SeSecurityPrivilege	4492	wbengine.exe
Token: 33	2928	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2928	SearchIndexer.exe
Token: SeDebugPrivilege	3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
Token: SeDebugPrivilege	3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
Token: SeDebugPrivilege	3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
Token: SeDebugPrivilege	3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
Token: SeDebugPrivilege	3176	4f270f4f9deebe3a6b2c517bce4ac630N.exe
Token: SeDebugPrivilege	2784	alg.exe
Token: SeDebugPrivilege	2784	alg.exe
Token: SeDebugPrivilege	2784	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2928 wrote to memory of 772	2928	SearchIndexer.exe	113
PID 2928 wrote to memory of 772	2928	SearchIndexer.exe	113
PID 2928 wrote to memory of 4468	2928	SearchIndexer.exe	114
PID 2928 wrote to memory of 4468	2928	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4f270f4f9deebe3a6b2c517bce4ac630N.exe
"C:\Users\Admin\AppData\Local\Temp\4f270f4f9deebe3a6b2c517bce4ac630N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2188

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1172

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4832

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4512

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2212

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3068

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4336

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4244

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2276

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4508

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2368

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2548

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:324

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2724

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:772
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
83a712027799058410564ae6198b0946

SHA1
fec8fd070692207020ca325adf62308139ce362b

SHA256
c39d9003db954e9d6fe2cd60c96dd8bcc5ad17ad5383a5bd563a166ee6578a7d

SHA512
2fcb44b1e152c160d260fbf84259328eefbc87ed6960e31fdf408f34c21ff730e6a9de1dadecb9a56e5aee4cddfa4ec85baa9783dd11842f1deb128b796d780b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
682415221a5a910d223408e7ffb126fb

SHA1
9dbf74c764f025254923b962076d1378eafe5242

SHA256
29471120a051dd249a7bd05e3cf4c2d243f88d5cb5d3ed679183df381d8a76c9

SHA512
42c432d234fe1bd354511c35664fe747a4926b7249d2794adef0c4f8474d0159b0f7fe0b5520406e32165d8b2e4f06659e0944056acc509066b923b92e315841

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
6359961abe72a1ed9b65946d00870f46

SHA1
bd84fc544c6bad2d3443c57d8f949321e23433eb

SHA256
92038ed35e74e117e8348aaedd1975926905e5cf1935cd362ab26d3875d183f6

SHA512
bb2f416dc52a5e3afa26af7454002c527561e0cc5278ad634dafdfc78d19f0abdd93c7566ed3ede5574050ede330d8e0fca8989c51df6ec5568125dea04a2fde

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
dda47886caba02bb1fa1c11a1fe89dfb

SHA1
af5841b9ffc830413f8afdd8a155bf9fa49511c3

SHA256
7a248c35d17bda7c492730dfd67955abfefc5c0e9fefb494b3ef173788079cf2

SHA512
c2250d520debf0a821c76cc1078166196d6bc4daab8fd191cd7c67c77edc1ed1d69bb4135230c4364a31b313ef41a982a731e02883916fe4264dfb0e9d6512e1

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
ba699e2f384d989974a433163b312d34

SHA1
e6d9dbdee6e4bc5ba8a0e98c3286bdd0e9589367

SHA256
9c999816afb34c1faac5f345f2f8ce23e23961c92f294c5a8b3106dc20862c95

SHA512
a9757daa31f5f97b07c387765c799c128012dacf51c18e4b4f7e9f050a2ea5dd332e743cf4f6f1de55d60dd92c2749b2146fc0fa8b7843281b35d4231c8b2dc9

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
6aeaaac2add1927d3c39f4b199df6f60

SHA1
d326de5d824712b4936b0c28909162c64c0d4eb5

SHA256
322a0adbc6cd6ed4a2ff39dd3abc93d043c4d9f0bb51a7c765bfb5137c17998a

SHA512
9c821d74c826beace74d88fccf6a05b494c56c54e1f6237b2b8612ea69b97d7ecde5e5fb33e3429f0647d0b7b91106d6e99feab17662f969443a0621ab520b0f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
1ed7b3a16fae11e3ec352cd354ac0965

SHA1
b0faa1b3ed3d645c00aa48a60ea9bf1d23b812b6

SHA256
187ce5fde445a9e296143b1f5d31828feefadd7deb07cf4751d3b494d4804728

SHA512
2e3bec024b39f100c2dcd3f1d1272ce307002cbc4acac10667b239a0183c43910c5e393bfd6933c6413c8935aa027d94d46e188d9e66bf4d5026e51658c647d6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
87c4fd621059dad381bab3d1a621da59

SHA1
fe70265358474c8ec7266c88f1cf9a523ee8a463

SHA256
a8561007e38c9a1a6062386e66b1b06ea36421dedd8fe7a45425597c0ded9f13

SHA512
2d198979038bba8603286117ec44a033616a43dd7be1c4981241b0481871c5e75f92561bf3ccf586701269de49a7069f4ccffb47bfd332f1321138a61e5a16a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
659385d0d414b2e5aac4afa160ec213d

SHA1
b39fa401ccd6c046181ac21c63a2af8378bf9d5d

SHA256
5f5e01054797af3ce746ecfde25aa82a6cbe69920accda5738b6dd93ce8a2fe8

SHA512
1eb3ce6732753d1051f8135c8e3f9e18293d3e8d74f94193e80d7d6775de46fba60f36e1387031d91c82242f44420cdb57f901f14de35c830fa8a7cb15e08cc9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
329016f69aa1f041e6accac639b1cac6

SHA1
502a639f05e080b0451ce9070275eccbbc6a3e11

SHA256
d285aabc890bb6de3561666d445f2adc471bffd49f21c30e7fe1f7b5bf438338

SHA512
b903a1adb363e132eaf223a3c07f6acf808cb0471d5bb80de9c5cf1bb64a51dab0a8bc6dd38bd4168ca1ca321d40d6a085dd915a2aad2f6973693012e8ccab3e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
91138372e1c451027c9f6712e405143c

SHA1
d32675f5733bcf498beffc18d00aa7d3ef74fcbc

SHA256
32e093f522cc95f8e5306c298d19fdeb59861786e9f7793ae6630f3f08c3f798

SHA512
6494edcade7c6832a288b82b0275d72ec595230878fccf27c05be3ede170cf4a9d35320511e0ab97ca2bd28b82b237366d11e12fb7686723717df4c40eb56700

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
88636fd5735e3932fdc35595cbccfe44

SHA1
25492743846ee5b5b421c8e4e30fb583e47eb859

SHA256
3dae0a08e1b16f92517ff591cdf5c7a5f1d43b10b9c68bca9f2950cd6910e8e8

SHA512
d2d1dc1816367d231a35dc929a9338d0820d8ad3990f98d22444ac54ce75aa25e35b23f0b3a4b34d9b6af108f5cc7c80ad35010c4ebc11ad4422334a49f3b957

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
c9c9546c3ba59c926823df7b0f415669

SHA1
2cf15b8ba995131dcae13f224cc06ae8c1176f04

SHA256
fee61da9317b0b5df7047a8648fc51d4aa69fc59d115616d7c8478c954c4e1f8

SHA512
9298dcf99da298b8b4e41af3a84c6aadf598a1672d28f3a57ca014a9060e24e7831c1bf1b650ebf1a13d298ff866d4092d3b1f8d25106c8cea9439fbb5978462

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
daea8279bdd6778f243dbef7a2028f4a

SHA1
288edd80cb601c1b6ba0c306f83fd21efc2a85e6

SHA256
d023e19213c4c4199f4d316f5e99aa1cf46219d743c6670bc4cc00d67811b476

SHA512
81ba7baa84889aa6eaaac937c7880aac92ba514b61ea62045dd98fa13568f14c0d06ecec5e5f2b3674b1fdfd4812e46bca04bfba3d9774332a60820fad77f951

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
37b581604fd56948818a52aa164939f4

SHA1
09edd8c2746ce4df11b2a6fe85767583d9d28cb1

SHA256
73b06743a4090dc3a160c15a2120ad3e514674b236473167427ff434e9e31132

SHA512
23b5dd6204c47505f077f659efbdeeb2e23944b5329d358a4a2ebf130f50c520001c4c56a491ebf216e75a09bcee515d82a8495f1e85841f34a4f68950f12a5d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
f3fdea8a1c93a4f6fd11603c297f10de

SHA1
7c4496dcca582014c9ee715da25872ea19a033cd

SHA256
888462f61b3efab33eacf46d398603998d3d5b1b95e5c2297cf6fa4874d566bd

SHA512
d6eaa2d6fa8691b3950e5e336527221dc7803a508d852c824c18a15408d3a3f8543bbd613c2bf2f79263327d51d59abc5afbc68e7b73a014419abab24f0208a7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
263f0c6e419c186b2f377d7a5a18a76e

SHA1
534f03754b04f26f37e7ad21426429c27109e34b

SHA256
6346bcfff9ad13b838b0dec55c24d88b811b908180c7ee20499cb1fa7c6be2c3

SHA512
a007e4b8c711378d068220aa9bc77cea7081fe0b9549ac65a5839af3aa6cb9625186d7de2a0074a789b541cab88ed544fe3bc92764a1615b6c6d32d6a7c50096

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
b31e725992f80ad014e714898ba8f482

SHA1
b6bb8e57e44d62cdf6511dd0fde6dea230bd9a27

SHA256
71797efec66927a8f085d8eb72d78492616884c2a8b6a29b7da49cd941d3a0d6

SHA512
c94475c929b0a9da3d7e6b32dfe71055a13e07b70a8e66881b357cf7640a8e1676ead18ff58bee160d759078849aaa4119e0dadacb278c96d482a75e479a5f39

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
7a73e354ebfb864858e3e2f8decff7c5

SHA1
d59de73ea2fd6896ba380568a2ab0f279ff8675b

SHA256
1f29b8b44aba59af683d79e0126ba4ec03a70a4b208e4b00640813e507c8941f

SHA512
9b31ce2c668f123a01ccd1af3285fc2f52d4f01579c3ff0f77cf33584ea07f94a5187384369282a6a8da5c84a1cc62d7da66a62d0ede5b21d8ad408edb7dfa83

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
7064c535fb51652fccf85b9ec764349d

SHA1
849767a17661912064470097eb71ecaf9d901de8

SHA256
914dfe57f2023daf3ba85e1ade6b8731ee7fd84398608965f18a62b8aa670a53

SHA512
58b963f11cf261793c2ffa36a7271c5dc787ff810f947b750eee1bca28f8e95967473f7cfb9f20c60333d21d2ab453867d9f0b9e72b5b2982375ca3cbea2f649

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
6b2021eac3478e5b57be7bac5107d791

SHA1
519b73bd03c05f305a9f93fee4307ad4edaac007

SHA256
703853ed4c2f744506a0ebf423cc8bf0c15ec4edf9dffda418b385ff4682537f

SHA512
429b380ef9b9d6ab426c11e65007b41c5156472875c7742fe251efdb047c7929a1b311d42a9b506c62f3a400e0dcae51f39f8a9e877c556cf564edd26bc7c45c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a1c91e268c4efec8e522aebd64311a6b

SHA1
1d89b3096b524c98645b49f680642f1f3132ebe0

SHA256
b696ed88328e42555c9cea26427797af3dfde9459a391a7be4a89d01053c6869

SHA512
59cb82fea9f9a099d489bffcb7a8a98e371eaeee2d0f142d996658512982e13875fe3f7a39f84d198afb5fa239110caa6f8af1fea4bfdaeed40efd0f6815ee2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
8ed398434721f0fe18f8a570d4df9994

SHA1
e783a9f2c14836a1f9907ea190533a90f7998d0d

SHA256
ef2669c575ae2d239dd9804f9d77e630335327fdb22b80541b6dda32ce2c7a65

SHA512
4cb180c48632c2502afa1745d5b0fee40d72ce0ca3c4a41ef94fd79641a9ab4d0c7c2c9619e0e3011263708874425e2b2a0f1b1893536eb9ff9aec8d059b7b10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
962e46fc741eac39f129388bee5337b7

SHA1
ae0cdd9a84934ab956f35eef71226ab462be81dd

SHA256
e0a4abf3a66deaf5b9229e3eca8677949bd685f0cca9176fec647b7b52771f2d

SHA512
b8a7ca2ce6835bdacdc834670f139fd55bece3f714a374db9fab3de6ae02071289b06d0f1a606b4e21a1158d6999682b19441c904d1025227381645f00ca4bd9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
7bce2bd72ba09f4153a905758d505ddb

SHA1
9f5682ae6d3bcf1c6fecbb7bb744698b67f7f36b

SHA256
de88c71d0f5b6c111f897264adc9ea2e5176d9e94ce3cebeeb3334e20ce8fb1b

SHA512
b32b2db968f8cf2c61b9ca4af52c84a383a2bfe23a987dd23d0ac821321564d62ba226704fc3a6149775047511bcaa0ba31b913df46b53e806a99c5aee8a4037

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
97c6c678d8e38f37aad7b6d6945eec15

SHA1
0bb8c7dff4820f9dc0a01fa444e2bba7ea5d3076

SHA256
6adbfe71cd175ff91c50f12482c104a5b7e0d0b93da434a555a2b4ed2c8358a7

SHA512
43fe08f11fe0717515e4b110e949a301fbdd20fdb71a6b3e29c4cd77dcd95ea436b5bac1ec1ac788d7dfa7cc74fdefd97ab34c4dc9a559022fe8e5c8506730a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
d4512ef7c7bd652f2276d4fdd1885f1c

SHA1
ca6a5ee60c319407ca2a671f7ff44655c3844114

SHA256
28a1971caa287a1b516c9445b91a5863bc9569be22c1f7c1431da3fd335da0c8

SHA512
185d906bbaabfb9a01609b94b2564ccb8c73424aab9b04e4fa41c8b19e0516f8cd7ad37d30cf9fb48514bc1d8e7afe146f2c88aabf7a643a48f11946c87d1a45

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.5MB

MD5
4582512d3642cd093d1b90e8c6bef0ed

SHA1
ce94af2e21b8945d9b3f964749adb81f0478064e

SHA256
5245802a50b594c415c2fb1d90c4bf81433c7bfd8189408bcacc1ef32ea3a1f3

SHA512
8289a3e8f5b5096bded38d720b68fe2770fcd8743737a944a16c47e61fce24b0f52760b836db1e05c5d9f135fd165ef421f3708790a98a6ad919a558f4e27e89

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
bcd7c1191499ff856754c2a7b7a9f787

SHA1
b72317b72a6c42255c8a3fa556c2a3a68fa69441

SHA256
02c9f4f7c65f5fe93519826df12231681b84f660b7d5f9224fdbddb56be4d6c6

SHA512
7ebd4ddcfc0005d94ad8af7b1341952638a12260fd7d1aefca4de55c3f4c38136b00b0947de22f3693586f4f5de5a3735eac0ce92222d66950937110c524574e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6e1e251df8d801309f298831f98a8e98

SHA1
d1da62c2ab999059f342ce07b6ce66434b8684cb

SHA256
c2e6875836176aa856b17da4b25c1147337e3c7bed9c3ed3f9e838b9b7ae0e5a

SHA512
cc04ff33e82efea99cbb47e292678bba28d5f188724c9d434a7c34e5b5ef810c3f9b765cb811712e8df5e13a2112b9a7079c1d7beadf3315434966959ec11c22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
473de17bb009dd56e98bae4c300f41aa

SHA1
dc1d4c4b17b6ed9bfcbecfe75a99063977ff9a2d

SHA256
805b348aba88a17a4925a37cd64e33f1abd80ed0e83b76173e3a05082109e5c5

SHA512
85c4bac9016ebc93f92b5714bad15f31c2a5d5a8941badfc7c380cbc8e8320276318fcca5b2aa3e5300ab0ba694d9ea7c288d2c09b0824b66ca8e1096568eef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
461eaac3cb297a801183ebfc05e3691d

SHA1
28c64ed8d1998d5a1351fa8e4179c9262f099009

SHA256
656095e288bce59978783c8c815f912e313d2198c73b95750082908e57dc9a50

SHA512
cf71bb6c270e5272fc9a4c5dcc06b6cfee99b56312645b852ea295d7a44c9bbf9544f26de2ed9d99aadea27ec3ce92de5ad76a548088a181da17a091b45b328d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
f06b81338a56405c5707963036cd7e6b

SHA1
b1cfeab8e901741e54b3e5de34926bd138a06fa7

SHA256
faed320181c949677a21f11251366846a6ed934436d65ed2d686ccb735bbe73f

SHA512
b29bed85d3cc41fa26f791d2a272a527ce05bf7d1c86508ae51c9a5264e87e57f3c0391e07a5ff4617a2db18a83b7bd68dc8cda1aa019ffe47cfaa669a693c02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
f8eaa070e6b2d1d9008dddbd106a36a2

SHA1
0c8e697ad5560d760434ee1107a78884ead94515

SHA256
9a75d2b4e44c2d38239ba9c69c2b1451d9dd78df59728d7c8cf0db6e47e379ca

SHA512
7b2a17b7a0390994234310b7c591513a810f9a6687f434651898430b4b8dc006cd9b21182a61d4192bebed6497b8b82864c037455ae1f48e55c540e7f847c69e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.5MB

MD5
df649b051c5d609b1da3918b87d4839f

SHA1
f57d4b8d38759898b7103f8262cc8fd2ea21fefd

SHA256
c9dba20565be327d1275e1f0f89761e176967dce61fa2e3abbd09efdc425a8af

SHA512
1b2d8e7ecd8d64d4258988af45688564e0b7acfe4b5419ed642bc788fe9fe83883ae05ec3088501361d6f4ff047908eb342732675f33c31c7c4516b727cde10f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
19f57aeae8805ec40837e6bb10403e24

SHA1
3a254bf9189f3e0ab0d69ae644c1e99788ef09bd

SHA256
11175dd83d2226f87f6c9d637f7ac267f0a0aea5986bc5c7eb397042dc298dfb

SHA512
ad281cdbd803406cd031425561c6a585eadddefd404df7884fe338ca29a102b47e95d1721e7cee7be98051b1d33e6c1b395e174caeaeed0580cf67c56b80084f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
5a1cb2fcc3dca07d5a39865b173243cc

SHA1
74f2090616e0964a1d9b9ccd43eeaae37cab0ad8

SHA256
8cd079e399d18288a0267014f2ab61ae58486a79573b6aaad8709f02369a6c2f

SHA512
c7d7011060b20ffcbce3b3808f9d7b21b6fbd76012baf94055f47d15d5d15a9fb413e00deca5eb5d3bf6affdbf66371292ca17b3830a0eeee359b6ddf7fd226f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
161711f0a198c6dbf260a5ae59172bd3

SHA1
8945b76ea896c676682434cc5b70627b9dec28aa

SHA256
5a2dce039de420137edf4fe5e7572ba051e10e9ab4d9765f2fbbd9e7b6b07bd4

SHA512
c1cdd4788391578cd781c85dbfd7b4b38151cf51aa7487eabcbab8fccb8f676cccd9c6938168e81d0b3bbd382f72090f80f77b90806d128dc00828d5d7d64657

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
2abb844cc0b22833143fc99178c2bd5e

SHA1
c5acc8b0522152c8ee4713056f3bb04238c0a68c

SHA256
0011cfab40dfbe29445ab1a85138318aabd69e735fc47bab3c3678a36d882c60

SHA512
07a0501cdcd51fb50315dc7d0e96f013ef9a950b0b9dffe9327ba92a8b172fc249ec3697d6df1ba1845e09fe6d4399c1aa71126dacd978a82c90de133ad6e906

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f5ae90fe59423b81b35f6bc25a4dca7b

SHA1
749a83da4372ffcdd94b085bb3caefa601407e6e

SHA256
aea97769ec677cb60b0743557f8e66eb5632468c13c33d0c54f1b004cdd677f4

SHA512
a6fa6ef9458cee239dd919fd386417d1dfe93b96b9770fc84ae39a16b0b98072c1fc66beb6301481854432d16de44742d22e815b1b01621bb79d6d7833ad2dd7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
5ce6d644eada4a226c583b3178dcda35

SHA1
6cba6df7dd7df82d762c2be3b7cc674d2dbf8fff

SHA256
0cf68888fb6649d36a799fa60233b4179fcd6fa40f5cc5ab6fc2c77ab1c29ccc

SHA512
e07633e633b46a116daba4fad8cee95dce237cd0a46ea64cbc8da309e5722e6085939df6cd16d2e2320af044acc13266f82fc4f6a5336b6c602702d7dbe848e2

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
66be57b97541fdd907426feb8b07ebe4

SHA1
314ee4b4e3438b4e02316cfbf0fc768f5c6f597d

SHA256
bc19492180a8a40b0f5a7514ab227d0d70948b1f023f896688eac274d91cb241

SHA512
2e2b24bb44b362893fae887bedc7e571f52ba1234b048cebf2c5db69b32b9dc9bbc4207f99d22f019237c3a19f624f50af3b59a3c2b40206e3cea49318749344

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
185b3f12f0406c0137a9177cafecf308

SHA1
88a127d4263b00b1c4c2dcc42eaf90e152f771c7

SHA256
98fcbe81cf2157c0eff11fbf3724cfdce17b7c9f3b8e248a1d3ca068d4147785

SHA512
7fa5f88b2b0678eb2defc324fa2a8cc158bb49820f2d6a0c6323394608f78ba351fb1d78ce9e6e1448de5c0fc5de7269081e235dd719cf93336cea73c650bc56

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
5cb61fdd362d7e5a95ac774fe1df5d6c

SHA1
96888a5dc0af04bfe134d2e1c3c4dedaf8ee5589

SHA256
a97b04a9699722915ed569beebac870a6d1aea6c87d93495b6b8f483bc520421

SHA512
795595b538da7aebecb31eeb65b40aee0d7b3fc69dc30a296b48109923f05939c51a640ab44c09051b7b63358f1cfec2336c1697b4397f9add56f7ef64762303

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
bb1a5d77e45215524dfca3253558670e

SHA1
15423072c7aa4f7df95cf62e1b34454b2478a7ca

SHA256
421865a3dbececc50f09404fdf25a2a36beaaf7ea6e823ab7be68057164fa934

SHA512
52a8c7c403553dbe5d9f2ab06a6d9159a6794feee88f0defcfbb32a08caf584fa310d879d8f974ee44bbdf7b616d409c018607f7f6d340d2adfcd423f2b12426

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1a0206f3280df05207c03bebaa8c354f

SHA1
524f2e951440009437f1015c1cdae1c4bf844d03

SHA256
194c775bb2e6f98cd579398ee60146a457548bd3c2b38785bbe662846c7b7e54

SHA512
9c5174329c9364708756f1423870ac67809c4bba1fd9e2ebb9fc38afd1941f98bf8609a648340c2ad040dd9896148c8589dd1685c826534ae3d2fda1815f9955

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
bb8d179fb20f31572854dc575651c373

SHA1
d5545ffad0f51ca78d391c477fefedec8b7d224c

SHA256
c43fa270802edae9e344c69733d940b4bd3e3d86cc4ef66f2f0ead17aebcc22b

SHA512
8a20f7e85648ea015958a13dfeca818842ea71a31297d4c8fb0d532e396b14b2644c2e7c603a4d73a776926794092d7f0c3b8b710369ae224f40e30222dc2704

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
10f8c890eb50153f3c2ff7a43bdaf9a0

SHA1
7aba61a404199f0ae4e9601ee4fea2ff65ae2f61

SHA256
1942f7d73c41b86b095d93b1f55ac172eb2b52c99379888dcdf47f2d4e576b5a

SHA512
2d5bf307dcf52471c9ea4bb8cd919404d5dac62c3362006be87e0ec6f0dc4186e5c53cf29d37c1a85bd008c1d3bbf199b9f879c036ed64188767d8cc21fa1e40

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
09e47c3ff021144a738177bafa895cf0

SHA1
f5004c2101954b8db02df2b333fdf4964cc87d87

SHA256
42a23a63c92039f3ed88772d46b0744f640ba4749fc634ca08fdf90b793c261a

SHA512
9e570dd33e42fb1ac3947ada593e4f6f5bfcb75fe07a675b37a9047c28b57617bfbba664fcf2e4cd28cbdee2810f8aecd637652ee77a220390f8b2f2ae4b836e

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
68426b4411ce14abd6fe8d75dff868cd

SHA1
20b19e3eb821ae6c73ee4f6ada71f7bd90f8f2b9

SHA256
024195c4d78ac17b6fe9cb713965d719650dcd4c827e6b45f9dbf21ce9ac3887

SHA512
cc23d8d0257c1c00c89a19b31086c02c35249213e42003b89b680d12d3346415b7cbc56d510da812c026aaf9555414475fe7c19e86cc1711eb9670bbd38b3f9a

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
ed57f02f86575db89ae31e3e47dab064

SHA1
450f6cb791d71f51c1e43cec9bdc2606d781a025

SHA256
6eeb43e687e4dadc0461f338b0337b6c158dc294359061fbd3c88c30e1ab5d6b

SHA512
0ab15e6f3e0ac9bc0ff88a47915552d4aa9968908484b12deb680bb47650780ea8dd1d531dace7e714541e089c01da0d7e5b22374c33261641e9434ecbc9652e

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
092201c4bdbd1787b5ecf659878db34b

SHA1
629b2dc72318e1443c2da0bbecb72ca488350c90

SHA256
02d5faa360bd06f924b4d7c25f6ecd7337e35f86ba5554de4bc7f5515009cdf1

SHA512
63dd8dc03a1c7f2ad4793dd3a8f6ac41a988b48fff508aa524add1c2cc158ae646455933925185a89267116cffd0f01f2f41e0b3036d6b286f8f98bdd869d235

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
a80cf2b50c5466a2943b004b6e7e64d1

SHA1
accf4d3fe571f7a28dea83406b8a88e2d37dd89c

SHA256
16f355d5deae80a5a8a5c8e57710250f44faa3926d8a86b12cd2a1c2b3083928

SHA512
2094ba98bf1a514ae0ccc424783c2664310f0255dda51ef393af57759e09a518273938be8d21cdfc19a28a34cf0148b9633cc5dcc42e57b146ca800e68a9ddf8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
87ffdd094fd97d3e41d3406d407f0902

SHA1
817d25b0c4b19ba5bc0267d5f2396f9acc4ee93f

SHA256
34de5c219f77f8984732217bab837d4af52737c44b56e387ce0ed00189c2f986

SHA512
a865d016160e609fc83aeb808917e94203d8cc96b8b5824aa2f709d15f0a39e94c1dda866e1cc71d0703f5210368d4114878ba9f863bf082eea7067722fc3141

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
aed576eba7c47a7e883280faa46a6840

SHA1
157c694b5db098191f1cc2402056d100139daee6

SHA256
fa19b8cc55c67ef82490ab98a438accf6ae656f017a010b47612e9bfe78a56c3

SHA512
8550b94342c70c63c73add06d16d9e25ad3f921a653329865f2037ce62f0bd6c17c9ec1f7161da4210f85f73a72ca4c9f043aad6797b41620750f20865e360fc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
6f66a660bc8d17c881d5289afb00ab0c

SHA1
3d8f9ef9c894b8d1d72941a7c9a9b3397d18b16c

SHA256
e472edbf36566c297fce90639923e7d0b00c27d8f0dc295608adae3599a5e0b1

SHA512
bad3a1953e5327c12959b7e946a00a3ffa437ef4653876d27450cfa935ef6af35d9dfb40b76945aa068b91095f938d1c06e93865eb7a45a5376bfdf8afbe2ad1

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
c8e2c9760e0ca7f00319a33e8603308e

SHA1
ebccb8e8d3f3a3dd55a7407884d51f576a54170c

SHA256
1909d17c8b14968bf6be974792affba4e258d1430cd4a56a4805287f49032ee0

SHA512
c259110cfcd29b3f67494019cdd293bd9a7c94f14bc0b940c11026fa3da5775e08fc40981a42c93afc818166629959f2e51e07d9136f0fed3737dbc583e2632e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
af8d67497b66353f24be3a59670d8997

SHA1
ce1e8d393abe36957def39732731e593db1bb33a

SHA256
a72b7610aa129cc0936e52066e298e45a91eeb3e106e8d7c2885ce4b57910edf

SHA512
4576ed6d3b16f54bf25afce17da963e6798757c989b9427ccae6629be6144171877ed8b637d2c9e93cb5ffaf2c5111fc8a3ee0ebde814986862741c871c45894

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
74012fde6aef03bc04986a9274585920

SHA1
f8966f2163bace3deee9327433066767898c603b

SHA256
2973a013caab1159e28f9071487932d3f2c58e06a445c9db9638f1fe5147ac4b

SHA512
a85b6095f79cbc59eaf67f65b6085042850ab0a6a35d0ec09a0fc3ebecae6f3c43d378b8b0b560b5c5e9aaeb31ea77ed5578b10593af4c85007a6d299db9cd9b

Download Submit
memory/324-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/324-203-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1320-439-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1320-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1580-39-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1580-49-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1580-51-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1580-45-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/1580-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2188-117-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2188-34-0x0000000140000000-0x000000014014D000-memory.dmp

Filesize
1.3MB

Download
memory/2188-35-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2188-26-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2212-202-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2212-91-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/2276-132-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2276-253-0x0000000140000000-0x0000000140139000-memory.dmp

Filesize
1.2MB

Download
memory/2548-506-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2548-191-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/2724-262-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2724-611-0x0000000140000000-0x000000014016A000-memory.dmp

Filesize
1.4MB

Download
memory/2784-21-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2784-18-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2784-12-0x0000000000630000-0x0000000000690000-memory.dmp

Filesize
384KB

Download
memory/2784-89-0x0000000140000000-0x000000014014E000-memory.dmp

Filesize
1.3MB

Download
memory/2928-614-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2928-267-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2948-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2948-525-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3068-103-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3068-217-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/3176-8-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/3176-0-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3176-1-0x00000000023B0000-0x0000000002417000-memory.dmp

Filesize
412KB

Download
memory/3176-82-0x0000000000400000-0x000000000055E000-memory.dmp

Filesize
1.4MB

Download
memory/3192-380-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3192-155-0x0000000140000000-0x000000014013A000-memory.dmp

Filesize
1.2MB

Download
memory/3664-524-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3664-218-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4132-90-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4132-80-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4132-85-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4132-83-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/4132-74-0x0000000001A90000-0x0000000001AF0000-memory.dmp

Filesize
384KB

Download
memory/4244-129-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4244-241-0x0000000000400000-0x000000000053B000-memory.dmp

Filesize
1.2MB

Download
memory/4336-124-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/4336-229-0x0000000140000000-0x000000014014F000-memory.dmp

Filesize
1.3MB

Download
memory/4432-180-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4432-485-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/4492-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4492-526-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4508-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-483-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4508-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4512-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4512-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4512-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4512-179-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4832-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4832-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4832-58-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4832-52-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download