f8fd96bb6de86e573c98de82048ee71cdbb87e6cf0b8ea1970962a6b8bf555b9

Analysis

max time kernel
112s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/08/2024, 20:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc28505f0e51a8f49487d7200ba2e8e0N.exe
Size

1.2MB
MD5

cc28505f0e51a8f49487d7200ba2e8e0
SHA1

04a1c17c3035dd8bbb0fb32123bcb2af7a2878b3
SHA256

f8fd96bb6de86e573c98de82048ee71cdbb87e6cf0b8ea1970962a6b8bf555b9
SHA512

b3c6d85c22fa8303ca908f6459b5f0d4d65a4235cecbf1ec63b57586ab49f31a74f29d52ee874d859d784d1b28c110414293cf74f2cb2f6ec2f947d12e6602ac
SSDEEP

12288:8dmMTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3X:CTSkQ/7Gb8NLEbeZ

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4184	alg.exe
3740	DiagnosticsHub.StandardCollector.Service.exe
4500	fxssvc.exe
3368	elevation_service.exe
1888	elevation_service.exe
1896	maintenanceservice.exe
4032	msdtc.exe
4904	OSE.EXE
2844	PerceptionSimulationService.exe
712	perfhost.exe
4472	locator.exe
4244	SensorDataService.exe
2404	snmptrap.exe
3548	spectrum.exe
3756	ssh-agent.exe
2188	TieringEngineService.exe
2224	AgentService.exe
4132	vds.exe
4556	vssvc.exe
1700	wbengine.exe
4580	WmiApSrv.exe
4228	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\locator.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9f08a0f20b56551.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B03CCC4C-2FBB-4685-83CA-78028CCF38ED}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_77703\java.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	cc28505f0e51a8f49487d7200ba2e8e0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc28505f0e51a8f49487d7200ba2e8e0N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000019d069281de5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e15973281de5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006abb75281de5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002b1f59281de5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a9326c281de5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca815b281de5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000960fae291de5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3740	DiagnosticsHub.StandardCollector.Service.exe
3740	DiagnosticsHub.StandardCollector.Service.exe
3740	DiagnosticsHub.StandardCollector.Service.exe
3740	DiagnosticsHub.StandardCollector.Service.exe
3740	DiagnosticsHub.StandardCollector.Service.exe
3740	DiagnosticsHub.StandardCollector.Service.exe
3740	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4324	cc28505f0e51a8f49487d7200ba2e8e0N.exe
Token: SeAuditPrivilege	4500	fxssvc.exe
Token: SeRestorePrivilege	2188	TieringEngineService.exe
Token: SeManageVolumePrivilege	2188	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2224	AgentService.exe
Token: SeBackupPrivilege	4556	vssvc.exe
Token: SeRestorePrivilege	4556	vssvc.exe
Token: SeAuditPrivilege	4556	vssvc.exe
Token: SeBackupPrivilege	1700	wbengine.exe
Token: SeRestorePrivilege	1700	wbengine.exe
Token: SeSecurityPrivilege	1700	wbengine.exe
Token: 33	4228	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4228	SearchIndexer.exe
Token: SeDebugPrivilege	4184	alg.exe
Token: SeDebugPrivilege	4184	alg.exe
Token: SeDebugPrivilege	4184	alg.exe
Token: SeDebugPrivilege	3740	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4228 wrote to memory of 4500	4228	SearchIndexer.exe	111
PID 4228 wrote to memory of 4500	4228	SearchIndexer.exe	111
PID 4228 wrote to memory of 2168	4228	SearchIndexer.exe	112
PID 4228 wrote to memory of 2168	4228	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\cc28505f0e51a8f49487d7200ba2e8e0N.exe
"C:\Users\Admin\AppData\Local\Temp\cc28505f0e51a8f49487d7200ba2e8e0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4184

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1888

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1896

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4032

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4904

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2844

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4244

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2404

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3548

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2444

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2188

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1700

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4580

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4500
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 900
  2⤵
  - Modifies data under HKEY_USERS
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b7e3cf90ea6b75f08b4aa7c42ed9ce50

SHA1
01cd49a2f11b8c539133f9840b46d34c7797816d

SHA256
33f661331cb133edfb2a278fcd0ef8fd1a6140610c8fc7ae3d7a88bcbbbe3149

SHA512
0541f80de6d969a8d4b10da30f7befe178f53a5e6c4050bc0396abcf43049d08990f49998cd7815134e1ddee7eb1d918d1cb24a410db3414040c1641e87b4e74

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
376e1f4cb904b9819f34b2b8ec62a1d8

SHA1
a2ec9a0c1bcfd12d4f4e5f7a832d8232dae34074

SHA256
01145e47e8470651eb791f541ed3d3762e27f8127c256d65ea651183eca65e2a

SHA512
327399385f942edc5a77992a2f49e7d26b4b7b0a93dad32a53fad66cbc3cc7aff0d20a613cba2b4cd08014ef03fa890adf9c8633f085af62bf5947caf094cbe4

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
2a9cc02dafda977668466e0580b479d8

SHA1
b7cfc99dd6a5be9da23fd8d1756563138ddda8ce

SHA256
bfbeb60e893fb386a0f526a0257466a857f534f161dd5a07df9e32280b131724

SHA512
7ed0c55cc2bd754354f8e987df55f41c967f086c0f2a022c91a04f11e48bb38596346d6b986459e5689ed5e3aa4d850df6dee7a8558256473979f3504cec73e9

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
79667b3fee6dad4f33f0d5f28748e756

SHA1
c2caaceb021d79680cd6d783248a3c25f3e1eee1

SHA256
bf6c23695af11ed054c21dc0c1d1a08ed02f9823cdbddbcd1bfd5bac574e37ef

SHA512
196e348e8bfbf783eafd0e3636e1921a672546f80202b91660fcddd87d262d69f174f0329fb690987714e2e4387530ad08514a2460918d01ac60180b6fc654de

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
7c16e787d8fbd374082c617736bb8953

SHA1
dc26ab6f6053ae74adee6701b339513ccafbb576

SHA256
07d5a28fb030b0e6cb53c771fdfef0a69bfb801282726ea23177afe419f6ea01

SHA512
98d33df180e57926af49fa575c2fb678c0ae032e08cd7ebee4d018eba7d580d7e21d845d21698a12135c32fb9131093c787fd16fa4b8a4e5b37c6356629210c6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
b13060b7b6b04421b6800c00cb090250

SHA1
bd550d97c2bad60ccc836a22cab8ce861f1c005e

SHA256
2873cb56e242c95b8531f21840cf940affeb9f0bf29831327fa170d284756822

SHA512
15921316f6223c13c9f5331945c0ad90841cd3af671fffe16de8b0a57af319f70a78d6037b63f33623d410e60193606452e08886d9919e79e9aa0ea5e0a0868c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
22d50556af9b0d83fa9e6fcb2d85e660

SHA1
52948b38a4a68d98b50bbc86cc5f470a34972a09

SHA256
493c16ebc01e7d415a72fc77169c43f317e6a549c049a5247f537b1604bf14fb

SHA512
8edebe218163980005fd2f5e464e15aeca71fd615be1ca752f07c8fcd3bd97f609a7a07eb50fea41d62f6c9cea62169dddcbdf1316e2b82d338b3fb9fe6351a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
90c40d37055feaeef5114485796b6eb1

SHA1
16d3e69898d1eddc8cf1cbadf0119be2bda81b2e

SHA256
9aa0bc3140ed2633650b33e93f99d5a004bbaa51715f20a346a409182ea017b6

SHA512
baa78e067af04f013dbb2529e3bb2c503ade17f727c8a69fe3fa7d0a2c9a5694be9accf8efcb8c9fe8d92b692bfab1d641bf864700ad4be2956be6d654462f20

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
834d40c54809d7609288e2ca5c496b4d

SHA1
8e6609f478b3f9f52898f9cbcc50b7b0711012c3

SHA256
90e9f83df6c96864a4efc2d96589c75f519ce958d39910a36769844935116b49

SHA512
04bb4ce874fbb800ae7bb556f410215caaff286c2e212e5b4a1be85efc1f547de0ab1ed12ada61f56b61fada8110e292e8af0b03bd6bb7026279b61b8b378109

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ae43407313588ae459dfc37f77ac75bd

SHA1
8aef19e04b289139d5e8b08c8ba534d89a6a5630

SHA256
e61d5cc15037f1e42a8a6d2f15862afe1ee93d577f793d64ce5ca0654cf61ce6

SHA512
c7fcf896b4f22d272d56d05f6e3647808fc65889a2e32f7ca1d582be0e93e790239ea3caf85dbd8a9ce735c954f6fda72440107b78371b11596cf77a4a3f78d3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
1c8dbbaf62b969199773338daf804fd5

SHA1
dd3344be1e263d5cdd8032ac68e7a1bfca7f9212

SHA256
1a287ed6dbf5b8c9a48e512ef8008a1b961db0d9b28dc592c89f5c5510d5dbdc

SHA512
9aeb7cd55dc3acfe5005c0f234375fd8cbadcec94428f5bf90c7bbe38c0569c1719e254e905d367f7ead45f678e288aa46beea5fab07274904352e909cabc4e3

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8e9b0db8c04337cba6c95a4da40b62e5

SHA1
15cda7d64e29af2d197bc8cb43e5145210c2b5be

SHA256
ade25d5942e7cb94f5c7cc3db6c10a5cab507ab9aaa773c45b6aecbe8ad9d7b6

SHA512
dd0fed51ece483216bc658d27dad91ac95a223700e668f43923c003e39c880c5b5bee682aee29297043166f7669cb52e1fe36b69a92d82c299bee6235aa1680e

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
5e68b4cd39bfaffbab9eb10c8305382a

SHA1
a82af511d46e9f1d44b3d91f9a0cf9d6b8551d70

SHA256
1ed48c2bc58520628dc90d751c2efe3803651530613f3a8b84ade5d2c6b218a5

SHA512
ebab44790ba250364b4620635282d1f781a5839be56053552c6d648dececb8e02189e5be2e9e10858eb97249c9da53d6f9aa99c18cb8f2c0d80e852ccabaed3b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
6661615a84d803adcd5e83a662676793

SHA1
3a5c6fd0432b613cd6a8851b317af8ef9cc0b6b9

SHA256
4e247aee1a4a106ba6502d0019330416c487b1e5fbddef9febe8e2a174cecf4a

SHA512
23b2bbb48711be368ce33954836e699944b7bdc4019e70e82787164f48c6154b1a3af334ba94e0f0d8f97484e10f1d6f585b2d608ee8f135753334732311a3c0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2090bc0eead43c79fc0997dce51bc286

SHA1
eb8c7a5eb2f2142e3cda342d7fa4fdc83ef1b3d0

SHA256
e352bca8c83931342e867f3f98dd5e6d291044d95d9c990dc53e4acac34561a8

SHA512
66fb4bfc773332e8ded2d900b14e73baa30c313082d10df949abb89b7ec153a19ccf58e43200192c4852184622a7384ac3492b8b280ceb83fcc1b2e67a61afeb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d4aad9f2e4f0a51c73ea1f433e7e06b3

SHA1
1158cca10b212350fc36fc63ac6d6df46d25f114

SHA256
78cad1b1f9997cda34919f22680a386eed626fb5c3cb799666ff10799a521a19

SHA512
ca4a08cac04ccfea3a9003590e81f6771a06520ac6c37368b2ce485994885532aa1db5d0b0b49cb3a8ea2d28a97dbd7cff6a0a2930c8a933dfca5ece4e3ea01a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e7dca9dfb921d45a04a125ffabf69463

SHA1
8ef5ef2d08dc18b573f7e11f2c591376f6ba71ab

SHA256
194f82cd78d257dfc7e9fa825ab4aa9fdaacf430fc83943814942a98b30fab14

SHA512
fa84ad21f26234782c83ce848b7fd18e23898b2914b4937682f108771566a1595f4d69ab5fa19a164075059c6d2273afb07628dd1ea6c1058906527cc3eb6e90

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c1a6f9d8d131619bcc4d2dc2ff53ac6f

SHA1
571275cf97a36a8a666e85c832285124b27337b4

SHA256
e629f1bec8aef4c317812856912b5b5e99d9338759cd26bce53d926bddd5eaa9

SHA512
4150da846f8bcad964da62b3c42754d54bb9d9d7ecc8f314b5caea68b64e311a79eb2b0c4aa0ab2a1b29561d666a403dcf32034d9500631de95fd3e183cff300

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
a26a101f8e87bd38f54e536544d41764

SHA1
2ae6d1911bcd573555e0a295bb2a25df41bc1ddd

SHA256
3ea25371e0a134a71eb2ab063bf28cf094813273d387c3fc5abae19799d2fa3c

SHA512
4d44467c5e6d0f18edbd174a05e50b85923235723b1d482844dde209389d0a18f17acae482cbc334bbcde4c3388bb7eb5cacb5cc3d39b6c9806f6825f67561c6

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
160a38d67f6e7dfbf62702067d106aec

SHA1
e801c6b5a76a8c5157d693c39beff8c2ab7077c1

SHA256
ff52c9633dbb1d652b7001fd35a5f1a4b18e7994e290e077f4e2159b11fd9567

SHA512
193cbfa1c02843650399c0f58b6d76afafa89e636484f03d680176b951859687683c6367d142c013b0b552926359892757a0b66d93460a68234627bc063ad845

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
5b29086688b0f72cd2910c582f0d98fb

SHA1
1357470af1cd2720dd6762162bb34b5853879fba

SHA256
a68bf0553b8dea1a1eb44249f8fbc079590fd07eb8faed9c7c912ee77dcc0b46

SHA512
bbd0284e6e17665c17dbd231330f567e6f0cddf0d21614ec500cd5373f870e1149d92eb3b85cbbaafda988e1fee25756cb35c0417dc0020955c927b47de80858

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
56c5d44a4af573ed68a794b95044a0fc

SHA1
a13417894c503b3dcdc2b7efaeaca73d70e42a52

SHA256
c7785310cfa764f10fad745a0abcb6d9fb172b0e54eb74948f9979116ebd41d4

SHA512
a992007790f66f632d30efdcfbf82e48182e162c9d094a78155c986683179a3e68f8f1bdcd668376cb9a630ddcb14a0a2efdf451b6c6cf1bdd29d5d2069525d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
95929adac8c0efef027a6ccae916745b

SHA1
c0e0e2393e688bd08ae51d6589bd1985018e6675

SHA256
ea1b44bd125f4c1c3faf9847fc03c4f26e34783eb5d477df4e4ebc60717fa30d

SHA512
d93088670a7f6b3f95ff755e486c209bf5df61d57400e3ca870fe0407bfeda3b3d3e369ecf14e65d754b6eab0a01af2145c13f28156b9121214b3fc3ab86ed55

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
59ee483768b41c5bbb5a55ab360071aa

SHA1
7526cc6aada74286c3fb7052ab5e55775d4e7c1f

SHA256
5b04ea31d0b1169c57175c7e59746ecfae4f45740318d0b2bd7e178b3c5aa20d

SHA512
8e9912356777aad5c12bf9d9021f79eed23f4405c47157d956690fb8f8d84fb3cfdda98ecf27175b065fc4bbfc9aeff0beb03ee7d320d07b48457b74756c583f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
fb5b5d77baab72f88aa52bc3774904bb

SHA1
1531243361cda6dec842e1c1e24ac93477d8dbfe

SHA256
1b2d07a6e1f80ccee50ea7a9c605c2928437f98ada70c47f39c6b628dc3a9fb1

SHA512
ad13d88d2674e203aa96e887dc0099191c232e2f779658e0f73fd145311d19b13cf3d45c12dc0200ab6460a617dba08eddebc6f6c3deace1c9de02ff949ae43c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7f42eadb226ca1c8603adf4590693924

SHA1
a277321f271585a65880ae6ff2e23c1e56bac9de

SHA256
de037e7525b6de9ebac83ba419f1c357b60e3268358bd79493e39f7780eaebfd

SHA512
f47622aa9ff0782d5de7bc01e25d1cd1791785e85f989384ca8ef1754862343dab5e121dd4b6df9d9e1eb4e1f0beddeb973adf41c2e4b114d261e2122e009a50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
7afbaeddd09b6dc5be80e12f5c7a0862

SHA1
9457bc0f81a3c50216b97617a21d0c832f5b984b

SHA256
adbb1b6e626a7efbe539c4ea44e1805a3bd14c245eea67a70636acfbb34af9c8

SHA512
736651a65bfba37083b4755faaa236d7d2a2d7c4d01f89035d7ce2064790294b2b17208ce250ee68ff1f8083705f4d5830820c16bbb95cf49b87f1da0f38dea6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
89a645a42283f025440a46bc56b95430

SHA1
14ac3c4c55f8813f743ab20f7350751195ea3bf9

SHA256
4f16bc875ef83c260602c90796a20072db16dfbfae7572066a7a9c97dfce32f9

SHA512
2a87f1cc0321dba9c1438c8900fa677503f8365461c1320c4f1d98879421b1f740761edd0bf47e5c3048c8701b06b9d614e4cc260ef487708a6e32cd8d7f9c8a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
20fb5a06fb97294cdcb2e83d42368444

SHA1
8501f59ef8331bb3d519e176b9ed5a6cac5312ca

SHA256
4b68b1c7283b3478529ac5cd65691506d86721ecd5b4578233acf0d8c520b597

SHA512
16ca601ff6015271cb23dd5541a02dc2b517f2b5393f596ceaf3fe1c91f10c27e73ddd124f460b937a2ef2db74c5a06f1f6bee02cfe954b383696eda92822035

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
6be473326ade29fad38a38a5b446a664

SHA1
5c4e9ecabae9d244d070d7f65cc3c9bc3c36766b

SHA256
68ad19302f10f9b5eb22728708ae61a57ced409294d4c2029b34659de6e39c32

SHA512
c9d196dd5e5e25d609e926729801acaff79403ab62908e6d9d3e871898f77e2ebb025a4268da4b6b1ee7977e4be37033f6369d6a5c9538a46766ec72c6afecd5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
f85b337b56df014be39c46af8be91844

SHA1
e17ac3e00bb75678a3a720228640860f598d962e

SHA256
c820ad64745190b71b5c912ca3eb81901defc2b54353b9c6f8e29337569d6c00

SHA512
38f5c9483384c00344eadff0cd988f0511306f646bdfb94607c4d436bfb5dba2d35a38b18b4e8db8cc95f1cd7b115014cfa6ae06f07121b4fa944091be371efa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
b3f69ac7fef33ba1552e388d2dd94448

SHA1
fa8d7fc31af255a5475992f6b52d8530c389751e

SHA256
3ae320c1a66793da75838ea4cd6ff167bf371b7c40fb082f0e5f0d2ac0cca52f

SHA512
e694816cb7377a6f3ac44915ce4ab987326a5656a203a1aa6e01e98356389fdf26655684a327b07d3a25786dc80bef4b505e3a3097355fd7a9cc1b1843831d5c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
0c9c3172eb3da137b932b20d41853227

SHA1
186e3c766c087aaaa2959b7b61284253c6017a26

SHA256
28ac9ae948a153a5bc4552258e62173328676eaa2421bf802f671fdbd7b72c7b

SHA512
45f95b1d26bdcb8c6fcf27108af40e09c3ee1d886a070358a98179efb9793407b20570db7a33b603eb5a2de9daf8b3d3cf6a9d9a2d2dff71173b40661e73117a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
57412a02f28fd2fd9529439e11dc107f

SHA1
566d61866abc3800636fee933a80fbb072f16486

SHA256
959b5811f9c365021ee9b2ce4296b79d759a9a34715c3e2429d05f74747380e7

SHA512
e597a11324c003e73a36086ed54041167ddbf2a891b1654c02d2459fcab33e9e4c6edb401c918dd62db2d215e8d7205e77295dd90687180c7a7a044a10680a28

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
bd0c8fc4ddc4003bb4350c9652845d7b

SHA1
12f0d64979382f56429508147e791fce9ec8a93c

SHA256
68cab4f93d3dbf1abcf1cc7154d8b644671675c80468a5d23c176b1095c2321f

SHA512
eb550b39829dab5b116d05512d6dedbfea6aff2eb0171aae547c0dace9d0b4fb15ead3bfec13c42459256487bba6b8b1fa6d13cef9e36685f9529912288514d6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
68a196606b26b262b73f8b3066ccdf0e

SHA1
2a53000e96add37a00ac789ade03ae71e4c3fa5a

SHA256
2b5e6e0d0f5e2c8353964937b6e3b97dea2855a69f91cf8892f005251d6256b1

SHA512
0a1f04b1f948ea00da816b8a8d081157892007d227b426e14861850be94581d200613af440ba01c39e1bc02aa81299b4545ce8a6b41b041875b7345e47c4f1cc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
1fa27b6264ce5e9124e82a96c3f6da2b

SHA1
28d24dc35632133d9464e2d729b249d0f537397b

SHA256
ca0686cc423462427a9d74f65759072794a57b7c2165681f41477696e5c696aa

SHA512
b0933a06f2582da148689e87cc442f9e02cac113fbc177312c1c09688615a09cf5019b67a5583cf23a83b7a209efd2ae36cef2647b6b7ddb8a24722ad8e5e141

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
cd8985c15526a5600e4ea015262eab07

SHA1
08e3da62820fd780d102cd1a467f73151e7d9093

SHA256
f2933eb62e47a60523a28ead843603d31896ee86222eb3615603f74f79e0689b

SHA512
a36ca36d0017d8b5bd09629c2b18a2c9a10583df4157bff2d86a441c1087be5e82d647efd871714e95564e3b28a56a30be03c712dfc37eb86a6c2ff900f98772

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
415669cc9d8bd6a9df7ca16caabc2d27

SHA1
36318a6bfd0ed3513b4b6f4e26e72962817324d0

SHA256
187b5e5df91879a557ac2e2c6705d647d8774d754e9b9af0ee9f8c4dba3c202b

SHA512
31110d5e983a526b201ee4fc72c95db97b1b4ffb140a13b2219179eb6307f9301461dc6b18b15325954fe056b2b85a60f695ed913bb9e4eb224cb9eb391abecc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
55c5c5f769b044941ac9977d3e95ae6f

SHA1
83962ff150b0ec4c6160124cf336cb7a33c60254

SHA256
8099f59f835fe51883d5089b7283c99acbab3fb6fff567bcc755d8f276c26116

SHA512
3acb8409eca2c1e74e2d90a031fd99338d2c576dcc1e80417ce7ed09e2eb11817cccfbabbab144c26278e9364b896e359f199c6cb76a31ee3e5830d73ca67b29

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
47d77081686babff95feadd52160940a

SHA1
373ce16760f3b771ed11bbb612c7143ca65fe135

SHA256
6bf4775ca1294da549cfaf62aa4dedc5430427128aaf1f71bd6599f0945308a1

SHA512
5b41d3d78a53236989e1d550a12ed50f8d54012a4f6b5811e5fdcc8fca950bf3a2c36d4c4dffcc58f918d4afcaba9112e5426d834c10f3f632cad605d1fc418f

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
83d55ac4cf6e382665118ccc1da56b8b

SHA1
1df4df5e267c212932b39233ebd6aa3148326ab2

SHA256
d78c7e5604814c78f959a9854c4f8f58a2e9e571f6990e387f38b5f5f3554f20

SHA512
be3a51ce64d8b31ed0ab7d0f4c38a746dc8a1cabbb7bbc3ad990381f06fcda263ddff8f285496bfa474d5ab93abaf8b5484311c9810b9f4f4d95c599d5260318

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9268e4b99cd4f86bb3845cb2efaf23be

SHA1
1eecd78d64b261151717e64e9bdc63c931a84dbe

SHA256
cca22196ec1999cc7e036a5b15fd54419433e3fe193e479ddecbf07c61d36af7

SHA512
49715f73e00889cf7438d5cc2232af94086dd799e31df4124584579ca385c0addddd4aa51f230f20f07d69f344a6e25eead9251d744ee32225b4c0611f5918a5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f816c0ff7c5efe5f88d467c30c1d84ad

SHA1
96fe78fb3254560fc72fd9f90c53e981815f046c

SHA256
731a33807f0f59a37cafdeca57cf3560ebde447b9a53314f9a02d1ca7e19f62b

SHA512
40432813142686b46e354a5defd3e32cbba27f0d7d0255c987971e2c00c4565a2fe7de114e724f2787644bc11217f52f2d80a7988581801c2d5520aca0fffba8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
54635651c5e5db06e242a6fd0152fb00

SHA1
d7bded9b3130cccb67e7804638f8da8e11d43b10

SHA256
d01ae082411d48b71942376e88c70aa0bae59b6b106becde7a72720d6d43d457

SHA512
0424d613ce1fe11fac16426f93e3b785fe3a17d1d5def4b073b666d5512014597bae52c760bc8f17e43d420e73907317a67047b26be2073301be8c5436fb51e1

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
890056d8d882405c7ba4c9b079ba5f6c

SHA1
bef21175ce2c504ff14d857b585be63a6d6f5053

SHA256
77c454f5a797642bf2a3ccd32531f50fb48e74fd2c4050d241714c50c701548a

SHA512
030b32f8a4bfdf22751c7860807faf3a214300a81162c8b5c34c439d9b59c91f3dcac1fd872d4f21d4cecc958bb77d35e1f1a6058aeadb382f1809909b5cf4e1

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
80cdbb46d35da2618085e4c1b6263075

SHA1
4491a3fa4eff6e266e48d687bb305ec829ccbb63

SHA256
64ac11791ab98108781335ef1bd99b628be7eb61f201bbf0154eb47ab03637ed

SHA512
d554a0307fc71744430ecc734bfd2c96463aad2e726f4bc12d4ba6981ff7462d5ddb087effd4781a005fa249fc48339d665d216ddee27789c9947f54d0072ac5

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
5890bed917e63ca11263c9ce208e05a7

SHA1
3bc6c7d129b44d87f6d536ea61f16362e0e2752f

SHA256
fdbd9296bf6d59c84bfd072224a23883e331674db908a6a57497f37db798e23b

SHA512
18567dd91beb76da6f4893bf220f41b916a03c68afb987729903e78c7d7e84f4047ba94f0ba09bb78760c909ca195dbfb82d7c63dad370f19a16be210adb818b

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
f95651357003ef64321e2080ab049408

SHA1
c3684db1fcf3ef04b6ca8632f86ebb38eb9114e3

SHA256
41b2737bd107d1cb73657bb80f895af1e92920b9c45ca2fb99b63255d46a9427

SHA512
96dfb50989f380b24384f0ed69e64df779a040b1b77ebbc4d74e8e97f01116d73484d228700151a4ff177377d22da3ac81d69f345626ac9d234af2c5df84cba1

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a218a2837887502372a34111776db633

SHA1
17a64f3cd1c06198dc05b1cfcaec365c067bd21f

SHA256
13e4dcd9fb883d5945565300005471322b625dc707f0e435fc782f8d3b6f7235

SHA512
80d2c83117c72f9534c7007411ad2256eacc892abad42ff0ad507b0f8246ee544f452f507025165b6b3f5a38ff3642c24ccfe5e628c21d3b3f4c2ec7106baf21

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
a36be7efea41f6aa88ec18477699756d

SHA1
07e01b41160c92ed99f6587eeeaa2ed9b561c27d

SHA256
e8a08e256693ac3ba6f61bdde815aab8c31f5332c082f1b49a79307a6c3b8707

SHA512
456a472581ca554d07d9141cdd628abe472004ebeead156d9f6aad9209592f4dbbcd3cf2100ab35b4fb20484add56d20ba805dedabe6cbc9dbccfe4846b7b9d3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
6617342bff3cbe5c2e2328a547851eea

SHA1
b010ea50b58048d66bb857833cf4aca2ed52fdc4

SHA256
c4bc2d658bf0ef212540f8b384a47a0bf010a3e951868b09da040996dbc389fe

SHA512
fd18e2bb4906b79644aebf37e93a065109314a251960d22d5fdceec32209b59165010213cd939b619bac33b193aff895d01999dd0b79342647f5f34922fce5cb

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
8c5bd76138b8ab5ba72eaf8e1b6a81c6

SHA1
c33dd57fe259783f38948f80ddf6afc46ef4da5c

SHA256
c03860738b20d87eaf63a421a59ae43a7f4f50ba13683fa8dd01cbecb34ef0eb

SHA512
7fadac75ed531959f154b600fcd9ae1a85266ff98654a688017c2f52f404e41eba41f5bb0347127e6c627c168ff5fe5d6e614e338493ee1da0af09c35cb1da88

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
ca912aa092b1b355082cfbf5232f3ce5

SHA1
4503ddab652a74bd6f70b07baf4abe5d0ba3bc8b

SHA256
f263e8cd4ae87b05e1ae555fb2741b50a3077fdef8972c24a3a2a9f2e639edb6

SHA512
9344cdcbd07844d2568242cb34df8ae21b3195af59d69c75ffbe530ee428e4e8dd7f9595044374514c842f1d8a336e348155a11ae2f5bfe6fd6b148bd78a4dc7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
46cf8d03120b6f8b1a3fcb93d8620350

SHA1
106c3efbd1705ed9bf68a9a6f14e645481aac286

SHA256
31bef0fc8de3f190b3dc5a29e253e93a10230203765c25af0c3426d945abd70f

SHA512
bceeb4e36f634817498f4355a0e7b8e65f82124a2af99ae07925ed7e22c714abbdfeccd1e0e3cb6ed6f7d4e2c654e75d974e8bcec6fe21c130a24102ffd4b36e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
154018131a9ce2d619f043f1eda398c3

SHA1
88d26bfa390faea0db5f34833c030c6fb9ccafc9

SHA256
545290018f9b399e4711e36c8d93be3ffaeff86a7b9a505daebfa21b65f3f38f

SHA512
85237410edb6bce39728d0766e400791eb92f8c0845bf528f1c8dcb27fac860777c0cbc75ac7f8acf9829574bd67e11c1c4ab573e55bfe89b66819b9e22c3a4a

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a086a8a501d498feb6bc623f15a81311

SHA1
c3b554e6d3a3351278f40ae70e72a8a80d95209b

SHA256
e53bd32e807319adb74a94ece229f8340ffb8e4ac180ba490db5d00c95f585f2

SHA512
c061f4863fcdeb2184d61cdc345d37a2b9a9aeaac81fe20d282f61b448412335ce9498767e81d990658daf70b7e54ad0bb8b28e93c501b638e6438d2dc48ce9f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2b659471804a922c939c708f64ba4020

SHA1
e072d01f109576a2466ea3b0493ff0c794e44a81

SHA256
33a0a6f9d6518bc441327f96c732ca411c2066f38c6c085d71bba547915fe784

SHA512
266590adee9ffa2c08221425e8b49f89039a76c798a96cd9e780e5c3d16a46ef0b652018af91ad77d24cd148934afac12e670bb55342875287f598981bc3f553

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
75717e41041cb60e1465039a718c0947

SHA1
2a9077113bad954dd4b763f1f18e3902e92df492

SHA256
5340d24ff143e868f08a8b5b423816a4a05c1c1e284b32e3c3e415740cb65dae

SHA512
dacdaf27c32a1a3a201c5cc6a878f7398f7f5647320bd328297bd4ea6d5a5ff8d6dc3cd5db2f05b7a0be8a4dd08912afebccb1a42f486269ba6c992844b394a8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3afa7a06326d8947359c553c38e7b531

SHA1
15158c8f0f96c21e7fca35506765e5d474cc3cc3

SHA256
7b4d27a62ed151b7d0cc909b1afc439dee08797d5987260310bdfef2cefff33a

SHA512
c0b512bc7cced44ad038e2a4b188f38af0120c0882ceda153e7b445d8ae260560286c7b7e81ed20f48508fffe3605ac482cf01ae4f2c1680b76d9d12a6e7f2ab

Download Submit
memory/712-246-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/712-127-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1700-671-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1700-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1888-67-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1888-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1888-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1888-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1896-84-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1896-79-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/1896-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1896-81-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/1896-72-0x0000000002230000-0x0000000002290000-memory.dmp

Filesize
384KB

Download
memory/2188-666-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2188-204-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2224-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2224-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2404-160-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2404-610-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2844-115-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/2844-234-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/3368-47-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3368-53-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3368-54-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3368-171-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3548-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3548-661-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3740-32-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3740-126-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3740-26-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3740-25-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/3756-185-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3756-665-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4032-90-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/4032-89-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4032-207-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4132-667-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4132-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4184-88-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4184-11-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4184-20-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/4184-22-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4228-278-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4228-673-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4244-664-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4244-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-0-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/4324-78-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/4324-1-0x0000000002370000-0x00000000023D6000-memory.dmp

Filesize
408KB

Download
memory/4324-441-0x0000000010000000-0x0000000010136000-memory.dmp

Filesize
1.2MB

Download
memory/4324-6-0x0000000002370000-0x00000000023D6000-memory.dmp

Filesize
408KB

Download
memory/4472-258-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4472-137-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4500-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4500-57-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4500-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4500-43-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4500-38-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/4556-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4556-668-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4580-259-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4580-672-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4904-222-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4904-104-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download