445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
Size

1.2MB
MD5

94000a160f3ccd7e2e0e607cc8b58c66
SHA1

fbcb18fdfd5f61bb7fa654f7756884d02e75bc85
SHA256

445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d
SHA512

689c9b664db7606da041c47df5181b7905ec7d822e31b0b9688301700512055ba28f2a12c7bc4afc23d375239b47c85ed19e91f30ae51385e351cf9b9d3322b7
SSDEEP

12288:P2Z3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:+Z1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2624	alg.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
2644	fxssvc.exe
2160	elevation_service.exe
1240	elevation_service.exe
1000	maintenanceservice.exe
4280	msdtc.exe
2736	OSE.EXE
532	PerceptionSimulationService.exe
2712	perfhost.exe
3720	locator.exe
1948	SensorDataService.exe
2800	snmptrap.exe
4424	spectrum.exe
1580	ssh-agent.exe
244	TieringEngineService.exe
3544	AgentService.exe
4948	vds.exe
2484	vssvc.exe
4964	wbengine.exe
4156	WmiApSrv.exe
976	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\53b2e09226e8edb0.bin	alg.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\System32\msdtc.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\spectrum.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\locator.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_84546\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007cf93f87bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a8aae86bdedda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c84ed286bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d38fd86bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6519486bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a492f87bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005e62c686bdedda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000411dfe85bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000023ad1287bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005a8aae86bdedda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006789cd86bdedda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1056	DiagnosticsHub.StandardCollector.Service.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
1056	DiagnosticsHub.StandardCollector.Service.exe
1056	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3768	445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
Token: SeAuditPrivilege	2644	fxssvc.exe
Token: SeRestorePrivilege	244	TieringEngineService.exe
Token: SeManageVolumePrivilege	244	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3544	AgentService.exe
Token: SeBackupPrivilege	2484	vssvc.exe
Token: SeRestorePrivilege	2484	vssvc.exe
Token: SeAuditPrivilege	2484	vssvc.exe
Token: SeBackupPrivilege	4964	wbengine.exe
Token: SeRestorePrivilege	4964	wbengine.exe
Token: SeSecurityPrivilege	4964	wbengine.exe
Token: 33	976	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	976	SearchIndexer.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeDebugPrivilege	2624	alg.exe
Token: SeDebugPrivilege	1056	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 976 wrote to memory of 4568	976	SearchIndexer.exe	117
PID 976 wrote to memory of 4568	976	SearchIndexer.exe	117
PID 976 wrote to memory of 3548	976	SearchIndexer.exe	118
PID 976 wrote to memory of 3548	976	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe
"C:\Users\Admin\AppData\Local\Temp\445200757953e4b85cd025c46bc30d21784bc158854be7ac64bbd7dcf97f1f7d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3768

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2624

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3508

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1000

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4280

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2736

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:532

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3720

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1948

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2800

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4424

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:864

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:244

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4156

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:976
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4568
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
de45fb781cb4556e06923749cb06cae4

SHA1
547b77c83e2aa08479e3b0c8859a87c111e309ac

SHA256
66d407997c651ae4f6a05d39d6da9a6d427f7159c1e870c4c5756d3744936e51

SHA512
f5649dc20a7ce033cd37fd8d5d64f575ed1eb9594e5790feccad511f0e738bc9a6a21cb5d30ee886ead3577106b3e7f1380ac21a0d8925227a2de47842d082be

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
a9679e81f0a920340d14c93543ea3a3b

SHA1
63de88886edb7483504fa7141ab64872cb08d493

SHA256
20bd6318a1402bdb2b65a3459589f41d2d7d447391bb3a096cdcb53a79845c70

SHA512
3b8e7a73f4c2799b8e6a5841ede96332b70af8c3f00df3ea60b4b3f193d8fe323b0eb5cc52310949ad36c68178d1eccf166f81fb409466213a1f606914b05b3d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a2b9c8e5198b61cd153fa768069b720f

SHA1
ef38701cf529b246dbdca734ef29be4c93d84132

SHA256
dfed622c7c0075d3c8d6dc58d518c7177a5fccdbbc8b60b9371b98109c7e0f38

SHA512
35dfba2bf0cb402bb0102ff23bde89c1db0d220d4fd169e2e33297db83549f3d5fe52e62f9676c89613a791decceffde1bc4767a341726c2a8a63f0d8a0f9b53

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
04cdfb1ce70fb2d16bc16916e42f1fbf

SHA1
4294b32b20a8bc99e7f4aa490c0b0d1fde1e0627

SHA256
b707f4d0d052a20566a71c1f43114731dad22ba12bbf939baadfc287b1c9f3a8

SHA512
468bef3fe26861ebcfe2f575fd294ddf52318f29b0b5a11c550197a826a63555cd4b0378fc842a68ea416ad129b86a5a87a958842216d8cc05ed07bcfa65be38

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0a99b39838f034a205dd1ce8059b44f1

SHA1
af4e2f19484550dad1a48b1bc11fbff5139a1342

SHA256
c9c1ec846adbb2dd774e1ef89980df2c7dce448d6283b25b339f123d352851c5

SHA512
42e71bb4adc8d3b987fd9b69e13ddc696f5007953e7faa6da29440528eba212926e0a7c355ed89a38418b52bf8c823c0b4442a018cf998fa1e3b6d917414bd6e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0d0a8c19891e261da1ede96fb2e021e0

SHA1
d458f2c1d79619136816fc114c7e61fbf6f909fb

SHA256
2d4b0b5c2775b91521451a194c7d670c119fa5037f3d05fb45c3e52dca7279d1

SHA512
0761ebbc68ea78b84bdb4586725b57a67e14de97a326660c2453a4b1cdd8af406d4ab8a2c1af3d20db83c8ee7f0947ba52491443572b0fd6144d7187feae4de1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
d4ba8c7cce48444c4a64f7b7945814c0

SHA1
633754a8e1a3b456f935e543cb5d849d96383a12

SHA256
82ff84983d2113f3159d39c52a4b3cf9b74b8b5b08c0bb9f7e65e217eb057b62

SHA512
3d2c26166e2ff59726bd0547f5921a193446df1672160a544890c4f0a9c5edc0c1ad9b899607787a6d17d83541a4ef8bc6a897ae3fcc453595e29cc5e618b895

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2d277e2c2b6ada387170e5e01b107637

SHA1
9a51a316183ccc1dde00d2a2477451ba78b4d573

SHA256
3b22a412e4eb688b9de443a0b65f3fe99a79f4cd18496054af6016000813addd

SHA512
8548cc8ec4c50a86ba676643dff8a66e2dba9abc51b9b828dbaa2665accff7b4a670c39485025362ad5736e2ed12b63b77c7d16d21b24ab08aaedea6c8fb78b5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
1d7dba1f8540d2c15090d6affcc15f7a

SHA1
48dfc4c2ee7119509c1f4170ab0d43f696e6041f

SHA256
99ac1568ad219b260fe169178142d0f9e1228c9c48c5cfaf3bcbdb960b1f33ab

SHA512
5091a21c27675080859090320ed9456cd3c9ca07ba96d17783e74cdc1b02374547f660bcc8ee5d4d29558ffbc91e1d13947711ff6f0c2cf8daff4af8133930b0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
962321a6c8d64a34aefe4a224898b93f

SHA1
e510c0008c7c3388fae451c48f80a13188171a58

SHA256
4b506b3039995472b9f6bb77712b77d10f5a4d2b288374218a881676b9f4c4a5

SHA512
0e76544eb30e539304ebc1eca41b9da0130b6929be3278f23b7f1a1b8e218ebf7664f438c7f3dd612ea488c273b5c316d34b782661bc7bf4bf5544fa9f3a1a83

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ea5a0fa01f02ee0c7d8d1d936de2f083

SHA1
5e9710a3b66dbe840e493bfc0cc1592fec57b279

SHA256
d2fcc349dcb5bd614dc67923e5389ba3455b56c9da85e4448105d522a18912e5

SHA512
e873ec53fc87a9ea104254491a0b997d8c2efe979b688c39d65e1b9098620e36ad95fbf4a125ebc191ec98ff3f4e568c86cfa25207ca5b5f6f2bf1ffed3c744a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c541ed06801e9e541ac56e83fc666523

SHA1
11581badd3a1302db66fc8fc297d223c4bc25049

SHA256
3e074ac9981a7ef259d7ea48ee34648527be9906e8282de3dcaa89095db4af5e

SHA512
355621d3f9ea28b2f493467a012a72f0ee753bb8810487a9b461057e3ae68ad75ad5f7e3a64439d9fcda1fd575567cdc5ccb61b3128ae3b7daa04a65a41258e3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
d25006814dbdff0146b9c16f01bd2f9b

SHA1
05210915e1339fd5feeddfa08e31f6234c5dc9ae

SHA256
36c20b6cd905b65f8aed38aca2b841dd12b1dd11c815e504cb360fa809d25c9e

SHA512
4940081719a3ee19e5e477b8e09e15edf9040a2cb9b69550a53ffff26f42098e27d16f588bc12eef2a6800fb2c6c9727808fd6a8d8a14a0533991c9580c73e30

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
e19fa92caf52fe0091828bcad434fffc

SHA1
a78c3843a065cff8e49c797cbc48cd5cb9f383db

SHA256
58c2c58366eab868ebf8966d22e7660813db3ecf19019f14c3fb0bff0b10ac0b

SHA512
87295ad706d4fe84f3e2d4129018a751225bead6c123520e0ee6a2b84e3894f43342e2d343a514a332669eeae317aa708f3a8edf2e6f350e1461bca4f91d04fc

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
91f180cf059349e38f575279451e8b60

SHA1
a3d7590662d8dd846c0c4c2fc2e45fd3591ea9db

SHA256
49cc141ebc1a3905bac643981ad6eb5c44bf56fcbce37401ea71c111be1936fc

SHA512
8842012b9f1f0332f02e87e2ee6831e3e53ab5797a133486ec4f7c60935e1c1a60722b8849423e2c02344e2d3b3c98180548e04d336f7fcaced8e7dc9450dd36

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
98e01acd1ea5464cd67a0379ba5e9ba7

SHA1
3db0141e745629f17be1a2376274fb8a08cf9a95

SHA256
75ff602d9f89ca5b93e239e4c9e2312c130ceb6d518982cf6bc2d56f8a709428

SHA512
5940214e67855d7039f070a1d30e5e088ecfb549005e79f44aa71ed2101cca69f4879e17c0c3e152497143a4133b439fa3115a493e76efd7e483d94d436d8f8e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
f1286e2020149c87be91d1c2a60e7820

SHA1
7b9fb85a3fde52b71fd8dcf81e4be1f147b86fba

SHA256
ae9bb8291aefe58b2e6d814e6787473ec03740c7de7b740a7bdee41151513a55

SHA512
3d93b97397b057c6f1d5c543866cf2b7493433358be8ffa4594345a27f03568243fda9d92d4485a1c1ad642618f9a5ccd627084ea5292d2c30be1f2e4010e119

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
d59a8d04f6f6ca8527a5aaea9dec2e33

SHA1
1287295bf4fb4c3158a8d46c05b2c3d05ac5e8f1

SHA256
71a9f20f56151257bd377c544f99e037c98a54772074a1d8a0bdb27ef1c9c1a3

SHA512
b49ab4d51d0a7c52b3dc38dd7604618e74c8d013df5d00e6f5d1a980530cf4a78a22da4d79247f5dec2a034b067c7045e2b24f07a6c1eff706b798ea76580a50

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
e4bfcde6419df045e0334be9ba1c174b

SHA1
810cfa7d7e8c90e7421889bdde6b40294c2a2aae

SHA256
a4c6e0ce11db9d488fc5778250e6afc2d7696635a12472d9abc2d83d4b4c2437

SHA512
e3f90fde9a3c15c21c77d5a4c469c1feab69778eb98d94d9b491b5358ac71acbe6d8f5ca63f06c8beb344fdd62df77af6a9e0cc2175ccf4d3e439a96262412b4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
6354206035cdc02aee3ad1164f9e0cf2

SHA1
2791f9e29e73611af880837119ffe0e287fb9597

SHA256
525d9c4fcbbca81a514e64a1070c449cf25cb35adfd61ae115f53b3d8cb20d49

SHA512
2e438dcacaa7891521354cb308d4ea5189fd8626c2d1493eb114e1941a9e3986d1b5d09ebb2863e51508b587277f52e98c892a18d6cdd057676943f185495d05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
0179ffcc7a98d069477660cf99252c7c

SHA1
56c05927623e075fb3d94222a4f53997c1673cd4

SHA256
df5d2b010e8e7e0360bda7599ce36e75603ebc0530eee3ca5e119694291490a4

SHA512
886810965a6b0f0aa29c6e5a02c3ea7c1f2c3bb127c392f608aaf97ddaa59c7bb243e4ca98485557740cfd00a8dd35f5fe49ad20b0e9799fef876386c72e9d42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
7b7dc84392b2d368cd225f7ad9516bda

SHA1
f3989b9ac46f1ff6f7122b5d186812f40fc1a283

SHA256
ece2709ff9a4c179681d4c2e351bb79faa1893b5ec43f5ada88e34373ef3bfa3

SHA512
872c0d45ceb15288017425daa89dd8d5f989e72b457c039ba27cb6949d34fd013d164f9918a4e7585ea9a6409737f3bd6787c652ceaeeac35f325b2894e39e35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
c0173f36e1a1dfb4624eeeb26af4ea79

SHA1
808d2912c645fd9eb952cfe467d48caf40da9945

SHA256
f50664ef0ba794cccf2c533870c831dd044a5dfb852a21338ce4d59458be86ea

SHA512
b0df7a8dc67e74e4d673ab9b000f4b804d763badd9c5fa6e6b1fdba0101007b3b1a968d292d7d608c52c54a6dfea8b2384b191e0c97a951d156a8082ace78506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
66cc9b0006b74f5accb15ed01397f8ee

SHA1
c788fa65a1e017cb88d9c04525c9fa9eadad4ce2

SHA256
d9752c18c8600ff294a1e12980127af8f7a7522386f7d292716480fc26323d68

SHA512
08afe8e557407c1269935a730bc9ccfd88eb3d9bd8bdc4b429322766cb168a8b5415e5c8b6b9bdf7ced1fbefde86a42d04f6033ca39564f1388ae27142ac7172

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
796f709a4247789ebbdbca2a336d6e4b

SHA1
21b76555e55afe409aae1590b30bb16aba387a28

SHA256
dc2c9e4402769c87ed0f2a96bab15f2bd5a683ac5b26da5345f77af1e2cafd8b

SHA512
c28108a825809576ee63104c20a9237ff216d4360e308da956c30dd48ffbb7e7e9686eb34be4ea52660aac182f7de1ebaf3fb485d2c8a54e2903eaa633ac0828

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
7ff397c5a0513f1fa1fd1c08dcdfc5bd

SHA1
f633ab21234950d078a91ca88731d28b098633b2

SHA256
dae05c444743eeca10ff2cdebdbe40bf5d29dea0ffddb258a5271cbc26a9f726

SHA512
f1c07f518f452a3bc66f08ab1f59c23bc782f1361dfc76dffe8e748b4788edf3bcd46cf6e5835764ec2c045faf6c60d36d2e736685a31b7b265e72b1ec372068

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
dfddce50e6e2b600ef91a18cb8bf9f1b

SHA1
2f68e8159b7ed63fbe89973f06c97efce1e8f533

SHA256
bc29074cc080af351957b49a9fefb5b5e4572acd6113caad59c556a7dc09deb1

SHA512
7cf63aeed42018bf5d236abe0539af729b65887402cac49a9402dbb0fd18cf9ecb62f3da00c632a93c7d1ea829d26bdd3a29095aa0f5b2082709c67fe479fa6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
6642a691ffd837765e3db922bd07bdc3

SHA1
c22b409e42150495fa9bb440dc8c8db96fc4d3c0

SHA256
8179c8979c2ab52e1a1c965666d5d48c83924cd7937519aaf2f8e75c89881cd9

SHA512
ac495e78d530a072393ce5d3f337d7e128cd681542f3b24755d411ec4f27f680c9bece11621af11314b8190c1cbfb48ed2e16ec51595b77e5b55ac8ecbcd4ca8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
64d42c1bea6506c0129f3a607e06bbdd

SHA1
24da60932d76dac1c27303a8cea972938bb92e19

SHA256
935982a11e17793a137e6c90afa137b2bf5c0f80a49550102dbbbd88b8654aa5

SHA512
fa4380083905b6c44fb35ba57631c145eb0363292ff89e1196d09c8d69202bb709c9043d670e2aafc458ae8bdac9f976fd7f748228a238661e9167cbdcf61fce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
11d3883e187bfc31ba2fd26eddc6aaac

SHA1
f6402ecb0358fe4dde83efe11eb244a66f0ae8ce

SHA256
bd258e97cdafba5d7ce0771922436ac76cba0954acff43af3c0dc775c86c1838

SHA512
fe9076809b0485dd3d701e7a297f2cdf2860201e83234f500f16d862034b4576b5875390680739e1d006b4c3161759ceef2cdd07b7856c65a7f70c1f79bb9354

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.9MB

MD5
6f152233561a8d033d09cb17d358f643

SHA1
61ef16d850880d40c11685403ffc43cc46531b5d

SHA256
547e7a3317e62909bfd735a4a98fc946c2bb4318508eccdebe202c5a73b66253

SHA512
cb03bf90c93ec9afbac0ea22947120ff474d2d2a7227da523d8918aaa99853f58e5760ca90884b97a95559fc429c340d1cc7996fa5701f58c2c403c70e757da0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
4cc9bfb1b5eb3b74fdadaf6e4917263d

SHA1
c17a82518990a024901396fcb3253bb3d8fdf833

SHA256
cc38e51bad8e8d33e0a6ef2e14c8f0e009bca482cf926bb2a7f2d6cc3cfaa2c4

SHA512
9d34f30a1077807691c09519c63dad41b35700ffc00c189af75583c79d2fd15fe363fe558d6022e2f0f0424304e76b6f5d07867b6b59122210263225ec326fb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
fc3621881afdaa87f22cd83457683b8d

SHA1
787e71f04f7db6c9f0593864b5c6294fa21fbdb2

SHA256
d684e71b71997f6174d9002bf971880b0d56f0ca48f0b48e8e2a83488aaf403b

SHA512
6365e819af85e79e71fc2323f4ee6c26ea2ea56e7840de198e84d2529288bf04ddd8b59e724ba85d247e5c2f21c5a4475b7dc4e49da675c3ef27ff78001ad497

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
cf7ea3fb237b1b7e2d9fc13351702d0f

SHA1
00c1fd071964b6921d98c723b6eb0aed8be37922

SHA256
501d2a9f7fc0e1ac1514bd3a90c766824011d0529804b7415685c97d6e6ba9dd

SHA512
674ae62cd30693aeb5da12aaa5d0e5dec57a523fe3b562875a1ff024601dd6b2e730688f71c22d0140afa6251e3d0b80f8355fe8d2b60d2e6cf2a237a33ca153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5ad2a876ef3d1d77306e4236c4ae786f

SHA1
9d9d62f909c71c9fca9178db4b4bc8c929d52058

SHA256
9db6143acd0302a5183b86c3ce1211de53f69025b0e4246f145f8ee4942288a4

SHA512
11ba4a29a459b5ee3cab3a2e1e776e9763f97ce2cde51db2f362ce0f4d9b0288128146999ab636480722657c33aeb9aa97a7793657712e282d5965308f0d31f3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
eec1fccf28b647139bf44e07a22f8e72

SHA1
b8956a65f191e1a38e048108f2aad1ad011fb76f

SHA256
a7990b7d8639cf8c284c996c7a9bac246166f47d23e9d993acacfedda8adf9e8

SHA512
a3168bbbf312c8df8d08dea95fabb457db465ad9d88ac7e8363bfdb1999c5ba411a3503bf63bb859a73d1de60111a8a4ccbad73566b40a723873011f14f37af7

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
94bb0f1a46cfd7b79dbafef4464625b9

SHA1
d803baf62ebac9a0100765d12029d3b909f41700

SHA256
fcf80cbddc201ce547a1b8b8efaec6e28b2ed88dca4d2fb2a403d49a1d600d99

SHA512
0189984aefeecf79e8b8cd8432806e87e280470907af436c0872021324098262a5904adbb30793405cb4949242c3f0ddca1daeb29d0a3dfecab14747470764e1

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
3c2643e84f4aeb297f735b86dfd4de78

SHA1
24bf959a6f0fdf55a343cda4abbb793ec311866c

SHA256
251f35e318dba435cdc83a6af746c413ef635426dbc1c96fe5bba00433944c59

SHA512
cdff574403b44467ac3854027b7897dd3c297d828a0e1a9ddde512d65ddb604c3204aae2c13327de4893dce8e714351e5f9a4b96dec85d778a19d290519b1ceb

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
659f41aecc3631b43b4680b5412da49c

SHA1
732a3364910ca7643fb7da2f2e2e066cc2e6f95c

SHA256
d6f303c79185acca242206a6b9c975a678686154d6bd3231a411d00345d08372

SHA512
17b0751ce35040f43be4fbda48219f5879ecea68311c0f2e9ac7567fc51b2987d741d899565a8aefd541ba2056a44ee4c371de33809a4a48b2f987b6d8828b76

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
0a25c06f5a5a43aae70be7f5a0f1299d

SHA1
11a9f1f3ce39091ca3d1dc9e98c7c16eac275470

SHA256
4cce53a640084fa5dcf2f955412c22f296d1ddf6ee2e0ba89163750459e15516

SHA512
27e3b9949143890326c257969462d8cb656fab959d096d35f753b9db77043de65b8733321a29f8d519d80b6b7441de0a3756b571aa962a9faf340ad21f4275a1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f71a502c84038013db26dc0a7cbfae47

SHA1
1c20dc11f59dbdeeed369cc744aa61ce6947216e

SHA256
cb99bed3c0b3f39c79b2b707d38b31137d37be957e9c7120305ecd05eabaad65

SHA512
d63b1c6da5ec21d817eedb2eb6e016e66d99371ffede45ee7e8056bb912e88232e28787bd024ea4f4a4f9d951a536b3676f0c3e5f21f710a28748dbbdb837be5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
f14cdaa4435ad246324f1c5c885d7f71

SHA1
93f7a3ff94f287b5bcbd79f88263bcfcbf0a9ccb

SHA256
4b7441401e3e7fd3fcb8ca254c3fa06b7cb3a46dc84bfec110a14b72a0fd1656

SHA512
c8d2f6ecf1b76f1a82359fa9b40969145a505767ddcb3ab8d2528b4a1c913d9420236185a96d895974ba7e05df40d24031b9bc155fcef4f74644150c61b46272

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
e20d795787400f0ec03e06339eaba85e

SHA1
c4bcb7c977de990c52bbebb3082e26f590125a3d

SHA256
479d629c0a0e682bc32b91442f846a33dff4ccd0e9658b5b54aa1332429bd320

SHA512
f364df96a8fb4940018c257028eeeab031bd373cdcb8dc47612fb62535d8d6c1d0cf910cab1a24dd9e457a3e06774dae150ba2ec813186123f6fa7cd8a6b564e

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
0eadf3175d0dccd3e4c4d53b18fcec58

SHA1
e29dbaa0ffef50ffe84b22d1cb5d9d97d6407afd

SHA256
f8ae9f22ba30681551b943d05e56fe8fdc604ade8e9b408205ebc08da6940d1f

SHA512
236aeecd3be8d6c7d77869b41c895873e8c5eb8f9554c1519d6b0cfa67ead1e510237db4588abe03133a5cf3a60188c7804c6b54e5d087e019ead26d1fc1bd22

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
834a2a2009dbe4d0fe4564c41b4d2b73

SHA1
e5086ad6759f495bbdde3998b5d49edce6879f56

SHA256
0d7639fb51cb94a5be9f976eb2f4a490154cf6f4a37c9dbd209234d265d4f5fa

SHA512
2e854a6f0d0bfd8943993ecaf6f337671ed7de52857159ee5a133705b569d0afec8470c6cf1e19e723e7ae12827d91404ecc059ad6ad1627de83306b13fa5137

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
76d71db44c3453dc637ca381e208fcd7

SHA1
68ca5e134af73bdee1ddc2f6f1183a0c0bcd4aab

SHA256
21b1cdce93c6ee3c5c7ab91a035b3f0796c7e53c8ec0883a89fc94bdb7bf51c2

SHA512
b0d354229901d55c17b3e3654ee2c74eb8b04711cd5801feabce1725b34696f35dea7590b8d1151e2d95e13d33eb6a4530e44f01c0aecd39f574af17b9ece58e

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1f32fcafbcb314ea2bf8b701119d7c85

SHA1
3eeaa4bb4315616739f70dd015d4a2777a4e43e4

SHA256
944049b3963925d982c4e1ab4d0de9f73246b7fad5d1c7f61074c0caf590627b

SHA512
8c9eb0cd66b9bfedb61302c4862195e18989ab882d3e7476c0251fad649cb2736912dd2cbfcfe6b34240675d46c59431b62bbf60d8a424239667e9be5471e6f3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
a7d766cd0bb9b897b812128ef69c8f7b

SHA1
ae6a1c1fd0209aa2c57de459035061e1ff4f8094

SHA256
3481d636fbb1b7b731601e1428d9d567a2f1fd23776b86a26d2164d65e38dae1

SHA512
1cad1ccde33a848869e48ed321e723433947f5588798a15d0b7d690c2105676ef3e4d8d45238c56fec687151002e3587420939d635ff1d4f297ac44543a7e7e3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cd3393e3f0e48468512c210fcfaf71a8

SHA1
9320452ec6a23f3c379729da8067b71ec085da12

SHA256
f8d2b8216397e619f8b560cdd72123242765ff5c8ef81cb69c6b21f8073a9a19

SHA512
47c56d9006f6df058edc4cff5ffbbec1fca3aea49cf1424c7583e60edffe1749d8a7562ce360c6b0ff0f86c80d40e17f4ae511f5659e65d29517d7659ae050c1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
8fcd74a1621ccca2d1966297f6ea59b0

SHA1
7f43f95372d602f79b61c9f93d04370798db7368

SHA256
9ddb75b2953ad1fe93264521db4b13788e1a189da813f92e5406813705cb5961

SHA512
a534535eb051c67c50bf0004660975b90237726b62a24350939b877b2e3eab4d2796fc3604d53dbafa3aaf034b424a1e4752b9fde8ebefe0d92da28e41e98486

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6a8f1b2445e1d3fcdfc622ba3195619d

SHA1
9ecffa3e4e0e0d97984946d33c43342517c393b7

SHA256
92a8b559ba8f1e49e38d07c3f0d0060bb5e4642daba992ce47bcdc38d9f57666

SHA512
c94ef20da2655b6f41b9c72cd265f1862c1dc4ee2064e77825a86f765d9b9178a6c86f4fa7ba30d295fc277ac90a43a0f6ad607f2ece179170866d97ee34d1f7

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
33ea2e8cbfda0bfd592d9ea3e2e43477

SHA1
dbf4b56b136fe643851621cb2ba567ae4f82683e

SHA256
f497729317ad690d356e1d0b2744c9802e052896cac0d03ee726f68519faaeb0

SHA512
afbe56cdf8295ac4dbe070de1a03751bdc7612e6e76d14eb14f5e21c793fcc76b8024356bf7419ba333aa58e93e9c2f6a446aa43895fa4841b2c1ce08e450cd6

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3e3de69dbc3a2695cbd16e1966ea8599

SHA1
a16db03c2853962252df8630c0605ef96bb44939

SHA256
5c2920968c22317612665b85b4b9cf50d91fb51d365508d7e08dd9441557ebdc

SHA512
634f3f41ec02cc6de5b27881973e459f89fe2e749df81e6128d0e20c7b5d68e022f2fdceb8e2ebf919bd67722655d27eeee2f037db878227b8cecf3d36f01fd9

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c3cca4cfc5e1fcd6ee4e5872cda78b25

SHA1
0076b35f37ee6d9b168bce32384ae32946070567

SHA256
e286248fd215abe1e70871c01081886610c6bb207c37370033631b3ca09455e7

SHA512
23bfb8d18a7f7698ffa36362d5892432c3d9561a1378e345eb970058e6deb6d4ce6805cd216d4015443df3a107c9f9230178895b2c065a56ee4362589b354297

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c4d254d59fcf03d6850e901eb4fc1bd2

SHA1
0d1c16b8c0438c74f1af666e897fa6c3900bab22

SHA256
fc018269c3c4ffc47a778153ca3820e44a7e7eb635352951492232735236c4d4

SHA512
721e1bafef17e3b9254a5263921da8d773834478dca92acb2324d8df3bf796abeb61cdce3c904134b7a0a6497dfdd6f1bc98fb3d134a803df5914100327109e5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
361b138b8f2ff772f818e0be5c177d51

SHA1
1914a7d02471bc00804be386e55b8aaa58cdddfa

SHA256
6bd89e14e6f01f6633633af5d86cc1ef5255cc19b6194bb63582a8925afa47bb

SHA512
e2c56405f0814f632550d958c7944e384ec55fc42048af14e670600a06bd00c0c9effb46186c8fde86c7e647896ae7278c8ceafffdd1ee02610fe07a0eefef5e

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
d8d9e8e2e55d70c0c280af8057701fb2

SHA1
656f9af8968712c62f6cba8aa577644a65da5754

SHA256
94d1e8f1515a798ab6a7870b6ae14645c91ff3be88aadb1f6e478c5e94996ae0

SHA512
ddaf414d6ce24b4f632a4094c70736c57dee40d6a6b5a0a47e25a94d3c95edbf5a197d65ca90ac134b7a5560318e863e07e8ef3f8035f8a212dc43d6f752478d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
d998b077e80564af7aface65c47c2e32

SHA1
a501fdbd598abdfc1171ba3e3fa481214e604797

SHA256
65b330a401f30f9ca7a5cf3c97f712c40585f4a33f4278e8b63bacd90490618d

SHA512
52b0ba733e37733a05329cbc07005199476b78fdac0a25b61ec3d8e93d7c5b0ff56b957d0179e949eb2ec400f3bf617446703b0f32e2a565bb5102dd6d353f29

Download Submit
memory/244-580-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/244-198-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/532-126-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/532-235-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/976-587-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/976-281-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1000-84-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1000-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1000-74-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1000-85-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1000-80-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/1056-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1056-25-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1056-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1056-125-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1240-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1240-63-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1240-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1240-69-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1580-195-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1580-579-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1948-150-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1948-280-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1948-493-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2160-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2160-59-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2160-53-0x0000000000CA0000-0x0000000000D00000-memory.dmp

Filesize
384KB

Download
memory/2160-52-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2484-242-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2484-582-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2624-17-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2624-11-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2624-18-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2624-124-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2624-19-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2644-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2644-46-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2644-38-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2644-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2644-48-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2712-129-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2712-247-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2736-113-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2736-232-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2800-170-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/2800-474-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/3544-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3720-259-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3720-147-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3768-1-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/3768-6-0x0000000000B20000-0x0000000000B87000-memory.dmp

Filesize
412KB

Download
memory/3768-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3768-351-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/3768-98-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/4156-586-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4156-268-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4280-89-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/4280-99-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4424-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4424-513-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4948-581-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4948-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4964-585-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4964-248-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download