8f7f03739cd8e22a6774c321fd38d2e26a5497127f7365379404cad0ec55b6b1

Analysis

max time kernel
119s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a827a0ddfde4070906f151e70b04230N.exe
Size

625KB
MD5

1a827a0ddfde4070906f151e70b04230
SHA1

a6b9ffcd43dcf9ac8b3495183866dfc2726bdfa8
SHA256

8f7f03739cd8e22a6774c321fd38d2e26a5497127f7365379404cad0ec55b6b1
SHA512

bacfc49c9ae74dec2f07338d64627eb2826d4ec42d13cb000f80441bba9a8d91d79e32b465bbb6c84b149e757c82576e12ea2928eb3f06eb2a47867dcb56c1e0
SSDEEP

12288:D27FCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:y78NDFKYmKOF0zr31JwAlcR3QC0OXxcm

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1620	alg.exe
3012	DiagnosticsHub.StandardCollector.Service.exe
1724	fxssvc.exe
3204	elevation_service.exe
2456	elevation_service.exe
4428	maintenanceservice.exe
1644	msdtc.exe
4624	OSE.EXE
3756	PerceptionSimulationService.exe
1008	perfhost.exe
1992	locator.exe
3988	SensorDataService.exe
1152	snmptrap.exe
64	spectrum.exe
4312	ssh-agent.exe
3648	TieringEngineService.exe
3212	AgentService.exe
3696	vds.exe
3188	vssvc.exe
3400	wbengine.exe
4084	WmiApSrv.exe
3504	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\locator.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7602d2f9d1b02b8.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_85546\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1a827a0ddfde4070906f151e70b04230N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1a827a0ddfde4070906f151e70b04230N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006e47c4bd68eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7e1ffbd68eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f7e0c4bf68eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f93f1bd68eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009d58f6bd68eeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000710907be68eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ef412be68eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ca71d9c068eeda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3012	DiagnosticsHub.StandardCollector.Service.exe
3012	DiagnosticsHub.StandardCollector.Service.exe
3012	DiagnosticsHub.StandardCollector.Service.exe
3012	DiagnosticsHub.StandardCollector.Service.exe
3012	DiagnosticsHub.StandardCollector.Service.exe
3012	DiagnosticsHub.StandardCollector.Service.exe
3012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1576	1a827a0ddfde4070906f151e70b04230N.exe
Token: SeAuditPrivilege	1724	fxssvc.exe
Token: SeRestorePrivilege	3648	TieringEngineService.exe
Token: SeManageVolumePrivilege	3648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3212	AgentService.exe
Token: SeBackupPrivilege	3188	vssvc.exe
Token: SeRestorePrivilege	3188	vssvc.exe
Token: SeAuditPrivilege	3188	vssvc.exe
Token: SeBackupPrivilege	3400	wbengine.exe
Token: SeRestorePrivilege	3400	wbengine.exe
Token: SeSecurityPrivilege	3400	wbengine.exe
Token: 33	3504	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3504	SearchIndexer.exe
Token: SeDebugPrivilege	1620	alg.exe
Token: SeDebugPrivilege	1620	alg.exe
Token: SeDebugPrivilege	1620	alg.exe
Token: SeDebugPrivilege	3012	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 336	3504	SearchIndexer.exe	113
PID 3504 wrote to memory of 336	3504	SearchIndexer.exe	113
PID 3504 wrote to memory of 2572	3504	SearchIndexer.exe	114
PID 3504 wrote to memory of 2572	3504	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1a827a0ddfde4070906f151e70b04230N.exe
"C:\Users\Admin\AppData\Local\Temp\1a827a0ddfde4070906f151e70b04230N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1620

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1904

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2456

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4624

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3756

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1008

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3988

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1152

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:64

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4556

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3696

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3188

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4084

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:336
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
58a04d67dba7fb865bf5c0f24300bc61

SHA1
5c6b56f8ded865a2b93a0ae875eab6ae5575f843

SHA256
2c3b0d3f3579ae899a414e6eb6c9f1a8bab2a40d2eb2ed4142997e97c0eeb1ef

SHA512
09842db68b6d08466ee014c76574a4fd7c17ab51c2a3fa0b9dc05b0d90e80274dbc5e1fef3951c8122ef00c89dc5e7d6e0f0388d2bfc3511b39740f1450472a0

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
263ff84a325357f48b629deeb22d9059

SHA1
3b9e2177cfa0351bdea71ede420e7fb66373c19d

SHA256
d09cb8a8fb43f8f3eff65a18e58964730aed3a49f5eab45d585c911bf3d2ae33

SHA512
6e856d8696a48591a6a73917598fb5d7a7c8ce8925e435ef7d24ecd49f4cccb339e7aa4e02a03372e7c4a6694f3b2ef3ef26afc2f460122a76ed3aae186803e9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b78900435e84e1477ec5e46c761cc959

SHA1
224778b095ada1d747492483090031325d7becd3

SHA256
ad3e64a3b30fa28ee2d4f8d52e69da3f2f2159c59044fcb8145054573493aba8

SHA512
9e877519eda2324995d58cdd603b0da5fe82fe0fc8764b29a584475fcc3f9e95e7a2e30cab13671635b3298324be55ecbb77530b0144a5b01b275531314cc60d

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9f3aeabd806719cc3c0dcbf8cbc4f702

SHA1
baeab0ec51738d7f5cb557becd6ab5fe3c06d886

SHA256
b480b3882f8b5cf7ab1bd30c0a240b934600cfd943d1ef048e4fe7bb830d3f2f

SHA512
f9d0787d58fe1e01fceaec50cd98a8fadbff8f0ba0c0c0a87d30a8e2a4292b1f0558597a73275d39ee4df6ba1adbff8c78e2425869706942586453a35f7f49b8

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
429d5d856ef2b4864ea63afea208f363

SHA1
99e7ee50de4cd2b29773f95c5e02b5bfb3c3cda2

SHA256
2d3a8da2a20739a33672df6968f00fcf6471bb6a6ff07583cb8142725cdc3728

SHA512
1de108573040957ce41fc92adbbffffc87de2479955c8c9c67d2cc7dec27da4bce7a29f00aecbe24384eac918681ee4c954677e2fcad0d31840b8fa4ca07da52

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
fedc8c35f992bdb242773dc2d9a5ecf4

SHA1
61a13a83fcd1571e50748bf0826b53452f1152c8

SHA256
70a1a61c380869cf02f44d763eb628624919e12d1e62893acf9aed9ac8a7bc94

SHA512
9a4638bf360c54ca144e378c8197814e59c9b329d70d9e4a9787d30f6ea27bd166e65e994d4ee0b401ed1fb247445ab9f9811692c11f9fb64afa3bf06e21db82

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
366409845fb0ec010f8250b16882eadd

SHA1
d4680c2f775a7d39dd8977d63ae7abe1351c8400

SHA256
6c01c4312189253e6dbc32ddc3a608ff7b510ce4ee145038cfbeceea228cac49

SHA512
4a2230408f3b8ec9ff5cbf3691742d009966e8a2230128817dc754da96ab17b21225dc952e97865d1c3f88d2aee6eaa79c906ca93d53c7e296e180b7d6542624

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
78a65fff79cc682935331c9a30ed1607

SHA1
048298b5c597f92376856e650f1356bf4625433b

SHA256
5e26c379142f4096da0da4687e0df2912f95fe157025e39da658aada0bd15c24

SHA512
64be83cb92a1aad7c9b443a3a239fef1b7e2f936975778de1b62b822a14c9d17dc173fcae75f68ae173cde1ba9955242de1f37eb91c8c5a965832e7d4afafcbe

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
4796f6001f8abb9f074d9aa8009560e9

SHA1
a810446b6549f7bbbe11a58da9d91d113730b525

SHA256
ca11a53364d7fc5733c620328a673dec367ac87fef6f572bdf693eae861e7d6d

SHA512
fd1e7edaa73660533c23126de94cb435cbe29cdfb49cb0a916e10261cef1e6b12ccd87f25d856ec3ce14ffbfd6e4969134c3dd5962657bc8de6955d41e5ccaff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e920eb21641f5c4316132cda3f85dba1

SHA1
21dd7c11047eff05e7020729cb300226fe0fdf9b

SHA256
a62f4be8748b23a48af00e91932b2461894d0bd3a91c51b3aaf087110fb98dea

SHA512
5d81b4eba099d34a376d353bf65a6afcec0288e1eeaee2d914782d2f388683e32e1215e504ed4c50c8d3dd8b950a0bf153dd13d073f601628afb55bd987c39a8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
af608d9b570a9b3a4e991d3753a72a28

SHA1
e5a172b7155ebd1a8ba75d5432db90386ab130db

SHA256
df6c8eacad1154daf8e13e403ca7da6116c39279526b57360fcbe65f5c2a8e89

SHA512
37836b233c7d8ebaafec1ab84da959970130be99c83a36640293ec4203a8845b6145f70e34956b615f4e78b3317c11befbc7040b479762a326d2c107b4dd08db

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
e00bb1dfc65595714fdeef44cfda4e51

SHA1
bd5a6327075315320c41448372c8996fd7c88ef7

SHA256
1838e2549f8ae72204da467dfb69546b6b3047cc62cb78350cbb39ec51b1c0e3

SHA512
6735f77360270f300e2367349c5101a7ad7e08ca966f175db9d7412427b5557b497c027e864fb0c633846d4a5023050d9806c750038f11d85a87911306b658e8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
043ac54992015f9566a9e37f6035547c

SHA1
61c5ab8ab7a20be592e0c6bf607a4e59413b85ca

SHA256
8bbb8a98142a936b95df4fdc666a16c55b1e7679cd1f2227acd4c62707a8f2ce

SHA512
afd26c441e6254ae2c2ff0794e0554e5fcc9cd22f4d83fab308bf55042541b2d7e0f0eeb121aa1ebe2c816feb1d7d3addb9cd347a807d2ecb5797bca4d62736f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
9feb4d1ec526c01e8d8db72977478643

SHA1
ae4ec90377e3c8c610a6d03e45e2f9d5486430ec

SHA256
562757fa4d2ae58b688a1270949ec203bb859e2db81042009c87337cff1dcaa1

SHA512
87ce1bac740275bdda978285f0c95a3b84b00275604059a5a08a4d681eaa6d702e7ae7d1ab4874c6aa43e410bfdc0cae1a05200d0dad37df66da191427c0ba24

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a639ba14c38c1395c8dc6c67a3898dca

SHA1
a040bb2dadf694381d7f681f27fd1612b9e56f8b

SHA256
dbf43749cceb63c6119bb4982d8a671529923b4803bf1af0a650290745b385ea

SHA512
7bb7881d03c26651a1c28b2fc88bacb490165806b81c2c7e9200eee32b55bfad68e79233dc1c4bace77c1f62614147b091538b53471bb5c067d21f7391860445

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c9d008342209b871b1004ee2d0ddd493

SHA1
092c6d86513ce59a4f9827697c12af7cda51327e

SHA256
4e7fc16234f5d237c053f4ea34b3a5d945d1a455bca588f3cf04b2db8dc889ac

SHA512
e177480cdc069d923cc44caedf98a8725452fd74d4d20d3feaacd18e3d32a6a7e022b76b9ea35640a2ba0f1c54808330061f67090f70cf77add414a06819fbad

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
e8c9da85aff350b0cd2405c58fbe088b

SHA1
d50157b0db497f7359434dcdc9df398345424de7

SHA256
a02a70c8d786efa517f78be128904063e11bf0613086883f8c576ebc3b6c6618

SHA512
e490917d3bba2b5176306b7df354c792f9934f6803be48952211dee7b668fa15e665acb89e1c2f8aa2156fb75355fd095fb4ddd32f5896fb51d19f7a38997c98

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
97b6571603c90400c4646765d1620f7d

SHA1
6019fa7bc0fa093a3e8e9c8c345a9a240941929b

SHA256
47cca70e779bdd41b59774d79fd03ca6e3b39036bf6592d8c5e9241bdc528076

SHA512
5a425ac71960aee5fe658c42c91badf45d135c48ebe322b11d364ffad17c26427df3e1793c7ade041629b350addb651a065c46ca8d1e351c35bd0e0c02fc3b37

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
d03562717958f6bc08a41694b006f0d2

SHA1
854aad35af2d5d837cbb74edf493c765d071ab85

SHA256
9c4063ff346c218bf8d88ec4a4ec702184f43e0591ee668aa639374d218a4058

SHA512
b0dfbf892f2647aa1f07df6a8dce4d3442e9f24d5f326deb20d37088783b216876e0be4e5baaff1b57da413a2faa4d6369495cf551d1895e3596cbef4be57452

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b7e0d3fad685abdb9dbad6d138b68a92

SHA1
6822f40711b4c41062bc08e6455a573b8bb598d9

SHA256
3565b5b9751fda7efa08ea5e16dc19015e8818c9255430768593ed3939343548

SHA512
d75c4080820026703bcfe27badc049c2578a0ed8594eaf17e36ca25340eca01dc661eb14da68a54641a48a94a7bfa5d6ef05a7c963de073894fd015f21f00ee1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f44a011ddccdbe23463cd6700fab163f

SHA1
0765d015b9e282a1e77441cabdbc7219ea143ce6

SHA256
45790cfc6112eebec282c8b8ae1747947a8462ccdae221efb3cebdd0613a6827

SHA512
618348a5d3990abe1074efb55eec69db377a15e3f0dd8229ae75dd03762855a2b28d1b944786dcf026a606086ad328ddb20aab5f99581c83ae34692b9931d9ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
bbf8ab8be769d85bb39374d39d1d4907

SHA1
a2205775df4513ce45036d91cddc25aa255f74b3

SHA256
26a761623481741eafbd3aa2ec3f3d0e3663df18329547680b186f5f7f09b349

SHA512
6e72217c6865dcbb8e01f1b0ba7019e77af2a8aab367a69cfbb2d58a3eef4d995e3e2f82eec72be8339a426bf53947d16d28a7fef77a34071cc53a4da4323bbe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
58e6f80cab98515eeb18b891533d5559

SHA1
72eee713df3e2a5b7b9f35e98c4d3e5e9effc693

SHA256
fa03a9bd9812580c52bf0f351a3ff17689ee7e0710b3430fb327d58616368be6

SHA512
65809d3d1a1c622e1b311c62c05802fa9d2c916b10ef8fc653b77e94781f6c0d5243975ec3fc37ef602e3c9f3e576d6efd128189d246f79151a2c5e12fed7268

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
13215b6ccba643034e934b8b0c3fdc33

SHA1
8362a579d5ec36e6b28e79fef6c5c52bfc71e4cd

SHA256
f3b9ad46ded6030e005c3d563c54a78ac1f4dfefc6ab0c98e579f128593acc50

SHA512
08abb47e7f49163165ff23d719b52e7ae7060080754a3104b5f2569a13d8d7a11edd986d7d8b71f8b070e6e532cb4fa910fb0dc08fc39c32dcccec5fe19ffcc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
399526c49039175ec90d932deb04c5ed

SHA1
9acb5f7ce49581412c295cf21308b1ff6fda68d8

SHA256
d08f4a132487a2fd8bef00e0c7c02d1ba27883e1f111272d27b5acca841c048b

SHA512
2f724ad7100860c180da4c917758bdb8a2252517f9984bececae3959139b01f19dc0325cbdfb27bac9dbad06e4fa49c20057101e2d65b70ead699ce03f4453ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
30381fa82885f764f8016d6560c366ad

SHA1
fd30212ff2010f8cd09b529a9a84defe3ff9b368

SHA256
8fc9b86a73710e0ff3d6e6017f5d05ccc617dc591e2d45db5af59db9c0ee0b8d

SHA512
13d16dacdd3d32d0dc5e7f89c12be670bb1edd0afa2852b1d9b0bee7bf19e77c87770012677c57a12576e3e0c45190d68cc11d30dcaba275415526eac601f178

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
a8816fb8d770cb4bd90f0bc97a02db0a

SHA1
9a756cb0e767dccd9f9e325fd0168aba45536981

SHA256
3a8266286caecb16e9a377022404375d5b132c38dcfec8e176e38e5e5847febc

SHA512
b81028fe30e52cd0a52425a37d9ff048ff2e3c7c152df1154fef59b5db614e3182be56dbbd3a4220eec0b2d8559a97a093458853651090195349fee6dd954a81

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8ac2e775470b8b2337bc0addf433f236

SHA1
525ba88374fa390a3e0ed35247a19d9dd5197edd

SHA256
c27346511bf3307e9a2db1097a86a53cf37652758be93de97f87ff8607d6d75d

SHA512
c81879c20e6647cc2301c8c1289d8c28e3f52dd35d6ecc4b95a2c6bb19c8548334415b0c87ec2113e99c0492a1882358615663cb1ca265d11f0062aeaf5a3cb1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fa93df2a639668f554339d7dfbea4549

SHA1
d923a5a79a3688957ca2d8c816439b176435e0de

SHA256
72d5592e3972d1e786c901b8424c8e283461766e931b517ae6f6cb49beb721f4

SHA512
d86558b92a73930bbdb47d09750af4951894688467b29f26cf2c4afca0adc272e2e169456225ca6354774c11efd3404fc4b401279b7a0ee68e668a151e248106

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
1aaf647f1b2794c9b29ff747328938d5

SHA1
41bb18ab24341abd5ea9e05b433728607b153338

SHA256
9a22266ce8267a0531b115a91b9bfe94fa9317e924742d68c36076c214291e82

SHA512
b945c5709a35082f8748383ef2c3294f2d9a180a336579dbcfae954b4d7ab49093d00a578b68879f5b1968466649175dd81574b285cf02c4ea422a84ab9a8bae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
de5c91710c55e295c10d8fa3b417e163

SHA1
c852dc1de5758217b94c1193b49e7e8253be9a0c

SHA256
b7a4e6f9b39bf1e20592e6bdb5dc853bb0cf3f17c5568b4db8b2989673a7aa78

SHA512
f6db7072c977e0e99ecd8f7aaf343984000285d1e5612dc635a0994cd00771e07bfe01d1d2f073476a845167a5e272bb83bb9b3f57f7614a2799cac91a3f823c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
341670ff156069f04fb2ecff1664477f

SHA1
ad5887bd633e2c8c0c51034610303a591c30d4b4

SHA256
2b2957876223c321c9f68a1296aae90c4fc3cd3381306c5768aadd3072989fb1

SHA512
b15e89f3b911ca3e4fa422747732e1899a5c6eee366d98038b7e4b3741f01aa6559a50c59716a7dd8da2b7c041f56edddac61f79648d4b6c4db9191d23d3f390

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
c53fb513a9f5c774bfe8006708b439bb

SHA1
0ff80eed951fa5071abd609cfe4052c0a3ab2d58

SHA256
7206d4c9aaac21652bb63e5cbebcb06f0511b6f69fed5e168a68c9b9819c49b4

SHA512
eb17f6bc8f0ac2fcdda781a311298d4b11b301f466198279de1f457a3dfc6a77048a2b2cc6402905d475badde084013d0de9543830a101cf52eb37556e391efe

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
5d01b257d31d8630f658760cfc181a2e

SHA1
51df9324532b905116f521fbab5257d7c7146910

SHA256
ee8908ddc207c880456a8ba4aff3a7d11b978876e42ebb3831bdc468c8e1f373

SHA512
af5f3ab9916b4369d4ac655dbee61643fec0f5e006aca8e40bc059480e6243864fe6c55d11dc09a5cb5ada1b57c29a8546c3fc72d21b4f02e98cdd49fc27b2a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
aaad97722b885195e2d35d92d377ea2a

SHA1
d87ed7599a60186fab4b1bdd57da5cb93bf6be42

SHA256
bf50a9fa7ef15ebf1a2616c4d4a126e802785ca55d8714b596823ce29b6c6369

SHA512
4840adcceb5bde9d6f7a3ccea3e90c170e468e4fcaa25dcbf7238ecc853e3fe1aaca9cd79acecb80cc24d4f8296caa64c2b263d3213190f9bdc15d20f8009665

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
11377cd4fad6d4fe636a711ef284fdee

SHA1
22a6caf9b5e516c49e3a626a48424629f6a5bc5a

SHA256
2ac656489007a1b471a306f63cd4477ffbd77a208e428bdc3ad815d86f2e50d6

SHA512
5b54e5626e25b96867e8a80f4a85949b6b6e27cdad0c8a638eb18ae5736ddab47f659321ec15bc9acaacbffa989ab469863b766ee6c12b5ea127b83b786eaef9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
31c71b3f5a59beab54d0d6f688c48013

SHA1
568ff6072fb98944cff6b1cd55c5795882bd3427

SHA256
305614a6e5b8dd8d2d60ab9b2d6ad46233dd9e9dddcc737dcedce3b6545044d0

SHA512
8ebc95d1a0e936105007e33e34a2da414f366a0bf0ca2751fc299395e7fe05017f19d343a34e780d07543263a2e46ff86ce8bbb239851b323b6516de9299b3fc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
61921f37b2ffaf8b2e975a8ad5d3d9e0

SHA1
c059380fbdfbe3bfc9c8b499cba9eb6f7ae0688c

SHA256
79afee60e6dc0aca1d30c647d52bd0f9b57907a439ffdc180c045f218190a78b

SHA512
032a8174df797bed0d7794bb74329f6bed751e617af8f64085985477d89fd9e8b8ca31af11d9973a404f2a8600939504743877a1fc9cf2be0e3d6717b004577d

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
7a8d21b440f7e9223af5c22b67e7c183

SHA1
58b2f25e0669fde476123588cca142b37acf0cbf

SHA256
ac5cad1d31f4451300265784fdedf9d10f5e1f2a89e300b30e1eee02003e24a5

SHA512
29f372da36844ac06f1c1164d809955d6ff6f08ef6f0abd661304cd321849b77ae1aba82808b0b5f475daade3e0d40139a0bedfb79cd9939305ed2ebcbe12042

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
84b0a06fdeb63eb4ee90ef3b5f7d3a0d

SHA1
37fa4b462678cc7ef7e09151e872293cf2d9a53a

SHA256
0f7447a8ea9445ca3e3e1d0f064ffe301d140b1f6f7c166ab6ed02add8428a67

SHA512
e94a0240c1479ea559e767fecbf76c5c935ebecbd198e08ae13ef476f21a6904ec44334633776a4c47ad060c957cbf6049b7617897878c3610247bc5e436bc84

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ac2e6ebf6e11fd1b7e793da95e35cccd

SHA1
d3a2aa37cfcdd89acebb8549031854b873c53681

SHA256
fb2f0fa4f32788f3a813c33b0e13b63829cd22aed193e4572940ded32a833876

SHA512
338278c9df25422d081e146cb7500ae0068a1a04b5618b3afe3b38f31b372442488750172674fe97c2c335dfedf6fedc8fca27c8ed39539849de6aa4a6d3f88c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
617be3afa5e62f75525ea454098a6fe4

SHA1
5cd20501a094f229bfe34fe400f63926ade1be75

SHA256
21e14712767d1e4772b0257ba4d2fdf63200acb54341a81cb952338860b38258

SHA512
f89fd381382dbe219bdb2c1ff3ce68bb8f9e1df88036bb8e47ddb0c29e3cd32c2c09dadd62875e3d4034eb7999f843ec7deffcacf1c66d183ec09d5b9dcc7201

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3eb7f731f7babd5e65405f1a4ae399a4

SHA1
7124390e0855f32c5fc791c33eac3a1352994d63

SHA256
85e44bbfb237e9c6f805b0d576b8262037012802af001b3f5a27c9a014af8caf

SHA512
5ff3c99ba47ccb0dd70a0fa4acbf4dab99b86d77357ce5d38206f389cf0290835d740ad73ecbace79bb983ebc8edfd52640452836f2bf4a3dec462173d8fb28c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
04de658721674a86a41b4da4cc498bfc

SHA1
383cdb0e99d6a605f35288af92cdba2017d5e859

SHA256
45a4ce86a8aef484d667b5abdf015b9e24fc54c6f166db08bba837201c2c0c40

SHA512
84263eb55a3df3accd4762270e5079202161f343bb267c82e6cf9b7b8e1c8a86ab2c6aac9218adaba3f373d564987e984558c8d30c87ccac962091d3530aadf9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
dbe1c9f7ec88ac27889ad3f096519bcf

SHA1
24786e262247d81b3f4e3d455b38d3418dbc887f

SHA256
0179a8f7f1afeb4521da3ec62c3baf29d3e6f04e18fff7e529f1beb1aa345960

SHA512
c8ff29f30efd73fbf32a9bd446b760fe242feecad58e4d317be563d00c94f969ee4e40a972d7e947fc4264d2b56d323f7f9634e1986f0b7964d9b0380d4926af

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f9bff7095cc0a68fd28622dfa94341f0

SHA1
5bcea77d5eb9537ba0d390d36b43b5c8db90c092

SHA256
8e4bdd7245d0c2e93867be622370b5d872a6183502b62f6fb2b7632df00d2de7

SHA512
156746b02b39f7212d27f0aa277edf9ae64c6e89697327656449d1b9bb5887698510a0469944dd376b817c1a7a4955199ccbd3ec88986fd48765925c63f0ffbe

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dc407b70583239a5904deab043bdd5ca

SHA1
ecc07424b37b5972eb29a2d652f75b59a826f1e4

SHA256
7f1a0fa1623e1f8aadca1800c284bcf03372864a9da078efcffaf045a0137723

SHA512
207676230dee6605c56cef31868ae69ea6b314ebd97a3ad65404a08cb62a4753b2a55efffdcde6713c24b19b128b9562f0a5134eb2ff030b518205447ebbbe76

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
299ca96c9fcaa843aaa19ea86867b95d

SHA1
fa1c6b5208e2e444885ead435f0ff9eb50a25f46

SHA256
4a0ce0233bb98f29ced564b510c0fad00968f3a3b0e697ff03b98879b5e2e353

SHA512
d2d7273726e215428d9452e54d8893163e32e914e0adc5e787e8743eabc98563744df365b7516900b8800cc6f0f355a26f36314f0f0d669654120cf3011a7d24

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
ec0d8dd24db5a55c620498adf77f4ac8

SHA1
9520f0962f4de69131705270ae2bcd9552e0455c

SHA256
caaba7c9c4787724defebc54cb1f7e7c44c712a917b3c19d1bc108d4234d24da

SHA512
73aa1dc8cac1836013c1f676f1ada2f031f5747095be7f3c8f4d6f91a5f8c6ec549e3891ea7d0c581f6d83f63aa2c2eeac2d3066d295aad816f0711ab9aec5ce

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
ded21d27f5c6364d4eddb9bd256f1618

SHA1
8453fdeb23a1ea7fbfc8cff6258e27ff2d43575d

SHA256
a7e2cdcbb430f92cdecbf922de8929d9537583f72405c000c282163e42e78e01

SHA512
853f03978c9022bdea25baeb944b478b845835b865829475bf350b907442cb98df6f736e545299a0467375b53aad87d42c5a85db547033738d4b959d945157e3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b64e3e43b0e31ffa705f6b85b7110190

SHA1
20ac8acfbfb6a8a9f716eed1c93dacd6f051ed88

SHA256
7fd73969b8db0b3cdc06f812e4a99cd6cd3e21e3005bbac964e38d4a4759984a

SHA512
9c909054f3690beb67a0f18a70d35bc1f13c968aacb53daec180558dc621715531beac60e42f5847a72d42408f5e3d28ccc2f566d6b2e3ec8355022397bd5275

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
21a922f6ddf37ca790eab66e4e56cb5a

SHA1
bf360f24d731ecc1cb1decd92f89d0e339fff74d

SHA256
f8b034fa6e1e3ca2cc228c433538a3ceb5b95acf6b59cf075bfa695341cfc195

SHA512
2c839ced75d548ff6a9478d078d9fb3be87580cb3bfa035b9072a9592ad9c90a0b128fdde61c29cdffd09ff9440b0a2765241415b25c3c05b9be1c875ecb6caf

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
964f9c897f327032e2d0d2b418ef20e6

SHA1
3fb9f72bd30e7a4a4111610548907dec02173a43

SHA256
cfa3db41894679524c8c95aa93a8bdb580e58f87b65a9659efcbb5530c1b4076

SHA512
79307b1e309dd22a1a933dd2bf741506bf04b150babfb8ff00e81d6c94dccd392ce535ac1be1ad533ca44381840d7a426f9a0bf49716c65a5d55f836cd6c9f7f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
cc1b1a14b8c33051179021230166dc47

SHA1
0cc7d2a4f1541f9d8300a69f61fdee22331c1993

SHA256
89b9aa6c05f5ad9b3c40aaec3e556049f55693316bb18452b0ac6474deefa714

SHA512
a3b28cc3661bd61f55593b2854da57d912b58c3690288d53b1072a43ff86aac5579bbf6433dc66c2fc52ae05f7a05d36469ef637dc07381bf0951414fd5eb823

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c8b99da28faae1ab75170712343f7604

SHA1
33236ab9d3e0c06eb1959a3938551fa00f1d03ae

SHA256
dff3a67fada16fc751d699251c780ac9322097cb0959d3119f47dcb67e55a1c8

SHA512
3d9a14455740ecdbfd296fe063e259de404e68794fd3b7d7bf425bbf83fdb2d8f76fd30f96e44f238736ada437bac891a34a998cdb330c2d1b93684da245f72c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
48ee4f0e4fb1a4584050736817908807

SHA1
a05a5829d1d54683057d21282322251cfaf6673e

SHA256
90397c20da1b1096123a72ab29e4e8d09a5ed1e1327bdbcd0e05740fa3060534

SHA512
8c8417a69806718215e96cc007c4bfdb9637d08f15571ab5b1687ad2fab2e56e1795b4808a47a9a1ae78093ba94f104ee643b8d3e34d61625512d7a9496c6079

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
99dcb850839cb2e0b5a2f57a3e450e85

SHA1
cec89961c5342f412deaf33ca1ad66e5ad407c00

SHA256
71d17098aa4815a3a389942ac64334abfd2da510e814a74b7ddc0eaa4a61f44a

SHA512
bf978b7319afd59a47244bad91bbb6bf5a71cb7ec13c119161398ec6c41e5cc6b46c80c53b49345b9369a504e168f434cd71035c28ad64d3d03a3670d539788f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5247b6de8b8f1f65168f5a2a6915875c

SHA1
df747389d1569244b9063c7897f2ffe33e6c43ee

SHA256
d38c9d21df9f54c0c6c2809baf0f7e2cda61d0721de4b9586f28c1807b26d281

SHA512
900b0be50ded8ab095ce604939e0ef80f99330f0cff8a12f956d104c12ce33c38516838a035b887e1d4ae9a4969583865fbf601fecdebdc2a703f2052a2107b0

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
1afc27010ccbfe7359ba34f0b8bc284a

SHA1
8c82fac36827010ac9ba5dd2f441fa32a68ed408

SHA256
c0f73715ff28cd22135444209dc0302d43eef692640af6eb93aa37edfabf9a33

SHA512
08f3437bd02a31f6907ae8a2ef3dd488b1ebea9f21b7d2b015b5116dd125177afb029813e069b3bab255a9fcb9820f498eaf3acd76428ddbe7ff90f4210a1ca6

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
bdde01395b85d27d3b3c84535542f874

SHA1
318f92f0311e06f49731b10d9b1775bf5c94c21c

SHA256
e7494146a19d7d16524f3b9ee5930545044ddb911ce4da82d83bd796adc3167e

SHA512
043e012d40fc353e13b2d1c8fb515a876393810abe9339bff7217346153f85bd19225a00e691ca843771d7bae9fa1d33dd72cd260ca6b40f1d7905ceb81ce467

Download Submit
memory/64-532-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/64-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1008-245-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1008-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1152-482-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1152-160-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1576-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1576-72-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1576-442-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1576-1-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/1576-6-0x00000000008B0000-0x0000000000917000-memory.dmp

Filesize
412KB

Download
memory/1620-18-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1620-100-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1620-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1620-11-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1644-84-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1644-94-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1644-90-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/1724-43-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1724-38-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1724-48-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1724-45-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/1724-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1992-145-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1992-257-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2456-65-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2456-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2456-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2456-61-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3012-24-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3012-32-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3012-33-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/3012-115-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3188-542-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3188-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3204-171-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3204-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3204-56-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/3212-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3212-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3400-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3400-545-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3504-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3504-547-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3648-540-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3648-202-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3696-541-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3696-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3756-233-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3756-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3988-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-154-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3988-536-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4084-264-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4084-546-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4312-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4312-539-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4428-98-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4428-74-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/4428-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4428-80-0x0000000002290000-0x00000000022F0000-memory.dmp

Filesize
384KB

Download
memory/4624-221-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4624-101-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download