a31625b633c6bf80b6f9040a6278bd237706968e3f977907ef77f3d168e9b2f9

Analysis

max time kernel
119s
max time network
121s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83d71bb2969e713ce6c7f87b23dd97a0N.exe
Size

648KB
MD5

83d71bb2969e713ce6c7f87b23dd97a0
SHA1

4959c38b39853f496efdc5fdf3a83077cc37d349
SHA256

a31625b633c6bf80b6f9040a6278bd237706968e3f977907ef77f3d168e9b2f9
SHA512

8ee2947093522e05b5cb67e77127c7b18e58f3142d1a1da9979537490a04e44c2c57644ba74b3f4fd6f03147b9b291e9c8ce23241c4a91222c5b58cb1097fee8
SSDEEP

12288:8qz2DWUdCFCrNDFKYmKIiirRGW2phzrvXuayM1J3AAlrAf0d83QC0OXxcpGHMki:lz2DWn8NDFKYmKOF0zr31JwAlcR3QC0q

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4356	alg.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3876	fxssvc.exe
1488	elevation_service.exe
4244	elevation_service.exe
2412	maintenanceservice.exe
4028	msdtc.exe
3828	OSE.EXE
4304	PerceptionSimulationService.exe
3740	perfhost.exe
2912	locator.exe
3108	SensorDataService.exe
384	snmptrap.exe
3212	spectrum.exe
4228	ssh-agent.exe
4296	TieringEngineService.exe
1172	AgentService.exe
5028	vds.exe
1740	vssvc.exe
4772	wbengine.exe
4740	WmiApSrv.exe
2556	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\System32\vds.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\9edf20544521e136.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\system32\locator.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\javaws.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79125\java.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	83d71bb2969e713ce6c7f87b23dd97a0N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000220ab894acf0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000220ab894acf0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002ed09d94acf0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000090bda994acf0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000dcfdb94acf0da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060ccfa94acf0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e6e9b94acf0da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000033a8b594acf0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000082a7d494acf0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e6174795acf0da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3464	DiagnosticsHub.StandardCollector.Service.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3464	DiagnosticsHub.StandardCollector.Service.exe
3464	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	752	83d71bb2969e713ce6c7f87b23dd97a0N.exe
Token: SeAuditPrivilege	3876	fxssvc.exe
Token: SeRestorePrivilege	4296	TieringEngineService.exe
Token: SeManageVolumePrivilege	4296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1172	AgentService.exe
Token: SeBackupPrivilege	1740	vssvc.exe
Token: SeRestorePrivilege	1740	vssvc.exe
Token: SeAuditPrivilege	1740	vssvc.exe
Token: SeBackupPrivilege	4772	wbengine.exe
Token: SeRestorePrivilege	4772	wbengine.exe
Token: SeSecurityPrivilege	4772	wbengine.exe
Token: 33	2556	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2556	SearchIndexer.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	4356	alg.exe
Token: SeDebugPrivilege	3464	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2620	2556	SearchIndexer.exe	111
PID 2556 wrote to memory of 2620	2556	SearchIndexer.exe	111
PID 2556 wrote to memory of 2416	2556	SearchIndexer.exe	112
PID 2556 wrote to memory of 2416	2556	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\83d71bb2969e713ce6c7f87b23dd97a0N.exe
"C:\Users\Admin\AppData\Local\Temp\83d71bb2969e713ce6c7f87b23dd97a0N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4356

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3196

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4244

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4028

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3828

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4304

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3740

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2912

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3108

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:384

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3212

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4228

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5028

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:316

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4772

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2620
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 908 916 924 8192 920 904
  2⤵
  - Modifies data under HKEY_USERS
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e9b16cc05dc4a04fc4c902bd67fc2593

SHA1
58069592672bcb4339264393998eb63393da0d8a

SHA256
92afbe7dfacf3a3142a47d314859c10e05f604415ca3fd505960cc206e1fc5df

SHA512
335c22ecb9b7ed17134950c56f22806d36a3703d31984b0ebf619efe9bdb994172408a76306a6d5c0336fe43638af7c4c2f8bc20cc91efe16f960a6e78450d4e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
3e5a7a711093e8a1eb72c3ee400fc304

SHA1
3041bb411bd8ab2948da6e0d190cfe30de5a0d0b

SHA256
4355db7caa7f85e16bd0ddbc0040b2401aa31d666ffe145debc98441ec83f898

SHA512
d9e3c01fe7fddf450faf1e00ae7504ce8014df8783e0adb8962db90e791df9aa6b56e990ec9a06ef7f4442fa986f49d3e5b3586942fd69b30b42befd64f13222

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
a6ee0a00c3f5c799bfc1db3a6ae8df83

SHA1
043b33cb02e7dc91a9d1e42f2e596bf4bf49a97e

SHA256
59b6b797562ac3d1d4ebd64ef13ca5c9d3d9caa40e6452d7a0000bee18a17e9a

SHA512
a35bc9a80a9656325074c7c88e68b47c4e42ca5efe1c340897a2cd776b3b2bd697b21889864cea1438a87c885b9ffc537747bf80aff15c14f58dc9d3263816ed

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
29cb874e4622b7b1a36d1fe6e872f213

SHA1
08a90a4ce15fefa79c1dd594d3b29ab588547a24

SHA256
3d54f48d52e8484828ced581cf0d4f4b1f6ed145b5ae72ead2b182ee3ffa3a74

SHA512
04a095a4ec7dc9f6d4778a24650432f090c6552d80c46149436451f3a9d324fd36117e1e1f800ab45ee814a4cf110bba4c23935a96edb3971b84397cdc29e921

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
25b31bfae7b0e281257e2770ed15429b

SHA1
f9772ace83169df392475fb147d78c191a63d0dd

SHA256
13036d318252198417f4ddf4a5ffbc6f82a8d87c2b1ee2e549f71520aed4fb57

SHA512
cd80af604a2258063a798e38e94435dcad790bbd0a1c030c0829e03407ddea401f8fc9388d6b47bfb5bd4d1782b0d5009cd54cc966e0bebc0dd1b90b1beb7ade

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
126f73fb0fd94c64d47ad98a985a917a

SHA1
8b9216e4cf782467b925a7e5693386050ba8002c

SHA256
2f0c2aad2f9eccb5224c45355b1fcdddbff5dbcf60bde82de0d1d59c01e04ca0

SHA512
ff400022f3abbc37de0c3e3e6b71033906b9917a0e9983863335a899c2e033da9da8669c198eb124d28ec6a1fbf672e0a182c95923f3ed3b80d807f9b762975d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
040f4101bdbf396060fbe7aef744c818

SHA1
53c9f1bc2dbf489f37db0b00eb187349bd9af3ba

SHA256
d5d4c9bb7aad2acc4ce4d04d6b3ca73e64afb162bcabc12c7be423b89a48e168

SHA512
579708dc93d8302cc180f0e475697bf0c311ef6861d7806a8b09b5180719fc6853dce02844700649cc25d72cac07ff04f926777b126fe30170fdebc23876ffe0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ee9b319b2f7844293af1d1167c6860e2

SHA1
2deb27f96e5dfc50e257d19ff00635dd6689c253

SHA256
77eeb6ae1f03065a5e085377242f43c665a7e9caaf2f7d9633bd49e38e5c14ac

SHA512
a4bca65c8b25b59677ab800c6f7214fbebf2e9f5a703848538f7805bfb494bddaadd0ea77b6de5f14fd557db0cf005ce35ff78af2ca50444041d0e40c141d4a0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
826a862ef608bbcc98714663d15f866c

SHA1
366bbfedd46a8ab23fcf035cbf3328c2159c6b82

SHA256
04fdbf27e6344fb126dc34e3c7325e083f7440bf55a23296e7a90d225e0969e3

SHA512
6dcaa45a47479d9bc0b45ba342b0ec8bc069476a786af9117c5c0a7c06fb12c1f58ff2078a17d888f9c658af16f7c620cb643f5bbfb72fc66b0ea33895b02c33

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
e1e855ce959d9839bef143a9a8809b7a

SHA1
7b055f8d33796e80a2a5a9dcf608b4ed0e0439c7

SHA256
77881d34fe33fdd32fc598c7acf94b7a6ec7d219118f1ab3c4e79cf0099416bd

SHA512
7ff8452c06f5dbcd6a4e21ab40b611e6d7059a8d16f80cdebaea725662a70af4d3f5e768104f007dd711076676f9679e1d9e29e3b50570f84009e676b7c81cab

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c2390ee0698a1c8bc34c6652f969fd2c

SHA1
e999b1234a85cb382d4dcd4ef08c0f928600606c

SHA256
2a6b06e75fa6061acfc36b664ec2085317401da691d79025b47aee2e11c8a076

SHA512
144537c172a967167b9eb9e6a932f297be9bde76bff342cabd3ab1632d8f0cf0f94a56c80bd9af655f12ba8f5c852ddbc29472d8d3f7dbbb982bb050c7bbe0b0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1196551dd6269150d7dae535bb361bc2

SHA1
0d3d8dc8cb7f2575e90a144dfbe54f18d1ec47bd

SHA256
bb22c3a6f305c4dd54d5cab06210000dad5ebc2abc4d3b0e49d8f1a01addd3f2

SHA512
326e21febd4a6758cf6758104d6319bb492d0fc344832b717257fb58f858226d1c0d89d03b1f7ffc449d8cbcf0593f5f5f494894e6a8dc061a7915fd570ee175

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
94489de9b361230ed3c5e9641481a948

SHA1
9aadeb78e8b77813585fd1490f41f3b8913a7edb

SHA256
d1992f25ad89960a932703b8eb2e5396c80fb4dd5bc656e9e29431c8e8bfde90

SHA512
7ccc5cd47d95f086222afb67bc629449ae2219aeebcbb2b03313869751d5a6c65efba5dc26f93c0fd4248d40b5fb5a5d5b0ea0b530c883f1bad0f29e6111c956

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
17b608c51253851fcf74142ca7439753

SHA1
6b01be4cb47a6b71198b0ddfbb21a40d0ebaf37d

SHA256
c153e80eaf420e28472db3fed1dd6d0755d11028079af2f8b26d6ac38969f84e

SHA512
632edde4e177999cf1c7273dcf2a376c47ab09206bb8c8ccab560294a73afb4e1796d40d36d30deb0b2d0389120035e21b5e15ba0131ad69ad70aa93c327a996

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
5e12a2f15dd7f4a714b187014a41cc6a

SHA1
2385e552647640ce476a616ed1c8977faed1d494

SHA256
d16ed5e3a8c4c6acc2878b0b5af97322d31362d15a7d03a047d02648aea3ecb1

SHA512
343cc32056252ee59798fe8edde4286c0461c3d8c52ad222e7a90d6b73fe520b33910dd8c1ed2d5f2dcbf87d556231b470ce96eaf2b2be837e3d2c7907a900ca

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3ba70983ff86f247de0bdbc445d9e94d

SHA1
558b2ec1ffcf43d69aaa207770c37893d8edf497

SHA256
d1e8c5b52378fba0f12e3f0536272a6ab27b9c8c31c76bffc932519c9febe471

SHA512
a934e484487d10bad2100e8b7908e81d21fa9799c0f12474dd4c8d17f12fa2feaeae7ad81ab1304977ebd2b889968ab8626e72622093bb091ffc059f9ba03db6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ef25bda1a2a19d1f9b018ac85f723ff0

SHA1
193b608fcc7b255e98ee99dc6846a81f92b1664c

SHA256
8d4897baaff0c18c09646c7ea04dab23f599abc9e3df9c86de1f28adeb7f36f0

SHA512
a2318a5cc4ac220472561c5f1b8caf437015e489a6050327f8ff14345bd6f4119dec0f621ef2e31cb7cb99a1d383a56098373e5a75b58cd031df7fe8092c4af5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
7bdc20f0b1b91f77326e8e50bff0f619

SHA1
8f31b39d322a42027d8031738edb25836c79267c

SHA256
2f863d107c5f4f8361a7ee25575953dfc2b589517fe3d8957b7d6de7ade9ba00

SHA512
45903f184064dfca47c45b335164df75f582b0b9626a557be70ffa7abd6bb9f2b76f498b9e145a0004c30484eabd9f4fc6315202c10f1f42f35516ae199bdc3f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
c75297ecaa60d7a3a726424c9deb6f25

SHA1
57b64e21f85c3e307247fa82234e94e7e37d267e

SHA256
0a0dcd6194a27b6617cb034c1ae4f05163188436089def2d95b524544e34d64b

SHA512
a8fa2bfe778e771be66177ee44fa607d190b31e99492cf56f7259c420b706c35e45783a7658f92b458e70f181d2c79be28e9b8e58d3db3486ac4276a142267f2

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3535c0f6c0ce3d551b3684e446af9b36

SHA1
17a4e22d2cd99a903d95c38b65f82b0e095896e9

SHA256
a7f8c3392f718e1d2ccfa84dc9738195fd6cc2664b2ac6af9f440ef838ef97e3

SHA512
a61cde6ef6c46ddebc61b3e1ace5c6d4f875a12dd2f35b8e8269d936956b70546c3f9c6f554c370ae9d38cf20597179caf20a1a994bc484698e7ab541b9823aa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
0b58f388b1395d563789bb97b662bcda

SHA1
ac5f14be8c72a54fb0ed41541ccd36b693be9da6

SHA256
88a69d11cfe330cc7c430cb5ca84044028324748cd81ac522baf679ac85bbe93

SHA512
8b54b890aefa94db0a815bcb685715b92ffd35f43ed4d7bee7283ac618d4fa3fa1e1f52f0f9a441ba7c17515028c68d8f1ee86dae5d074c789e45b778169d92a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e3b33bd3391d6a24d751cf2391937d52

SHA1
5e0cae9d562f2c3a014d3c6c62f0133f9edafab6

SHA256
9893882dd24396b4f7ee24620fb95169feb9b5464daed0f2f4047749ec14ebf1

SHA512
8d5948d70bc2e2fbcf8afeb9a21ec97c8b2bd0e714789396e645f39d649a28d2cd4a7e3eceb9cb02d63f5293cdb4e6be7ad9a914897150995949c62901d910b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
6a6bfc99ffc4d16130e0c4ae8c172618

SHA1
1f05e1805ee9bdd9044dfa8f452eb2ebc4079fbe

SHA256
b46f48c8d73ec55c25bea1e2957c2a657ee65733afb7093796454b24d860475a

SHA512
c21e5f8328a233424f1ed359f935b9379ff6573f402a2ab4396fb592a4d9eb5f7d2a269272632a19700c0b11effd43a887c22b6822328dce4b899a1d40de92b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
ce6ab76d7b8d0fd93e1916b1c90240f5

SHA1
c06abc5fda9653f4ddb5f275d6b18f2273be5b24

SHA256
96f670768cdb98961eb17d4aed9a0564b7199be014de78f0dcef8f855ee3be27

SHA512
adc294a15a8b89b9edcf2213799196601622af5828c3d7064a0bcb54d43e29f74cec11faad05121c675f37545df93437d738ef29bfd68f9ae24ef98db0711e97

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
ecb0fca94d4a602346690254d53beec6

SHA1
046b2026eb707117c4de46bce2b9659a73a326a4

SHA256
aad520d3bd3ca621f27850950553a72d7ab2c88c6170fc93ef0dd936d60aef0a

SHA512
d55fe3979c30c5b5b8f0e81a096fe90ca54011426372cbc19ce4211d256a036b4de16a577dcda4b528d37fdac26c014446e8a43bcf0682f82bab02beea6e36ef

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
6ab034da86a771a5dd66d19f9ba2065e

SHA1
b288c96b2583f3a1169099195abed9a60253556a

SHA256
2dc728468f9049e4c2b0ce68118e397987b8bb86e88dbf9a62dfcd73122cfd4a

SHA512
0a5d8dbff171bf5059bc189190fc56f6086ad929b4fe3f59bc62bce2997124ecfa5cb97990a334bd0466b9d09da9f1d403b07ca6a20a7441d9d483eabddbfc49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
dd930c5d6013bb7aebd46fbad8f1935b

SHA1
5031792a16e25ba4823cfa2a699606cc3bc46012

SHA256
704cb26f459c3dfc6d46361dae162396e56d7457bd318eb0fabff6e9fd9eb509

SHA512
fb99070718f8cb2e6db6d9218ca1aeeb646fa75eb8cf7031bb0091193cbf856c0e65078710f4025a07243a8cccebd7eb524759e6f5d1a48bc1880667e9809a67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
0a2837cd255d765d5fa18e1b657fa038

SHA1
22a0cedf1e2cc6f43adb9c2c894fc0595632a807

SHA256
ad863467c21a1984a724aaaa4f61da4bf5fd82a87836c8c774388911a1c4ba2d

SHA512
f7d8430386375de7930718b6786902a45837e7bc3de571f4d13a4f671d8b056bbc411a645cbb27395066e1b6eab9f666681ab1892c8a3170e09b76819953bafd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
ecd2b01bf7d83c208755c90bede9216d

SHA1
50e5f73073d60347d34e0ca8e25830c28241ae44

SHA256
f988c692a285727eb20764f09d1a95b5d98c349ba38f8352e5a79bfee132b247

SHA512
98543875f000f8ab5bfcc309243d62203f896c8b79d15f0490e3d11f02f4970d701853928e7608ce5f22cac4f74ae27d6dbc11e19174fad99adc5a1e8b0ec328

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e38229ccc8ac4180997253457968071a

SHA1
e8dce8f14bd52af17e0601c6d00adb1535693624

SHA256
12ec0bb2b69613c94977558136aa264d594c732392782406018510f85b741ff6

SHA512
e862ec08b4b890d05cf4a5ca9c5088d1ae305700cba69290822a9fb3beb28010f05b7587afce9d38a9c01af65be3272e710ee79bde9dd1a195cfc852e41eadaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
7592a274b082dc6807fe630b855dd437

SHA1
86f33f2cd8af52adf79e32d2efa3e684579d417e

SHA256
07e8303794d46be59886fbeff00553a573f1bce7a5911242b016d0a025b3a9e1

SHA512
5e37bdd89607ee1917d47e9c6159efe34e3af108255c6d4abcdcfb941ae4ec21dbd87f560df328b8cd0933495b831fb32d6d6803777d3b27d8f0d997fe4998ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
c95a197a6ce56dcaa99bde39ce8048f9

SHA1
c5766119837ad596e2c66d74dd8f28062da86514

SHA256
4a2422cce29569fa31306ce23c50b3f1024965ba7e670f0ecadffb0f886da097

SHA512
f0c5d8ca728e56419603e831defb18eca26f792b7d3c48a846b40085e39c4da81ab1595c32648619ecd524b8e55855fb505b10d98469516f957375406b2345a7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
5b96f7e266add4bbc77fc7faeb947e0f

SHA1
5996bb3f92208c645772582424a14d10264fc10e

SHA256
a4fe6016030c9671ab0372a4bc2237ab1efa2d01f58196b0d771e39550ba605b

SHA512
ab7c7ca7ad626b8d65c9847f0e11270201fcb168688ec6705b60d8bbbcf7106dda8b5e1e630c58454b15390bea71fb598630554ca364f5ad20cfc0a0bb433dd7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
f19765ecb667770d7fdde6658444dc01

SHA1
be91d347eb7d931165b9ae10058f36cbf4a3d4bc

SHA256
330dce56e5db9e6639685e881b562c01de4febfbdc52896d8c86f0aa96537fa2

SHA512
7a0f6ca94da1845606c6c3a97138e4e3a398c7ff7eee1a04951278e53c6b3f858e7dad8038048e9a01cb84125b59890129c132f7a9c272ad8598e351e180d660

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
748cb9e5578fb97302852c279aa264fa

SHA1
263c9f51bbde377cb02bfaacdd23ae051b2b0fc5

SHA256
2a78ff4d58c335a7ba7cb7c5853c4a6afef2d0952aa8f20a86df415ae65286b2

SHA512
67539d2878f714b0eeac8a40ef4a9c1d81f2cfc484d57cabaa8444bf5c1caed213b3d871c0b9918d105b725e91e0ab973b561dce761b0e65c96b551d5403e960

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
8228b2a6a29d4d8c42417097787de1fd

SHA1
7b67f99b88d24c91a34750e45c28eaf5b13be9f1

SHA256
ed594c03bae1e054e71a5aef3510a806c6ceaf73191d17b31b053360bd42b333

SHA512
1d07e3003b95f7d07c15d76b042475e3341634dfb31c5f603212c9cf9054334d244857ae96e006a6086ba16bb3fa1a4cf28daf202e9315b5fd57f07acf49dc01

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
8039b95236dd9686ac9de8ff611c6da8

SHA1
b9a5caacb4977e94e638a6d4792e3086d75dd7df

SHA256
4577a88636dd7b95e6e154074de217ca213fd14e7fa7f51533241b8b9e01348f

SHA512
65e7758216aa4ebb3164b02885b212bcb7ff617c1bdc003c7e349cf550b0c74761a6ea4885cd861c070dc311876efb9b9552e6a63b72be67b7f38aada390e915

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
48c258c67c09df00e7370be9f305d69c

SHA1
9958a2c6635091591d54fde80188d84e9f215ae3

SHA256
253e392259e8777123529f8b3ca8e31c4c689da749c676e29c79f75fe19b5f38

SHA512
c33963c408ef5f664e84dc0a40325674734eb5baef5ff7ffea3f2f69600b792e1cee6f36c0f692954ede01354170dcc634910cc12ff6b1a10f9d50fe3d4635c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
4abdb198c381eeeb2175cf199c205122

SHA1
77b2557a7d230ebef2ce2f8122538799b30b185e

SHA256
08b0bb52527f19435d632a0b16c5428d0df6742320d091452ee01da8f39260e9

SHA512
b5f1a6adfaf3af2c22010978c25deac3592972ae520b2c20d0eb22fb727e041a71ff2cf7cc1e91a0322337c6a86932094cc0632c0c988981c899237b9cd3c41d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
9b0415e74d50dbaa46cdc8d97f0cf792

SHA1
6d9c46e5fd4a760060e6119027014e6dd9bbd89e

SHA256
c81b0e381b1180272a356766c06f334171fe55148b580bdd5faa5dd0289aad03

SHA512
4c8588c74d887cfc0eaa9662866abc24d7100adb62ee85b654f7731ff26e0e57a9c12a6bd361694463f76973a6e7d06417f8ca335e69a94c149ee3078e2ca49a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6ae1660b0985782b556b0781050e31b7

SHA1
05117ee2e5a7f3656423b54868b6f553b8f34061

SHA256
b0759b99ce79d2423ba761e73c4edeb34f2d6c683ecd9d1d5a04ad97059ad539

SHA512
7c7c26ac195ba19f60ce4f8d8cfd1344adf94a7706df74223cd4470dfc8332b8f1b676e08048e45a50a150c182d3ec67bf5dd3dc4030ab2374e470ae9a776378

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
cc64beec5fa1d08344037bb93ef5ee7f

SHA1
15088c40957e80c50a4e41a797dafc305793e596

SHA256
ef114d69ee2d30aad5396178cac7b78349f8849034934f4244b0a9f1782c5f8c

SHA512
f00707878faf91873a4ca0145663baea5ee7cb62951d88d9b52d00d35a608a3385817fa41196dfac1cf6406c22d9fa5af31a3dbb807684ea8bcef64c1118a67b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
77a9d7670b5166e63c65746967a87b5a

SHA1
c61b97086c86e591f920e00aeeb6f82b3e4c6aa0

SHA256
646daf31fae11c2b36e4cf6a4618da556c06d00eaed96f6fd09b277557d2d8c3

SHA512
05569ce7e0fa3e34c508e0b5cfa9e7ea29b0bb238109164da38b7ee82317de53b9052ca325206f3a57ab2d135725f418df2c9aa4ba04610dbbcea4ede1fa2f8b

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d16dbcc57f7ff69c392e354e27ddd78b

SHA1
267bc7e81366c5d718481a55078e6101dd2047f3

SHA256
d3b6705bcf840b0bdd802fb8e46d7904eb725d9aaab14b5dad19652e8dfda36a

SHA512
d16345ff94767875bc90f704188ba3c9e73e3e4ec7a21cb05286b9e6a8c676b8f4367a049c1c57c7069f0e9c9fb7f2505f1a688b13331e89f0c72a9841bc42ca

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
a4704606da8af5c2a2b8604ab1a18c27

SHA1
7f5ac7ad0e220a29f488ef4d952aae248c821bc9

SHA256
064144f8c464a9fcd69120aa525aac1b17df2538ee3f6508feb37e6a93b8520d

SHA512
f78ca47c020f64f9464b856ec2dcee0d3353d1c6eacdf4cc478393b068ecc47f875197fd3f1ffdb559b6ae385b63ffd2bef1cc6460997404fdb8137513a603c8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
b18dad53c2152ee7d044f07c34da9db2

SHA1
1d39dcc842c5a6a381e698b4a83d35c454c31eb2

SHA256
981ca769ce0da28721d9954a9ae393fe3d2bd886fbf8c225ea62719da988fd7d

SHA512
acc306d068a74e5e799e3e52f84c82ab94eecb5a827850d4c05b86d0f080fc87f7cff23db9e088881bf930b729cc9e43471a669bbc700c49a9c44b19bfaa82a9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
01a65258bd864b0cd6a7b3e23bce499f

SHA1
bf11d40f34200f958689880eb026ad9d857ed9f6

SHA256
ad1dce95390ccc274ff2e33db75b056e9bf50741d38574885b37037dfbe70ee0

SHA512
d5b767db285586c724d0dd921a895df3a9a7406c1f39db49a351e8ec948a6de92be1ccb5432cefea9712af1245809e11aaf64975f1784a36165ed7fc6c1ffa92

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
e6d14e181e2898aeae15813bfebf1753

SHA1
9d7f9cb5ffdffeb3252b6b90ee02ee7ca59243cb

SHA256
4bb641618c4499466ccd666ed1fa6ecc1ca99376d46bfe5acbc1b5cd704037c2

SHA512
989818152c6f4a61291d3aabb0ffe1b590cee7f52224286645b093a24dcb59388868f89f091088823fb4c7b413f9361245e7d3cfa973906d77ab90969c97b348

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e3677b13fbbea25f10c70d24ded1d3f8

SHA1
bcd1c0fd0a4dd70508886446cffc41a648b66ee0

SHA256
4b133cad047c21d939651477502d16b353b2f60ccbc1477421167c60d089fa6d

SHA512
063ad8359679f00234c8f6a59539dd5992551bd7e0b768d77e715aa776a17ede7462d7840cc1f0224896badb0ff17002117e6d88d1cb8b27db98c93ccc8a974d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
72b86976a2edfba5b886d1eb2ae8f6e5

SHA1
3c55908cbc87bfa51f154ebe23820fdc1df2a8c6

SHA256
27d0f5587751fed06f03d0db73226d520504dd4ddbb97a748acb21c42396a21c

SHA512
2e9d44f51a87291c498a4d475b17798d814f158ce18dbc2f6344c81f2fe5c75d3844b4f556bdb639f6f9781d8c482a4a1b9e8be071cc280f88e4e28fb492ec4f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
8f58c7210e25fcfbd05d0530378bc9fd

SHA1
0a95d6fffc941a5d0d6561a71e95263143bcd2ce

SHA256
61d2ce1e2580958dff667a5f64b69b9131de192948b5fb63094573c500588d8d

SHA512
c16bdfc8a7e7416b81dca7ccb6371c89f6ca1e04f3febe67794ca8f4b529e4b6042399fd990e73b33576ba6585c20ca7f9bc692a7ee331582ef579b3ae7b4d5f

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4e189e1d51eb0f5486eaee1798b853c5

SHA1
29b98feabad9d80e776f53c7e0304228f446714a

SHA256
6180ef78e5660c46456c408b6003ac24405a7d5b405a3c807d81fbfb4312947d

SHA512
3f7466d1c2adf418d96eca4f8f80047cae01570799ff326d822a097628a289a7f5029344b7de299cbc43304f2f0744b515b922148c835f59b7d0f8dc5542e455

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
2b3f7353f866d3c1513d80cc3e7fa481

SHA1
6aa1bf8488c48726d07eac7daea6fb36f42dcec4

SHA256
8e9df95cf143da47c8699476793e0559a697b35b97e6c3fea91278258b44e039

SHA512
092b782008ba7f42df42171afe36dbf88283db33e2fe9efffbed50ab0efd4ece0e4ab95b78e0503c5b624eebf1c90f18f5dbc55d8bf380c7ecb2abe1a949d177

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
b7d12f4e6f0b88ac3873c518d4842101

SHA1
580764f53edb41c654f856b6ac179d09e9de5803

SHA256
1077140eb52cbac43e25b756dd2ce90a0dc10543cca4f507096727feccf951ba

SHA512
2d3623ad5567e59726d3b2608c72850299eab4e30c40728dc4c81d2b90e396472e8a5d34f95ef957fc56058aa7d135a68afa18761a3088094e82ab6b8f84658c

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
92d4bccfac3962ccba9525e5ebc30315

SHA1
6989ed21355c79a8a3818686a12066cd4126bab0

SHA256
feabde106acc3e525cd5feb5737e7d9843ab79367a5c08d085a489d73ddc7ab6

SHA512
6d84c1199a87f64f54a2840a35db190a29f7ba898c8b39bab50d6b60a71139c1458da889fc0c767d201d9954c234709e01ae39826f853bd0fea64eb0c90d3c13

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
10b1fc29d1ba9ddf2528064bc3bfc70d

SHA1
06bb3a823e826779d94c49202cb41e25cb3574c5

SHA256
d88d85711a1f63ad43b8becf40ae337d81956e3f9ba406fadbe90c5d06d57340

SHA512
ac249cedbc8cb0fe153f56ba9cb7cc44c0d8975e81f92c9921a8916a5f3595ae2e8888a394ab793e61844b5c807fa57b9f46e0388fde554cef1ea0b068ad0be1

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
ee6270897aef2b8269f37a2e66acb2f7

SHA1
acb6f1ba71f30da766dbc40b293a08a0b31ad372

SHA256
c099031d14db811c0b95d524be9cbbda54a6b8e22c8230c00404cf10241841e7

SHA512
639ca9567eecf2d5d92d10a9048e67dfb6def4048d530fb397c59668bffbcba13c8d02ecafa9027f6f802a0e12962ae0d4c5db6daefa51c9e1f0a903a8999f63

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
afb0c0da64f0cfe5248f3a7217a96565

SHA1
e83bac856dbba6cee3cdcde738abf7ad09b96008

SHA256
6abdd9b3a9189a6c5e4874531e9c25b2f79043daf292e117da9ca9fbbf87d22e

SHA512
81674c0b173e430d13d33c0a5e43758e405b94a4c0a8965b582a6370382cfc9dfde468f8702fd514e978e02ead5f2a2043eb74cd64c941ffe019fc736489e5bb

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
39c23822e42b9cd71858e2aa822bb409

SHA1
9bf83ee335f933498f3e12935f9c58617d2f1609

SHA256
a71adc83558662b493d46b33ec6c237f0e14aa2cff96f305e6067fa634cbc653

SHA512
f19294f97aa798b8c839a7c7807faed6d7e1dbfb0d21cfed8f12b05e7db53b1d56d7cbdd2b8877bfe119a336d3548b3d9172c39f17875c363c19dbc04aa96217

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
93d43a767b1f70ccff1739849132f18b

SHA1
37acc0a8f307f405f289b71d4e14b888f32b0980

SHA256
3d78fd95d960eb53926770b84bd1425eb2f48e687fb97c9e8d3080db3ae6651f

SHA512
907d392685e40423d395d99faebb0323040f8e0f3921cda59cc4c5b71f936585a39b2659a861a84ccb4dd6ef4a92ba3b64b5db426878bc53eb6e6225baeeb36e

Download Submit
memory/384-171-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/384-326-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/752-1-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/752-582-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/752-83-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/752-581-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/752-9-0x00000000008A0000-0x0000000000900000-memory.dmp

Filesize
384KB

Download
memory/752-0-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/1172-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1172-218-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1488-50-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1488-56-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/1488-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1488-182-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1740-236-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1740-633-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2412-88-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2412-84-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2412-75-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2412-81-0x0000000001AA0000-0x0000000001B00000-memory.dmp

Filesize
384KB

Download
memory/2412-90-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2556-288-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2556-644-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2912-149-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2912-268-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3108-286-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3108-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3108-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3212-443-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3212-183-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3464-36-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3464-27-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3464-129-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3464-35-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3740-130-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3740-255-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3828-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3828-232-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3876-46-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3876-60-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3876-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3876-40-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3876-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4028-91-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4028-101-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4228-197-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4228-472-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4244-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4244-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4244-72-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4244-196-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4296-474-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4296-208-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4304-124-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4304-235-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4356-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4356-24-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4356-14-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4356-103-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4740-269-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4740-643-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4772-256-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4772-639-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5028-529-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5028-233-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download