43279195deb2632f10a5fdc742538af4e3d5c7e9354fc76d6b2d39e880b8f096

Analysis

max time kernel
117s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f411335b90a998cb1ba0483680ed3e90N.exe
Size

1.5MB
MD5

f411335b90a998cb1ba0483680ed3e90
SHA1

69a5e902399b1e2168b2151cefe151c8f758868d
SHA256

43279195deb2632f10a5fdc742538af4e3d5c7e9354fc76d6b2d39e880b8f096
SHA512

8c7a1a4981eab076b9832f8e8ba3e5d050bd99d621c02d3ccf8603038e939118073ba6627e1fd72b01e53adbd04422a4752eee6bcd2fc8a94026b09a8293b6da
SSDEEP

12288:Jj9OGmCd0Un0pIYwHg0PXhKQ8rh9gMrufZBDpgAgDP2HotY:F493U0XwHg8wv9aTHgiI

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1520	alg.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3400	fxssvc.exe
2836	elevation_service.exe
1240	elevation_service.exe
4784	maintenanceservice.exe
1996	msdtc.exe
1280	OSE.EXE
3636	PerceptionSimulationService.exe
2828	perfhost.exe
884	locator.exe
2840	SensorDataService.exe
1224	snmptrap.exe
2936	spectrum.exe
3980	ssh-agent.exe
1232	TieringEngineService.exe
3468	AgentService.exe
4652	vds.exe
4868	vssvc.exe
1604	wbengine.exe
380	WmiApSrv.exe
4636	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\System32\vds.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4d21593089816891.bin	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f411335b90a998cb1ba0483680ed3e90N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\LimitDeny.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A1342620-C3E7-48E4-A8CA-2B9DD9AE1E3F}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f411335b90a998cb1ba0483680ed3e90N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f411335b90a998cb1ba0483680ed3e90N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c836f8135f3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b208c8135f3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000024828e8135f3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016ef038435f3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f396828135f3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000002e84158335f3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000062e9d98235f3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ccab578135f3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b934808135f3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3600	DiagnosticsHub.StandardCollector.Service.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3600	DiagnosticsHub.StandardCollector.Service.exe
3600	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2820	f411335b90a998cb1ba0483680ed3e90N.exe
Token: SeAuditPrivilege	3400	fxssvc.exe
Token: SeRestorePrivilege	1232	TieringEngineService.exe
Token: SeManageVolumePrivilege	1232	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3468	AgentService.exe
Token: SeBackupPrivilege	4868	vssvc.exe
Token: SeRestorePrivilege	4868	vssvc.exe
Token: SeAuditPrivilege	4868	vssvc.exe
Token: SeBackupPrivilege	1604	wbengine.exe
Token: SeRestorePrivilege	1604	wbengine.exe
Token: SeSecurityPrivilege	1604	wbengine.exe
Token: 33	4636	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4636	SearchIndexer.exe
Token: SeDebugPrivilege	1520	alg.exe
Token: SeDebugPrivilege	1520	alg.exe
Token: SeDebugPrivilege	1520	alg.exe
Token: SeDebugPrivilege	3600	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 3732	4636	SearchIndexer.exe	117
PID 4636 wrote to memory of 3732	4636	SearchIndexer.exe	117
PID 4636 wrote to memory of 4516	4636	SearchIndexer.exe	118
PID 4636 wrote to memory of 4516	4636	SearchIndexer.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f411335b90a998cb1ba0483680ed3e90N.exe
"C:\Users\Admin\AppData\Local\Temp\f411335b90a998cb1ba0483680ed3e90N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4452

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1240

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4784

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1996

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1280

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:884

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2840

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1224

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:908

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3980

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1232

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4868

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3732
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
2841fc2d6d3528cd90e1f4371acbfab8

SHA1
5d09388ffcfd13bcc7a878f2485a9f44cc1a7954

SHA256
a18c0a5488fd0bdfeaabdc01e6dc7247fc0fd5778a889845d4dc45f08288130c

SHA512
405ec5f9f4359c92ea0bbdcd05388d4b6d539d70453438d5db6da2bd8ca3b7f593ba9ca0cdf3ff1f2999ab34cb3d1e2bbde09d4e0009e4ced4560e0a1cdd1f1c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
5449dedb977a1d7be738f8bed3222d72

SHA1
692a6c10bcdecc9c366a5230577a36d785a7b888

SHA256
f47745ed9315d56289893bb695e6936609b9f17fc392b57c7c113f0af873702e

SHA512
af6b00be018b4de529feb88e58d6e326ca5bd25bf7cec03a82fc8ab336e2075d9846d593cd52796d93d68282ca3cb0223317ec3d231375ee086e56fb70cf547f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
cddf3eee14f21601db126a098dbb0b0e

SHA1
fd1a3c0184b37cdaf3cb5ad5476948ed45f78b87

SHA256
9019dff6603c9edcb689eb405e3de4e09751399801c140733ddb795549b347a6

SHA512
e644d8e0700b396308c1a332e1ae6185c3a8646525b5e9c22254f8e487d9f1d6d5671971c54db24d5f154db1f6b2d6a952112255d8940965e8b132e49613ee3c

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
df6fee886bad8839811242b8db0f7375

SHA1
9fd4f6fe681bdd3f62179828fa5d4b3ad5309e4c

SHA256
92e8f21b924e0bed2fad10394593b6cf5ccdc39923c36b8e758328381f0dccb8

SHA512
dc24672e18e93f70e35009b971336646cf833cbcf51c31964511be3d4484c8381e1b158489822cfd3886a26528d5a268e149a2a05ac2e4cb79807842a2451267

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
352debfa7675432127047a5d19fbe4b5

SHA1
c04ad4446c566a778bd25e5267c924e67ac33741

SHA256
928a6c965dd06cf9d09d0613d95275e7f390bce66a163790c67fb133773e3699

SHA512
d85e76f6e2b0052e5d6c3d093605a8e1cc86c4da11534e71b749ccc68c284886e1483685302892f45cf283eafeee0f13e539b6ec194d8698d5ed77d46fe32aee

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
23086483d1a2d2ca45061b538bf3cdd5

SHA1
6e6b21726b4cfb7a6a5dcb98402c4f5efc9b4223

SHA256
c1ae41bece08bf0e7de22e387ede4df5a09e11c60f5ed204afb0b7bd876cce0a

SHA512
bf7004186f68648a0edaff5a01fbc5b2203fd84a01877371e9436c686d5579d47f61d1fc6616c2f1e6ac3aadf1b8aa336c9458f1dcc515f56b0353f1306e84f1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
b131c39c71525e1a128b87e838562b6f

SHA1
41382ae5795b3934afefb06ddf4c13be9ffe425e

SHA256
14c931b1b9e043fba90a681f4486c4768462e19f3e3c05e5f4da6890d1a3dbfa

SHA512
f107808407f3576cb5c04b6a48b6131ee6a68e86e2b62a97364e6b3676e2ba5656977f0157585e5d87cbdb871d95ff54957ce48fa9153d6b84ad482ce53a3d70

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
30e2999c460c8c6164ea903451aeedca

SHA1
8ff368a0bb0204e57e5b1ebb474a8332b6601420

SHA256
5d9fc85645525b14ddf4b2702dedee620edbd8da440008d85e9c89a9af01ee4f

SHA512
7cdc666690a2312cfa931293067de53ffa974cfd1ff65b07fd7a789a2996556d138e9bbaca5bbd8fe77a61f2d70763f74ec4d5d7f2308509bda79c9ab2b2bd47

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
6392daaefe7c094affa89b6903e9289c

SHA1
185aaf90264784fb1b43f502f868ea0713da590b

SHA256
db545c5199cd8616018382c35571419c1520ff89021e4abdd8d4cff20424f572

SHA512
d6e717b022e8f25e15b6da005f27fa85728444146d66144201285ae76ba3acb29782f1e3db08823787d8d1573332cc4943c1d0bb282be29f5a625dcbd72ec429

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
28f4df9f625ea618f5a87fddd39ad9ff

SHA1
c23f5383a93b7b7f1d8e7422a7dd46c049d5e876

SHA256
955e131cfa025b5028027a717c2222e29c6014e08bf9a06e30e3c260b89b4671

SHA512
14ed068859e1138dc64d8af7432670920ba40cdb2757b187e99fcaef617421d8884dbd37b972273853c827bbf41af6f806276963ce8f6e23e8354e2509390e19

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6114a88dffb495a44dfc790aeec28349

SHA1
a404f327999d6ec8c81fbf4de4d9753e2d50637f

SHA256
c25f05f166f02c251b7db5bfea31d842ecd34ca491f698e0702da6dfabcd61fc

SHA512
1291fd26d3d98a127993e99ee71e1543bd29f13cc95ef2e75131942c7b2dfb3c082fc756339044918d3ce48cae32cbf9b53bc081a41589842fdf0481155b7f93

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
f71db0a31e3035e9b570378c6aeae7b3

SHA1
17cc40442d5dc5847b9ba5157a64ec6b4f651e9c

SHA256
35cff9b9c17a0c803f8ad12104e9b042af381bad74ed278950ca3c4e6b27fe3e

SHA512
b006e10f8ef6f6d98c24b0310a92dacc82816928b0b4e94a35035bdd1fd590c8f763e147f9307099ae417a19338db80029f24194a922c6efbb2bef0489c686a3

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
21f5db4df129a6deeb82d8b0b2c48550

SHA1
e7286795e88b20ac659ac20d81d7bc5e65a05644

SHA256
ab95dafae3375f7b170bc2a9062e665c8a8539510befc24a672d44116f9aad9a

SHA512
657c43bbebd7e136f7ab353a6a918f6e1e1c0368feb483b8b214502401cbf0ea82d5c082cdbda6cf07f62545eb7afbfce569e80b27c4d77e67e76f69e297d28f

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
6f8b87ee18250997c893dab041b6a4c5

SHA1
9f1d73380e2d7fc8468400d7a8becfa5af75da2d

SHA256
5da56b617d5c11a9bb136fee938e40170a7cfd015b4e766e3f1ab702f3e50a29

SHA512
bf96946b13d96fd450c754343b5a84140a90763b76ff77cc21a2aa658c2405cfa068fc04a87f2e63afe83670ad164a96d98c208bfc0b7aa6faedd8c1da19af5a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
21cc0d7c581e87b190f3536ce1733ebf

SHA1
3c65457e0089b3cc6c2872707bd1ba9469bd15b7

SHA256
7be618e03e86b0088dc2cfd53865f6d3b52d93418463e17d0202fc8199af9521

SHA512
30a54c52600699848e5c7cd974baafd3a00a3fc7627ba855470a2572f1d14dc77b5b207fe758403ccff5b3c8ac73ffc6e8a78b8f8fa31375722f6ba8fc33d6af

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
c76a40e8e08559868d077373d8f291ab

SHA1
57ab9747eb8e239a2ae2b29dcfa08a8dd5fc24ff

SHA256
5c449c66b417ea4fc4b26087cce93c7cd147332bac8a29a2436fba9f2018a5e9

SHA512
ed15def2bf17dfd78a21997b52f7c7509883c6f477c63c59bb68a08e130f814ffc533609e429af87cc947d2872af5c2a0b06e30737b39f5ae6dd833e9615689a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
094134703dc9c92e4c70885a6ccae981

SHA1
8a62b78000cf3dc6f4e5c54363b5e1cebcc8247b

SHA256
3498490ff565cc0cd30d84b60f1c1ce5f60f9e5ded0c07e79fe2a1f2af3e660e

SHA512
8d4f9306655ca4e66d305b32dcfadc168cbde9b919d01d1ec39d0aad38a956b25057f33cc4ba743c71df26ad1de419a3b81140f1808237a8eeb624047eb2f1c4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
74861a8676bd11c033ba516e33a45e01

SHA1
f8c81895124dcbf25e72333818175524287f09df

SHA256
bda6b4e6ace382328449a2a59d8c14373e730ea38172357ef47e5dc966250771

SHA512
3d9b78603c4332a8ed6653a50341c5435407c60f7448ace20b148ca8b7ba19c538b3d7556cc171529ffaed2d2dc23ba861eb74b106f01004cc82ae7299fc1e36

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
25fa6786a6ae8faaf10072d903840cae

SHA1
523ba9e9dc512aa76ccee10365ab8991bbe5343a

SHA256
02d2a3c8bca05499b62dfedcaeda394ff691ff3060c07cf8bce951ef8b551047

SHA512
7d63c434e4e74fb371680f209f3d1b8236ae013da3b6b9cfa7ba1b9827a2251ac2e405177bf6a72e8da44f9efd7ed75a1b988002da498fa99b4b014ea6903067

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
0881b1b91c1614df9dea2e63bb9f6bc3

SHA1
9818832063b8f0f2983d631be8234e8639f250b6

SHA256
974e0aac4071b008889b021a4a939ff29078283b4c7e6d905b65fb6e93596333

SHA512
70209aa4f4229962d7980663b1d9dea76e32b48522738bd090b5a5bcde02d8f6bab298accada62c0fe9dceb59797dd22b5db5b73dc96b0db7942bf099c5cb825

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
360a55c97f5b0ed07603e30d2ebae42d

SHA1
f14e72c9d97fff5718ce699298bdccfdfc938fc6

SHA256
b43c6dec1cfdbe5ece909b228aa3ce6ba4923e795675975c82f531596c96e25c

SHA512
9e5806a30ed553228d33d8b67944680024e90c8b78a16bfb1261a088e8c9bd57eef48aad187a012e8b339a34aab5d42eec3d5374ba91468bd811261f2533b03f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
d9bb6b9d240270e2853fb9d56af74d0d

SHA1
152bc33203c39f404e494471212715498cad9b54

SHA256
12ef8b92dd59882ea4d715987e62f1ffa14a7c85ba4f7045cc065b1daa4dc02b

SHA512
4a13cf0c8e879f26ef45d70ebbbf83d197728986a36306ddffb3f35f20e47388a393ea7e4f067daf2576e04af217f1befac4fe17291492fcbbf92780eb30dd7f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c6b8070ecc28b4260d4b36d918acc80f

SHA1
55d048dc62cb3b6d688c7ae52b406a7e35386567

SHA256
7bca7528bbda14cae2a02cdeeeab72d169edf437872b87f0bb91b36b035ca484

SHA512
8ecc566dc9e3982405541daa25309a376a3c899ba7500629e11020a242f069f7b09ce45818cfb8d85d962a54a47309678605902f962188c916a32078b7593818

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
6a30dfce7cab46e2a51e9b68c047fb79

SHA1
03228daeb18785ceee08b8d78d2e8330d61562ba

SHA256
9810e69d0ec55e8479dfe7a755ae1f9105f3b14a0a0bd08469c94f0a9bb45fb0

SHA512
e55f839f7531e74300d105f8e437174923fa0d8795ba0af815245c490ae5e341295fb6da122e0d5e3bcf3e1f5a99ac3e1ac2db26e41ec2f93de0053eddb93a51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
525164317bd6db21f713379e117bc7cc

SHA1
825c576bddf2bb3f895e8d6ba5f76ac91b851195

SHA256
8867006de62be2bf2b53f135b9b97411475c480987d6b3de1fd74fb90b628fef

SHA512
c0f44b98b880e4410c646b0045421f5881ed9d28e86cd804cf811155cace5fc7108fe35d21e795aad1ba3d70460a27a569d8d043b5e69cfd2d27fe968481cf5f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
18defa440954ac316873b2fc325a6ed6

SHA1
c8c8c787c5a72a51eb12977d0cc06008c6235283

SHA256
74a1bbd8cc10a360ebd697de4d27d8cc17af267c34404e9b8523d36b16d8f175

SHA512
a75972d6a4c3319fbdd15bdda49cb059698c7dd48c3d49598c2164bd594dacb2437df784e920fec7940e5d42c2ec11507239c67d965d972a59b7cab2cbbe507f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
c50e50c92b4515b492ac7564d01bdc9a

SHA1
b771b4594cbcfcb2cfe5931ef6d5d674eeaf0376

SHA256
e45c5f9ce969994342c69dbe02e3edf837a483ce726c12152db65e1d3786fd06

SHA512
44cdd48373f12dc3f43b25e98b5232fb86617e0442041dcadcf3cc8af43cdaa63e47eb75cef2259908936d4469f38ffaba00aa541309a43f3c8e9d8f1199d599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
3777732691226e94a4526f68268b2a83

SHA1
ffe594108dffefe03bf16ec5c81a9fc4ba6af2df

SHA256
1a993f963b41966abae64ab7d3b17e931498319a6623c7b676c9075838254740

SHA512
3da9e554cd96ebac1e61be522b8440095db6545696a5c3c8f66293b46d505ac0a2130ce3f850110ade4c3407340c4834a8c0acdbc427ad0fa854b5028f764675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
1dc5a6a132b56da636313561897b3c56

SHA1
03f79b4464e3b4663804b7df18e8a61ff125cfa2

SHA256
694118ea5acda653c49ab2fe59eb432433b73e748f9a5a88aad2a99374e618da

SHA512
28f115b130b1a3e8742c7de1003d8424efa21b415615ee16261a0670602c681bbb3d6b3c5d50400dd77e57a2aad4ac069d19ffe50e2bc7f54dc95e849af5a120

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
da5ba6cbba810397832bcc68ce371ffd

SHA1
9b3f6d7691c27ab675edd8f9d61eee49514d8257

SHA256
547c1185033f702c30a16f2dd3aaf1068548b1993634e692944d5597179acea6

SHA512
b2462f75f0656f6fb9ff10544575a0f0224ad040628126443f89898393e8d73ccce8bbe0dcf9c2b5c447ac313c7473489e6094793eff830e8f5883b20971cee9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
fbec9f583815c3ced81a2652c3dbcf9d

SHA1
6d357aba765617ed928ea0e40d0d0a4dc809e5d0

SHA256
e2b601c708a5c203db0b94798975cb9611a92a7ab31f9dd8c79f06d5c35ce5a6

SHA512
bb4d304704037840baac9cb92f6fa3594abdb329beb1178664783816d087f683d71f76167279bac6c7d0b8c948dda5279e9e11a3e4a885f103d51ca0a2fdcbf5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
de7849d2edc43a2c50e9c52aef62412b

SHA1
99e52c9c4efa0b5f96cad7f567f4db7b34771cc0

SHA256
a82acc5554c7b9b3e8460571d8d3747e20ef63525a7d57486b843481685b2a66

SHA512
40f20a941c9cd98124f2aaa923d288b12e1da21a6e1bf7c2b1a45c2efca80b3231cb94553e3c86d2614ef636915a10cfa5005269a6f5220affeefcea326a4f48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
e79eb7750433534213bf463cdd155488

SHA1
193655757668b5eb46fbd98d09902f4a78d00da8

SHA256
831abbcded667c9e2b91d8cac91ae9d559af344396c5021d4a2441915ef8dfaa

SHA512
fe174f20f67a7293da6e81004c72e367aac4679c554eea93ca09673d3cbfe90c5ebe7a4bbf09fa08b4ba140672095c8c2125a7ee37890a4a6954448c3cefb967

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
3a60b41050d07d8c02cae5482f03e465

SHA1
88669bafbd1790c7de9ecda07693daad808b36df

SHA256
b821e625c356499892c084d3b4cdc5abd8d87089fdc591d723e6f314b31eb14b

SHA512
e3652655e7f98f3a94d3127cec90d4a4369a2b4105e586f7892f58890c18fdf5a732155ada8f3ee1c1c65d3c40d3bcfacce74a977f5002680741e7f8f4eb0b0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
f6140e6069c0fe76c3f42e1b2e280ab2

SHA1
fb1188cc3da91c4076c2d7b119b5ea1ad8b1f4be

SHA256
bb7f81f900d9e529600699ed65453987f9e61f53638d13eaffede16682259117

SHA512
1a7608ed15ce1e7eed58c5ae7bdc3a6daf17b98c9750d31971fac71d14f9246aa7be08b64b4784ea89567651d2a8379c45ee01a78967dfe621773563dd7515f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
8b810f016fb3b885cf4c8778d08cc062

SHA1
6e66bc325dbecc16e0b0481373437105c9b0d508

SHA256
d98d81f9bc80a82a9f1079f73e1658a9e3165ae2670628aa96a7572250da2aca

SHA512
23ea751f75702c2f60eebc215ecfccf9c7d269912217a66291de31c53363f6240e992813d092eeded1eed0768d284fd0b2a8086cf6f0d11ca70c805ef2a367e5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
b1a1e24c21d882b829229181a04bd10e

SHA1
4a02bdcdbda07b840d57ccf90928f5d1ffc950b5

SHA256
cf1bea75ba5d057a9e06c4ca8857bbcc94959369cd3f5a72744ba39f657a7f3b

SHA512
1eb256fa6ca3844a2132eb294e3016b7f7ab44d89f4a66d4e06105e8624c9f8ba4aa87cf9631da4502d37177536b28952a41a25661dec4b806e243351da25d7f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
1ab1f03f18fc29bbec07fc064510744b

SHA1
da4c7386a33b0d01e349dda4e2c48cccaf0abf7c

SHA256
1a5af33abed1e4310f7eb7ee54cd6bbc9bfd331d2fa962fbe8ee571c77b7ed31

SHA512
be9dfa47d9df693e9430d91a611ec15843823ff3b2646bcc0f38c31923037ff3731cb0f88caa3e785644cfa651bc1f4e72a068c37d29e0b46cae0fdb3c3a5e27

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
a956b9656858c65585938f2580045abe

SHA1
ed1340e74e6b329d021e22e3bfa52815fceadc19

SHA256
6e4bd4368ddc1dbc6a30bbc2fda1296f461d9dd09c8c1ef667c519ab2c533002

SHA512
f33605e018cd692e2e7c509118f857b26c4e3cbd26686a35c2e28d418eb61f716b1a705a1f3e121c60a73fbb9721a24fb4d1322fe8a0d7b4d530e2c99e5b2388

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
c0e6961d46182470c2f4e5a3493c9cc8

SHA1
84b5805982400d0638c669f4d5ef04b794fea3f8

SHA256
071e7ec1f87e9c72de93b3f6d3ca1b406e4ad5bff5c604123cbe5e9f67d0b58f

SHA512
d0121c1cd537c5d947fcfe880108014df2fcd91a73e1df7f421ea84b7c59e4e96ca95d7be94a1b2347cffbbdf426d085fbbaaa8a375f5d86c5cd7e1f27cbb665

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
4ea7167c3f670f5f3cbc7077521f57d5

SHA1
79c8cadeebeb2e4dca9f0d19afc56e7106570075

SHA256
e23658f6c8bbeeff1bafdd6d79cead58f6307a021669488da5d75b92274da542

SHA512
84201a7610977e3e42167cfa88e099ef3d7112d2d2fad62348fc2e02ab87a7c2a5692adfe49a29905f6cdf333c2341b87808766a430eee1a1e3aa212bb925651

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
c2367d3b186015de9b7d759aba777117

SHA1
181e3f46986d43939af4b05136c801d4bf3bb720

SHA256
fb66eca31ca26211559bf15b24cefd3db0de776c37f3977b154a14db522d828e

SHA512
83386c52c25b5a6bc7abdf2ce3da145ae519c6ab03391e61bd4ac37c92b45b2c831bd0a6fb8c3d34ccfc3290eabf564f708fb67e14c91fb27728ff7b7f5a51bd

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
dad943d0cdc72d04ae4d003b62dc4db2

SHA1
99b1452bae2a5ea8aa1aff2ad54cb5530d20c43b

SHA256
0788f7d2927ca676b65496cf4787b18f73ea0d5dd21419a89ce20f1f7fbe10c3

SHA512
bc3fa902343dd405b6e0388201d61ec05813ff2f40d91099c26dbd68060d131f99278a1ff43fe188535cf9f59bc637293553aa5101d87638cdb325d083893df3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
51dd60c223c5896d2efad4d5b40faef1

SHA1
76a7e0364edc67c67fc95c4105fdb5ff4b720ab1

SHA256
dfd67b990f9c4013b88a480e1e184ed6019e1bf8885e5bb20b21e4f479521a37

SHA512
620128abc2f6a67b719b174df28184e50cd9a8a209108d336564f7160dde9e53a5e82bc36801b4e42be30b5f411e1caff89b1f1bba4e0d32b5b24c90d60cd6be

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
2ef0645745627849ed29c7b803742b1c

SHA1
a6c4074aab4865f913ecc9a8dc3e64e5da031ac1

SHA256
518e4d7383c44af3c10e5c371b4d7f31850dbf4f4b0829c66a8508900303f15b

SHA512
11d3b507c7675e85b228ec3db678acb859be4dea5c3ac9b93419c86cd2b0ad4daefb637227c178f7909f67c1d915be6a69352cc57f10889e142c4e9e8f9f2335

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
36150ca6ba7d89e4d202423e8b383412

SHA1
5ca3839cb71dd96c56f1c084fcefc26a6a328dba

SHA256
e0c75eb02dcd68484486b5467879aa59ac7d9b2584ac016ba9872e3040aa9c33

SHA512
0e0ab51a4a89306590aaedf06b334d4b8c56d1da48e80f391d4c4a8c9c5388191c59d69a02e342d7e40c2c00bb62805c046e8e448dffa1dd141fe593101c850b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a338cb1ecbc8767e180cb736233124e1

SHA1
0e533b70e333eec054b73a136a8517393a30c0d5

SHA256
00a10b96a16ae03743698ff2ff59ecb5acecb04f78ab00fd350dbb0864521803

SHA512
571ad862f180843ee67b3b464944fcd11bb85fbc8a32e8757e64c70cb8a0fb33a46b9a781cf9094ae3929126b6aa2203edc7ae2406f0b51c512dd8f977502f9f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
303d62530373b3fd7a03460b7f00e0db

SHA1
7597ed8cf57cefa92409ce21fcda6147b7c8e4c4

SHA256
2ab42e26db64f5992776f562490e0f40ecdc8c25ce68537979b2fa6d7e99c26b

SHA512
9d658ab4b05f0fcd67f92b8f0a19eed709aee1da500212c2c04fc9ae9e9aea18c291b18cd8b98fd5e75b1ae2c06de37137612d4aef539cc43e75462d217da232

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
325727d3975423d242d252096a1ec2c8

SHA1
7b3e961326e46839a2e4b174ede9e9024c103853

SHA256
8e413b25ef79f186ab94f473b25c77f7d09c3724d52ca71d31e0b3ece03f10d7

SHA512
2f959cecf6282826c5625c2a485af18f0eacbad0efb2caf9728465490294a167d884f1b8fae4e163a64dd1f9ab9fddfc3365f87a931dea1702139f5cd73a458c

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
465936b0f70b60e8f7c23a620527c8d7

SHA1
92aa4bc226964c730ffa5738807336bd1db9702b

SHA256
072817e670f4878159869818587d5476cb485276f4c2441b103b36b4ed2ce530

SHA512
9c1f1887775b3df742a1781d1aed78e05e9b9d77fe3fc201715201c26a05bc22dbecefb9d9858c241c7bbe546dc3aeda436e660846548574409acdda6797ba2f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
43aab74cb60a44f4ce1587906f7ff4f7

SHA1
e13d696608eef43d67c036260142ba173f853c43

SHA256
e49cd6a26169c698cfea7fb685e1aa38e3867b901dbf9d63aaa3b415f2dcb520

SHA512
f78755d2f30438a4c7b40dd16936bad59195391c09dc5b451febf9bb0abdcb3885c06a94d6591afca0bb523d70526104ea7a7685f1c7dfccf40a04f70ec57fee

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
832c0b3ab41ce5ab68cd67e7d762769f

SHA1
bfba5664942afaedc48739a3aca447f836a66600

SHA256
df5214c07c3944454e621bd962c9c79d71559afa875e85718de1686cf5f8ecb2

SHA512
a6f6e35bb50618110f7fb9319a0402b5f07263d562e5290c0f190f2564762c47f134d398820be9a495c52d9df370b748acc6cda828242aba3de301eac1c9f0e9

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
ba59ad18ac47c3d302d27a4b19cf1779

SHA1
76b33a81b47f20a3b48ff83402c9893c0b844187

SHA256
d0afeab583c521dbf64dacaf8ad9f02e91cd80814fdde85fc19a67f4578686cc

SHA512
981de6582b75b3922e8ae00f6242ff1a1259871f187a7954bb34c30645ab87ef459f7e00b424f214fcc9254d0fc8aebce007467e60951cf41ea8b4498367c02b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6db3b806adf4aee2cd8b723d88b0ba40

SHA1
31dec26e6a3bbf09606aeb536674838f2c2f82f8

SHA256
89e0f4ed9140115ddfd82ef1a873c9831ef5b45477e13feb2092f7d8fdd70121

SHA512
7636ec97fd466348875a68c18990462f65aae8e5577e538fbe918f74f14ea325efc9d7db9f3d2796b1727058a599d941729052bea36d377b8f4c489413d47aa1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
35049fc427631a54457177856ad4d633

SHA1
936c091568daaa80e731cf6825328292f6224da7

SHA256
3432cd66c70235c862dc070f8bcb6b4765c9c3efebde9defba6abf5028afadb2

SHA512
6a6ae0a2a2d323a895c15c9bca62ba7a3262297c897d0c416047f17f2300bcd57aa674c4d1b9e1857890ed43f778a5c5e73dd549bf66b775dd0f256ee8d87629

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
4b0c87359c5c114c048dda45468719be

SHA1
5ac33e1952d812ac66428869eedd8e97b6602258

SHA256
c7d9bd49e8840b67e2577ff0b980e58c3781ee88da169dbfdca38f3e7af9f077

SHA512
a8699ea9ecf0471bee716ad7dbd25a725dd9b26461ad152f8f86f11c0b3ee0916c12ae586b193e84cfbea4f41cc1f4b82fca2ff98c0959d02483a1888c4ca55e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
a5b4193b1fa252a006fbf63272751cd9

SHA1
fddf20258fff1d85340a4df254b47265831d11c6

SHA256
766777343cc2b9514f06f83f64102acb61c4ec11cd70e46a4f7d83db0ecf39cc

SHA512
0e0bd7d41e2721d97d05b894ca6bcce30f21118f2c1da6ac88f31915bd4302f027e9cc49fe75958cc3fa619f3e3fc7fc3a0eecb686b675279e38a1cc2a60cc2d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
ce618362686c2c461323875cc65fb1ae

SHA1
916935883ac499f5267e7a9f4aada045f83129f9

SHA256
5273ee6d7441eb33c6d06d2c559e843fe5a7aa06082b047d567249d75c6e9028

SHA512
1239e7d59b246cc3ae18535ce87b76a51a90c1c3935762bac8e335cf0f0c258fb5fe33dd88dd3adcf0165e63cccae100219624ea3d1b0ec8f253b44e8bbef24d

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
7224639fc46c764d5455438b0a317477

SHA1
b5b2107d263038f8e2781d5b7bd99b5f9c4613af

SHA256
0d326485d7537811921fa5e878b7d795dee5074dfa3e154936b0198c0e5f36e0

SHA512
1c055ee27d260cf018fd4c1a0320e3c43e9decf5d30ce55b2b4c968f3d0187820b3a3dffbdfc92739a0fd4ca2961bc64bb33152df114cc6782a6d9a43e56323d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
9e4df1245c4f210675de0e196b334d87

SHA1
fe02c7697dc182e957c28fd2f62f44e2a609abdf

SHA256
ecb5465868c594a23096b53940b7e68704c6df836e8d6c8f9ddc84fd111dbd52

SHA512
a2d054c8ddf061ab0ff92807ced1cc23290175bafabbc3f62a71d66cc4fe0bb03a31e9bc6093e2d52caaa41cb08b7108f5f0d7288f820ac07174bca80d655601

Download Submit
memory/380-584-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/380-254-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/884-253-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/884-132-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/1224-155-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1224-336-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1232-199-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1232-408-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/1240-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1240-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1240-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1240-178-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1280-103-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1280-217-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1520-90-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1520-17-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1520-11-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1520-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/1604-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1604-583-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1996-202-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1996-91-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/1996-92-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/2820-362-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2820-1-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2820-0-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2820-74-0x0000000010000000-0x000000001017F000-memory.dmp

Filesize
1.5MB

Download
memory/2820-6-0x0000000000A00000-0x0000000000A67000-memory.dmp

Filesize
412KB

Download
memory/2828-241-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2828-129-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/2836-49-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2836-56-0x0000000000CC0000-0x0000000000D20000-memory.dmp

Filesize
384KB

Download
memory/2836-51-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2836-166-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/2840-143-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2840-512-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2840-266-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2936-376-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2936-167-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3400-61-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3400-38-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3400-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3400-60-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3400-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3468-209-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3468-216-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3600-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3600-33-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3600-34-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/3600-125-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3636-126-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3636-229-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3980-179-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3980-403-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/4636-275-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4636-586-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4652-500-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4652-224-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4784-75-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4784-76-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4784-82-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4784-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4784-87-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/4868-547-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4868-230-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download