a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
Size

1.3MB
MD5

bc0adacec00aa5ad53e5e5daaed46bfc
SHA1

de566032e18c5d5f658a495e343b684607d29a48
SHA256

a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d
SHA512

7f794bd7eb232118e5b71a01c5d3c64f1428e8914027a02aadc9e08e4f2e227ed6515207aa59d1a14dc6d197cf333100b6c8c5df6390b123442d7a397b7e498d
SSDEEP

12288:D+u3hUpp9MTmkJR4Do07Y86gw5CtCjX+NLuFhNpBeZT3Xt:DThUppeSkQ/7Gb8NLEbeZ5

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2076	alg.exe
964	DiagnosticsHub.StandardCollector.Service.exe
5116	fxssvc.exe
3408	elevation_service.exe
2500	elevation_service.exe
4584	maintenanceservice.exe
4828	msdtc.exe
3008	OSE.EXE
396	PerceptionSimulationService.exe
1056	perfhost.exe
4344	locator.exe
2492	SensorDataService.exe
2532	snmptrap.exe
4800	spectrum.exe
4952	ssh-agent.exe
3312	TieringEngineService.exe
3504	AgentService.exe
844	vds.exe
2432	vssvc.exe
1076	wbengine.exe
4596	WmiApSrv.exe
2080	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\System32\vds.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\locator.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7907d06adb05c3ba.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_79171\java.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ac05b774196bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000623e7776196bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000242f2676196bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000008b35f73196bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000327e3476196bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a52c6476196bdb01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b635aa75196bdb01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000076902876196bdb01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
964	DiagnosticsHub.StandardCollector.Service.exe
964	DiagnosticsHub.StandardCollector.Service.exe
964	DiagnosticsHub.StandardCollector.Service.exe
964	DiagnosticsHub.StandardCollector.Service.exe
964	DiagnosticsHub.StandardCollector.Service.exe
964	DiagnosticsHub.StandardCollector.Service.exe
964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4028	a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
Token: SeAuditPrivilege	5116	fxssvc.exe
Token: SeRestorePrivilege	3312	TieringEngineService.exe
Token: SeManageVolumePrivilege	3312	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3504	AgentService.exe
Token: SeBackupPrivilege	2432	vssvc.exe
Token: SeRestorePrivilege	2432	vssvc.exe
Token: SeAuditPrivilege	2432	vssvc.exe
Token: SeBackupPrivilege	1076	wbengine.exe
Token: SeRestorePrivilege	1076	wbengine.exe
Token: SeSecurityPrivilege	1076	wbengine.exe
Token: 33	2080	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2080	SearchIndexer.exe
Token: SeDebugPrivilege	2076	alg.exe
Token: SeDebugPrivilege	2076	alg.exe
Token: SeDebugPrivilege	2076	alg.exe
Token: SeDebugPrivilege	964	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 876	2080	SearchIndexer.exe	109
PID 2080 wrote to memory of 876	2080	SearchIndexer.exe	109
PID 2080 wrote to memory of 1492	2080	SearchIndexer.exe	110
PID 2080 wrote to memory of 1492	2080	SearchIndexer.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe
"C:\Users\Admin\AppData\Local\Temp\a61139749a9293c13232cbd5bdd588f0869310a3808134ade5e95430d868647d.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4028

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2076

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:964

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2468

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2500

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4828

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3008

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1056

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4344

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2492

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4612

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3312

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3504

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:876
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
63393442ec1b498ab6ec3a20e43ea113

SHA1
3ebb1c0d008cd5b24fadafc0c642f05adbf16858

SHA256
89495a40a45f0a7344fac129ebbedd22c2f8ff57dcc8a1c9bcca07fb24dc546f

SHA512
1aeb4cf3b769dc8777caed0adca9c7a52286be234a4db1ee7785a1a783511c74ceeb0f136ec6e832b5fe6995bedfe0830e3146d63da3bcab4f5ff6c454e4c572

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3e8649a7eb451cd580ee7838375c523e

SHA1
5f7590db976a6caef07926a5d791668a3899f360

SHA256
1c150860ab209988feac0a081b6c0a7777116b32c532f1e2fde5d73438397daf

SHA512
710c99fdc7356d16ac6f34f768cd4c7d8fa0fc358540b12e6f6c798ae408deb8342c9a64f7c853c3af3ce4bbbb28b07108099f0230577d18b17c072f58cfc53c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
a77dfd2628eeab702cda11d2122df2ce

SHA1
024f446f37b2b4a360f9f5d1679d8a895aefa555

SHA256
0451301863dda48e1e58ffa3bf2a3e88abf52383992af2b758c93e705df89ca6

SHA512
59afca6bee18fc110cd91ca555d0854c21aba8e8f4eaea83f703fffa37a0dc27c884be307212ffb54d77568f34ee6de3d5505689829820386f45c6e9a1dc5ac6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
0f33a984540268e26d6d93c5cdca55b7

SHA1
9eb468cc655badd7da6d4e1306e66e7c2b719d9b

SHA256
75d0bb95d1ca82d3a0ac81c6223753ae1a88f35d75eb5cc0d2ead963870c766f

SHA512
46c1c040fec904d821d2c4022889382516887b1b2df3016a5bbc4039ea68e75df77ddf96fc454c27b97a1c547c0af39649878f22b464d5be2a072a103e76b3da

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
b614034d87c3b99174878327f46a7307

SHA1
698284cfdcd74c5cbe7ae2c6cfeb55e24e136712

SHA256
81e35b8bf4daa4e4e31ce7cf07096c64bf061bbb4d64925e17e40c324c5d13d9

SHA512
373980256f21bee6f93ad8fad13a388c97379b8011896bfd84f97951890e6ca3f4dfdf458af3cb570024baef137888d5e35045cebd38e8f5230a0f65174f0e21

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
e0962db7562f2e5f3ff12f719b2b2bbe

SHA1
2d64b6dc8267515688da0fc537eb9e839338ff01

SHA256
da59143cde48b9ecce6777e5bf8b027533fa1915c65f8b8f171acc83d63d5867

SHA512
1f29594df613053021862cf69ffbcb0dc2ece493672fe054cb9fab120b4c31ff88b663f17985e091a87aa670b93bb0b5d7a2fe294f79cd43a4d207a3c16b7571

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
1dbc64bc9f61ade9b0e351eb5782c7d6

SHA1
27ed3805a98c0162ac7b5cdb1ed66ffde36a3c89

SHA256
f5e03e35285c54ba29b947aee285e8c285a88f29233054548cee025c4b72021d

SHA512
7a4d287e2cd35226231656d1b12d36774f3107792824f2bde93e77a9a72137d22f2902145ab2ff1220000ac51bd375ac223ab688085367952054269e278da173

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c3b8133e187fd5d0f22155698e050849

SHA1
ec0633ed19b643d3b00c4cabe7178ed47a7ba319

SHA256
6a617624015b03f2e5bcfe1f993f7012e44c84e5d86753226f083ea833922478

SHA512
e08195ac052107c39f19a243fde817044a9a33a3f99b1912492c907134d7e131e33ba1aee2ce6012bcda108d611a7cbcc3ba9347a384e8560dd6c5c6125b7467

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f4a50fc24e5042a373f1383cb77a17c0

SHA1
66aeb8dcfe237e49d92dc7ca460c85ccb23aba31

SHA256
f72715d3aaba9b9d9f569a76a04f425154e57d378416837f74703605725ce4ca

SHA512
3456d4e16675d95f8547ab1a8867e05ca2ba356e83c093aaf023ba1d40e431dbeae42c8c3d8ad5a61e2e17902ba33e0577eaeba51fa1c8d801befea8c6759832

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
cef5b431db0547c4a683461789d89c07

SHA1
9bedaafcd5b54d558275b70def49be3ec137b341

SHA256
c5a3c0310a0987427dd3c592d6e2f646defee29f3be92767f9b15f738794e95e

SHA512
6b4ebf265302eb92a0f1ff64f8251189346ddc0f51009da6d92582facb0a419be32c3c843a24f45af9fbc1304838c0adc93da100c21c16fcf94993aae1bb0769

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3002d9a3c95fd62b0525dfa8e60bedc0

SHA1
fbae42e856ec0a056d7d4250218fe08099959aff

SHA256
070e279858e0c4ea56f9f227fa6e63fd5272d377130db4f1b6ef383ca2978d0f

SHA512
024e53e2f769888fe4be0623417a4ef6f881a78f65a6ac876984ca7a5e9071e52f41d70e28a276ab07452d8a25dfe6fae052ce72412f12bdfb5d8551340ccf6c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
fedcf25ff36daf4789f75f3582cf7ba2

SHA1
aa1a8d29b742ba3dad57ca93537c98c00c691518

SHA256
e2aa4de37df891ed16e0417d081aab02012e52c818d975b960bbf42fe2e1031f

SHA512
e0a65ac20a8ed98402d276771f256a6d2b3c1d61a9ca6b31741f6e641a575f126906394eb1aaf5f4251bfe860a9f3487f2eff39a4d674add7c9f4bd36277b681

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
58945ac65db581f092b0130c7a76ad2a

SHA1
d22f76fe590940b907b8818fff3af4ef17c880fd

SHA256
24881706a375c8de23f42ccac472eda741deebf7f8c1f1b95cdcdc2aaa93a93a

SHA512
8d604abdfbd263779b7ebb08161276a013aca2ea5831a3dc8a2701b97718955fa5577df609e57536a16d7cfc84697e71f31cf5642b75e2391036ea5ff9d9ac28

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
7dabdfe8c4c2f433ebd29051b132b0cc

SHA1
88b391bed25c07de38c1dbb11f03ca640d699df8

SHA256
040d5d1aa3907faa69da66f947c3202a2d4d7180a18ba8d5a1ff65d63b30bf7b

SHA512
b00d0a2750d3c76b4a81255db53bf04331ba1f4e7680e18d5b104c256f601f3112ff2690a482760210ae00a76487f54010a88da112c895f82ac61aedc350202f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
090cced4d04080803d10a5a96eb6b1a7

SHA1
eff20883601f3e8626101fa92648fb6f21c69b21

SHA256
6d8a801b04a576e5e2387aa4b6db3074d23ee96b72e9086b820a93a851836238

SHA512
3caf072b91b6da2bbaf81e4c3ad6c7188921cb92cc62a20cce56db92f28bbf020fdc2d5456de472e0c1e038382c88ac721953a574f6859dc4dfdc6033f838abb

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
47c3c90def26639792191b276bbdee14

SHA1
3d3084b56ed14e6c8fe259b39deb69c601127a03

SHA256
569a088eaea6e46c263e52b8eebb426158002db2169cc2f90b84e67b45cc09c7

SHA512
2139e67bf4ed29b76d34f566e83bc254714984153f9dd0d7f306a45ac8466bcc17971a797db485303a6d26be151b5df023dc0ab71ab20127cf04c085fa1ceb84

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
24f4fa3d2f8c67fdf684b9e620dfc86c

SHA1
4812e8f47ef32c63230001e93f3df8aa1de69d7b

SHA256
5ad2c95a5a36f245d09a97bcf4bf97e85de0883fb1679af54afc1e27a3e2a1b1

SHA512
434cdc5cb64a35532469e74b010f2dd76a3de1f0b44b5c2013b56d434163a437f7ac0d28b8bdac5d48f8087ee1b166c5f225c709f66483982e0b91fe8343208d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
c54a2893e782f0fd9a8db4641be21b53

SHA1
4d7193575613b2235d6867b9b16b2300a488fd9e

SHA256
e6c1c344c9846c604203607f4dc7512c3f1eb5e62401d75c1693e6277343be31

SHA512
fb2df6dc6f5dde6a93fbf067950d2bc0b611b56805c792b76eac06fff195764e13f1543d76be2b4502618aa641d1be2f83dd63661238020a29f4e91e6f9049e0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
125f42dec3057a096173e78607fe89c6

SHA1
9b4fc7531005dd25fffcf15d5728b5b8054f5a45

SHA256
c7c3b6bae0fb9776cde451e59cce19522f0cae45fb658a35126624114220f385

SHA512
f4814396fb97b63d82d196ea025ddbefd4d7ca044d978fec27056eaff33ec1a49be5551b1959bba5465cb809a4eb16b3723f33da2b92077ad4a11ff9531f5de7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
e2cd8cd391c4a47b727e568d178481cf

SHA1
fb99fe045a92c8021b7992fb60f8305457f0465e

SHA256
c89bd366d5017bf59b57e0f32c3427cdaf842a43b6b15179d8b0394cc0392e36

SHA512
5e5ec086ab791cab0a0df0b7513f6126cfe4a802844f09b87f642c02db54637ec1eb9c917d0654419126ac1f11eff80056835b50c7fe43a0797ddd08ac7dc4cd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
e2df616128992e97570995f7d63866f9

SHA1
5a4714f2d7d9633fcac7b42356714468664eaf96

SHA256
2bb4be7998352404f2d13502bf90c54602ab01c90a56c9be619bd91db442722b

SHA512
44a0c9903ce8d36b9f73b70aa37b457fec28f35516f21ac3fa4fd0be0fc7203241320c2d6fa511e0befdc66fdeefc983e37e6765997c0b196a091b1644e45c50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
0ce60f5d37500486419f22748ad85eda

SHA1
b4afb32341d74e24399a0fc59578d4548f8043f8

SHA256
546f0ad020155b2bc60bd136d3724d3d801b0ed163b9ac9547de3839b4a4aea8

SHA512
d220ce7d0a9b3500d71190dd44806d0f3c6ff9a21f860ac7e0fed67518e1b25923c58c37db597c12b780d897aee01b7c8652b56db997298f0ef9bd12d0f56936

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
63b87df50a2183fa9735a8cb4299f187

SHA1
12185f65a464f22ea2f1db063d2661fe7c326014

SHA256
46e9a2035500cc84ef0726fad23c73de8efe506419a75d1a98ff83ef6d5fd531

SHA512
bf7665b391229f34b033131517967e8855b6911f948344c0a626a17f2f02e45bedc3c78ecb9d92bb5de768de306e090a4d3e1477b2b6772d3e1751ebefd4108c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3003ca546cd8f34eb83e5e09bd9fde85

SHA1
7eb7f8dd12798dcfedaa36fd0bc532f41bf3daaf

SHA256
14c788a71852d399f5ec63c2fe79c954f83f7b0af54e67a8a304482114196da8

SHA512
5fc249d0fd15a72778e5362bb807dcc11cd2fbed9c7ef4d1b354ea71c1e1464fa146cedbccc53e2a9e755447a0fb94dc964453a72056babe44356a4b62f7a64d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
5926adf949b49c513e7e70699d4c3fb1

SHA1
bfaf33e2e8f0d92db413d84401e90f3ac989dd17

SHA256
8d2aba85f78da8e80a87a50be18cee7ab6c8524716d2e7d9446d7c9f1054afb7

SHA512
01e5148f9f153f493b93dbc74bf4e669c9268e59cdf1da71596923585325856213e2625e3133bf831f29b82a2ba980da46dce58617ef2a02a190dda77096ff4b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
f60639c296a70eb64b44d2f811208117

SHA1
e31ea9b28bafe8341cec01e7cccf71b0c02b52be

SHA256
3d83ef170d85d23685f5a37eb3c102e922d91d57f5ac0bcb55d8acfe6443cbef

SHA512
6e8de6c7640b32b34ac78d4f888175fa9c86a9e5d54bc8c3c9adc6445d909ba638fa5b04d4cbc31bbde6e874d26ba2f38108ed4f3f6eaae2dfd41e488adaa6a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
8c851060954cbaeecc45a2e446786067

SHA1
286f50b379a5713d43f357c268be4fc91c66e408

SHA256
515b5c02c54970b582d47bb9c0771abc6f7f30e70679776745c8bf0ca63c9aee

SHA512
bfffbacd2520eb189a8b4ab3cded4c467d645db133519401203c0fc5f26fc5995fc0a20594e369fc832b43dd30de83113c77417ecbcd9da4588bbdd09ac842c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
86a9fca0b560d30a1ee9fcdd36c34037

SHA1
087b6cad8c045d138b86012ebead44ff6101c9a1

SHA256
883854521b464928caa22e0ad764659f6b2d903051695a5a047cbf333b8d95d8

SHA512
2dc783e73fcf66cb2e9025377e863f2f3509b95f110221f847802bfafab5663eee49069df22f43dde295f5227085d3508ae22e054eb854aa93442fa5e82defcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
7c28ee6bfda085fc1e29e4eb2d59f4a4

SHA1
438128e6515b2e4acc858f12baeea0560ebff6f8

SHA256
6b3f33e09fe0466f8ab4ffd9be7fb899e5e10e048a509a49b488320371448ce9

SHA512
7bf80a060abf4cd55af797e6e28250a6be1f1cad6503f93727225e4061d918b7d81f56178aed9fa2d339431f66b9922080ca1720ddfad49e01a5e8e65bcd5a0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
97e9ff91f709e6e3d779b2b0605ee5f1

SHA1
1874db9e4a4efb95214ed104f02af3a7902cf514

SHA256
642cc767c9c7467ec87f81caca5c112bb8ad03f80479b82239d4e138dd01467d

SHA512
7a9e83be4236e35c72e088446525da11ca10a3599e0ca240d9cf5fcbfd2abcce37324bef2ceaef2bbb81f4228de4ea74502df4dcb828ac84d1c8f2653531830f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
584d7fb8cb7c76355e38e84b393d0905

SHA1
036a6b7eb56ce6633490ba6df5fcfaa090aa1e8c

SHA256
d128a441d1e9aff31672a25fe667c527c3c424f85ca56cb57752e4f33d527809

SHA512
a56fd17aad19c28672863bd93f513f0cbc489299ee78892ea0ffe7dd75912de701a22488034969d9dfa62202fd101dbe82edf65cbadc1a27a8563df526d67ccd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
86fe015e3b21532f2836db32a8cc39f0

SHA1
4bd221901f7cd4529f85e76e82d8f7304f4e2175

SHA256
ba273d32a0c24e3b6cfeb90e5f11b71e1ebbd7fc6d7700bd79eb9d012313b4f4

SHA512
0e187d358cb63277eb06d0ac07b7f9e8361d06b5c884b748b347a23e0f721705158f6ea07b8e1353e07d810a6f3146f252c72c8fa057e8e0f3c5a062974f09d7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
a584f0c7cdccb521402da38b268fcdd6

SHA1
cf1842336276754f48fce9a21c82b7794e036777

SHA256
c4eac26448c989d5606e487d28653c9909cf2675f309577159dc8a410b8ce6ca

SHA512
73970f4cf3dba00c3d2b4ec0b19114168eaa45825534c7333779d7db1da424209437ae8f8c64a1b0120fa3e9a4dc9c73b62b68ae63d7f87dfce870cfd61135a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
6b4cc91489f4c9e3002614c6164769b1

SHA1
6adaeb14325f657378357ee32ab456c0b9e1a524

SHA256
aebc7b6d497978882ebe42da258805468032c5f9b8c363fee413e1b1da2de03e

SHA512
af253802a1f6bb439fcfb8a17782694fa3af2a327148f1403e5001caa7a3a144f51e2615ce3dcf1e54c1f0b5332876ef3a39b39ea172f63c2dc8a2bc2256a3e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
f16648a0ca7cf71c258fc4c276aaf337

SHA1
5542f438ca870a3de8c8ccc239c3c077721fe867

SHA256
76ff68dcc16fbc48764e382e288d8d77dbb38e76db7365d12281cc9f1e5735f1

SHA512
1ce702c674e3d1ad453715a428b3d9f343f4bf127b760997b351738cade129d7bfcaeaaf0e0786db49cc53dc021c2564476cf953489f84ed7db75e588f957be3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
217db2f95f1f412099b71b5cad56fc1d

SHA1
40761a5efe3b499355bcba903dbe38f1c9e1598b

SHA256
4ddf2bdc468644cc5ddb71298c53594f7c64cc5d156251fabf09000cbae598c8

SHA512
839d2c8091cd114d687bae0c0811977582977e8ac3816265a243e905f7b216656e3fa21285fa527dcbda8e69bc482ba45dcd454a0ce3acf4a18acdab230e1e7c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
f95d373b91a5c58ef03aa3d95736c7de

SHA1
3bce10fe0257c43b4ea16ebeb9d76bb40ec76b4f

SHA256
72544f79bbc4640209cc935e32d40f512cba54d8cd78bfdf7bded92652a722a9

SHA512
3999e44f87e3c3403d474de247dfa8c6710117cbfbc8df8b053fba5ba4d5dea98c6a629f89efeb1cc788a346f2da60191d3fb35cd28019cd0f2e569eaacb196c

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
200f062221eb35d3f243b3b7b350714a

SHA1
af955224cb57a49b2ad8fbd16273c39a2d556f21

SHA256
dc1f7497b6734a7394eddfb23b7280df2bab1ee520dfa97bd11253433d9e23c3

SHA512
96431be48d56454cf4ad2ae537d56f6fa7fd06498c6749c9fba17603fad4442f049e39cc216ecb77afbafaee4f3a84033e9666da61123b398405859762a8fe76

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
f3630955da3165bc8ab4eba082f177f3

SHA1
ef49bd03c42b050aec5dc539f955b459c9280d4f

SHA256
caeef8e1022ad2beab07015a6939f9e4fe82230d8f7b1e53423a3249e2afe3e6

SHA512
b60b8ccfaca151f529ebdd0e25c644c208ab06b99a7b59fb1913776320fd41e1888d7a418f001f70a639acd521b7375605f218a984225dcc4917f64315381574

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
caf7ab033fc84f634a9e525f74b28eb5

SHA1
e6c3b76f3e246918b7f5913e8b4b323d97ab130c

SHA256
708d82aeceaf3ed0eb1227e6d5be503a526dced537ef80bf7d2b19830915046e

SHA512
3da8ec981bf76e812aeb63a7a509188fc7bbc8ed111a5fbf718b3e50d722d45f46d1f3e7a557a701fdd2741bdbe20d407738b4324d308ff7dcae8bf5d78b26aa

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5b49b6bf815816d851e7cd98af58af82

SHA1
549ea1bf5ea518a45f39c3dd576ff4d49287cc69

SHA256
de4689c7def5f74053f5bfaba2e42ee37d9a304c850d4a3304476b20cd14a02d

SHA512
d16d105d8ccffbcf6dbc042d8527afe82225b833c83b36f1ff4cf3de4ec1b88f58d5e3ff47e7c676c75c0ddc3fdb9fa10d388349fca6720293715408cf06b6aa

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
ef3ce92271fdbdafc56097b9ee3a51f7

SHA1
3b238c9c81573120e4598a181c57e557fb442e96

SHA256
f6bc1c41e9c44afe44117d192526ecb02ec8ec6c8be51b2868b6c7802deb395c

SHA512
f0d3f313f65d54fe38e34678ab824ed8c601af79ba9d2bbf866fd59de34db44f86781a1f0a1221cb8020edf45a170b56cad42c1d965de5049f547be79926748d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
3e5ddb73c95d0c98a5308002f2a4324b

SHA1
5925774c2fbc7e101859de91a829bc4c618d78cf

SHA256
8a5db92fff169a1eec7677ac74c3894f4c2e2457ce700bf26423d39fac1a1bbb

SHA512
20e156f385d598d5c6cbc7426fac3e8ed1644f4a37853887d2b3da76a2de24f7599f994ab54927a03c6d59d85231a0528a09fe06d15caa2caadc98a13466dfc5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
0cc233f1e07b6ee0272f4553c7981567

SHA1
87390d014e728ae1b0d165cc153db57a88d63272

SHA256
58ecab006d196a5b8b6c88f8492ba6bda4a2572c3fad1deb1fbe116ceb45d6ac

SHA512
af555d142017583d5156dbe02fdcfd5deb84b092d69ecacfe8a3e02cc6d64d81dc0e54c674e6b89b3c3002a55bd9bb8d13270c6e5615cde335d44032e0e31337

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
cc1542045367d2a0a93073f4b0337d5d

SHA1
78e03fb15ada4b54b4ba504e4a89e8c2d9e7346b

SHA256
bac934d5be429d9ed118e77e96105b75dd61a3b23ce950a175aec4837d410776

SHA512
9d8d4b2bb9a84637eaafcfe7ba79f34c9dc93f39212f20e88fe11d8066dbb51c78beab6fe1ce5f4a71dd3956cc764a0f9c001fb63115fd2ea8b66d225e347052

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
5207989888e9cc6547482ac70d51fc61

SHA1
a5fe154f294f64057b45b4a1d642e2417bf59a33

SHA256
f56d258b6154b1ef0dc8e4109cc44adaace6c9eb853fd14664883dc2f79a2728

SHA512
60d8e60413cc16484440b17fcff14860e79ee041bbdddbc17186a5f657bf48bdcc468366fa615147987166bfdbc557b7686f2da31e31ca38d04011189831e21f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
6bb37f3ca982455befdb043150e48bc4

SHA1
f4eea855b33b2cd2daf3c4896b80c20bf89da7b1

SHA256
7171fad5dcf496fec63566c8e135d5b9d49514fb964e9cdca618ef85688ea695

SHA512
f921666c50dd7e004d33bcacdd1d3f3c362b73fcda14e51e06314c71159f60ea21c108d96a39d4162c03e9b216a911c269756c167d960f3cdcebc9a11324e4bc

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
f15469283a1526f3701becc4ace0d6b3

SHA1
9f19f86827562f8ceeba683cb82394e154434ca1

SHA256
0140e24fb7c41442aab8bfcc13c3c16ee1ae981531d500c3ebab3b721d14a0da

SHA512
0f2c1b39430613ef0a421e143b4a2a84fa2908a47f69522349d008c31105262e2cc85701f284b2e95f0242653c5352e8269f593de4a37f3e67ef6c3805254739

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
6ebde33fbd02aac38aed036613f69522

SHA1
31d1a4e1f1075993e9a4bf1cdcb322a70b8ea651

SHA256
a53fdfbbe527e99b74f2fc676543c75973890557ab444c4975eac07457e52c98

SHA512
0f8651864fc5cdb056eb108d3b8bb8229b2c91e298acb509a0ae796cc56bead02f264d35dccd5baa122d8563092f67e3b6d3bf78651adde47c35212a58159bab

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
5a6cf006d109d2740fc59ea33c02815f

SHA1
e6ad4261812476022b3ad6508dee6e248c6367a2

SHA256
4e203268e96a2b1875d61e9d28114d7e91fc48d43b79d5539750f6a7e1c25907

SHA512
ebba7b0689c917eaf6a0daf22d33e17151714b0d74fe3ce0de0459c7fb4f7dbfd44091ed6afbb920b901f5d742db2006730acf3738cfa14acfbef41e3d30a3f9

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
b07240f83b8afefdd4925f3cb8c05928

SHA1
6d07c84a3718fa58afd3a34099f3b9f0838c148b

SHA256
41f7260bca5f8b1a71ac6df915f58125f429718cd9d81cdc58d921d3916b262a

SHA512
99e06ae5332257f1440a6fd92ac1174ed494983646c35ebc6a2ae2a57de6ab73aa00617a0483a8582c1bcac6fed5c09cee15dc63627ec8e1e21093b03b3930b6

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
bcd06452349960e4952eb29dc96c3a3e

SHA1
4bf7ea0b0b11b834b9da971cfeb98a8783296ea3

SHA256
002a6d9cb6f1d0b7b4816f9dcdef693dcbedd7d2b0678caf6ae1adddb97d210d

SHA512
d8cf55f8f9ad6d32b4c6d4aa6c0883683c40e0cd4e80bc6df10d69eef4e20b1560b93b23e4e651481dd56d50cc87447ff5abff8d05077c908b86508816d8419a

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d75a0c3818056e86ece0641b39e92205

SHA1
89b7e582751bccfacd5cd0c049384e6677734814

SHA256
6e16fce81441623e606d12bc166c4af01bc930be0ae227f3a9c636de99403ef6

SHA512
ff6450ca315f40401873ff644b1f5e1ecc489444af604a94a7c853090a1cf7cd75262532bd0fd23a66712eeaac9b3b3bdda124d68f6dd40c01d8e8c851e65e8c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
adacc6ad19b88c2fd3a91bd1040ef975

SHA1
6d6cc0060623feeb5bd47f1e2df03def936f173c

SHA256
e5a9b05282da42de06e6b451f33270f02336c274ceab3af3bb40280479d79a6e

SHA512
f46ae321bac3ffb699e02195e8f3ffd493f8df96f7653e810172a8c32454b6cee43b26a1dd3b43797988da238ae55ccf7391620050076173c954448279cd28a7

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
31ce0eafa3f05e4c16e604ed2624b42a

SHA1
7c7ba93c70340e7dbdaf60fe9e450a4d2770d785

SHA256
9c7cc37305e56b899e257c8799522652a2b04ffc801a5c0e0f0b6c4fd7de2ad9

SHA512
7cf385767d6eec37323242106713335f7dc11483c587e92bfa4988eb6f516a21939365d0cb930e934c3bdc1b6dc61d2c5a7b2f9d7e9a63fcfde4530791ea3d01

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
5debc276d2f8947fcaba8e22ac826277

SHA1
3cd9872e52d609fad0e8f0f19fe5a0a3e176c277

SHA256
148db694682c668a2e6b332ee7c5cd718c1baf32b524028b9f075a25b4bde9ea

SHA512
a061729ed40569f91aa43eba954230ad8ddbd62693a9e2776fc7701dd6f974c0fe44acb40a7c31afbbff7a5ea1cd47896af45deea8aaa05ca92fdebcc934fe16

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
495e45e9c6e37287129c234c1bee07c4

SHA1
25cb7acc7e04a40953c56e3748333cf32c485fcc

SHA256
8f84f41766c7c60eafb9cdd22f01014f74385e0f11b192c3e8d92cf53d83caa5

SHA512
150f18b54726abf1e99c3fb07c0bfcda4ee32d22479c6067c4e56804f0566a597b3fe5e39ce0a86470d6b0ea789477ab469cc086a96d8d54e8dacf421e882662

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f49798996342528857c32f3b9d8a4a87

SHA1
a9d1575aabea4b59fb69f8fbb40595099bb44f73

SHA256
14618b6f4f07c87f5fcc4697c2bead0c4ec8d8f307f094f8ead60a976d22eba2

SHA512
fe9c1ba3087e54181aa345d651716f2fe9a53798036719234a7ec0edafe4e1643b74390f9eaa21c5e6036d29770741f800c52504f6a088fc5cc8839d1e085c77

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
2389b4c62715208d661ece38851ef93e

SHA1
74293efadcd4842302c854dcb2c553a598b3814b

SHA256
83f1348dd7da455873b0bcf22d7d21624067e369c7c25a53fa6d29d2dd639cc4

SHA512
25df6220b3b712c1284df645c9e96af9963f808b9e09732927dc5f91956ff174ce286476835ca4ea4f117c1855299ca6070dcba437f29de223589ef64da37a79

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
caded6bd81a24fcbce7df95f57098ac9

SHA1
c38927cfbfe6efe66a8b0e218b4366c772d78ce4

SHA256
f71e30ae3217c41b0bb421ba041171f7ab9ac6038bd0525bc6251b22d41237a9

SHA512
2535ca33e6a4f61c5979b67bc6cabfe956694ff74ea8d3d47512c64c463b694cb541d0663a3c4a62a1503e1c0329ed961a16ed41f73652b42d91ce162145a733

Download Submit
memory/396-117-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/396-238-0x0000000140000000-0x0000000140142000-memory.dmp

Filesize
1.3MB

Download
memory/844-227-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/844-540-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/964-34-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/964-114-0x0000000140000000-0x0000000140140000-memory.dmp

Filesize
1.2MB

Download
memory/964-35-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1056-131-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1056-250-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/1076-592-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1076-251-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2076-13-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2076-92-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2076-23-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2076-12-0x0000000140000000-0x0000000140141000-memory.dmp

Filesize
1.3MB

Download
memory/2080-284-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2080-627-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2432-559-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2432-239-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2492-160-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2492-275-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2492-504-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2500-176-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2500-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2500-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2500-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2532-374-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/2532-165-0x0000000140000000-0x000000014012D000-memory.dmp

Filesize
1.2MB

Download
memory/3008-226-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3008-115-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/3312-499-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3312-201-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3408-164-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3408-58-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3408-50-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3408-56-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3504-224-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3504-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4028-6-0x0000000000CD0000-0x0000000000D36000-memory.dmp

Filesize
408KB

Download
memory/4028-85-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4028-1-0x0000000000CD0000-0x0000000000D36000-memory.dmp

Filesize
408KB

Download
memory/4028-7-0x0000000000CD0000-0x0000000000D36000-memory.dmp

Filesize
408KB

Download
memory/4028-0-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4344-262-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4344-149-0x0000000140000000-0x000000014012C000-memory.dmp

Filesize
1.2MB

Download
memory/4584-76-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4584-82-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4584-93-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4584-90-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/4584-86-0x0000000140000000-0x0000000140166000-memory.dmp

Filesize
1.4MB

Download
memory/4596-594-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4596-269-0x0000000140000000-0x000000014015D000-memory.dmp

Filesize
1.4MB

Download
memory/4800-419-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4800-184-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4828-89-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4828-200-0x0000000140000000-0x0000000140150000-memory.dmp

Filesize
1.3MB

Download
memory/4828-94-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/4952-197-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4952-483-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5116-63-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5116-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5116-39-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5116-47-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5116-62-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download