c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24/04/2024, 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
Size

1.8MB
MD5

247e882dad10468453a6efa817732a72
SHA1

73d6db946e313a62d543a223c0249a0754c6fa0e
SHA256

c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403
SHA512

d18f20475d5486ef837f01da4712c6360693681b66eaa49fa81f2d71faf02720d3cde06a3f53ce1e6b5501c1ce1d3cf3b117227e4c2e3f34225f5d1658c380e3
SSDEEP

49152:kx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAIf9Ckt7c20+9qNxUW:kvbjVkjjCAzJzfEkKK90

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1752	alg.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
2636	fxssvc.exe
3080	elevation_service.exe
2792	elevation_service.exe
2720	maintenanceservice.exe
3128	msdtc.exe
1284	OSE.EXE
1232	PerceptionSimulationService.exe
4292	perfhost.exe
3052	locator.exe
4800	SensorDataService.exe
4796	snmptrap.exe
2884	spectrum.exe
3056	ssh-agent.exe
4428	TieringEngineService.exe
4756	AgentService.exe
2676	vds.exe
3936	vssvc.exe
1348	wbengine.exe
4980	WmiApSrv.exe
1628	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4212ec7074f8f84a.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\System32\vds.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\locator.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\psmachine_64.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\goopdateres_is.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\goopdateres_vi.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\goopdateres_tr.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\goopdateres_el.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\goopdateres_ca.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM318F.tmp\goopdate.dll	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd42c630e595da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fe72830e595da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b95b7c30e595da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cdb8db30e595da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005892b530e595da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003e0a8d30e595da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe
3044	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1600	c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
Token: SeAuditPrivilege	2636	fxssvc.exe
Token: SeRestorePrivilege	4428	TieringEngineService.exe
Token: SeManageVolumePrivilege	4428	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4756	AgentService.exe
Token: SeBackupPrivilege	3936	vssvc.exe
Token: SeRestorePrivilege	3936	vssvc.exe
Token: SeAuditPrivilege	3936	vssvc.exe
Token: SeBackupPrivilege	1348	wbengine.exe
Token: SeRestorePrivilege	1348	wbengine.exe
Token: SeSecurityPrivilege	1348	wbengine.exe
Token: 33	1628	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1628	SearchIndexer.exe
Token: SeDebugPrivilege	1752	alg.exe
Token: SeDebugPrivilege	1752	alg.exe
Token: SeDebugPrivilege	1752	alg.exe
Token: SeDebugPrivilege	3044	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 6084	1628	SearchIndexer.exe	118
PID 1628 wrote to memory of 6084	1628	SearchIndexer.exe	118
PID 1628 wrote to memory of 6112	1628	SearchIndexer.exe	119
PID 1628 wrote to memory of 6112	1628	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe
"C:\Users\Admin\AppData\Local\Temp\c7337302e7fef6d2e309fdccb16c4cb3909a0583b9bcd2f47abed476ed8f4403.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2148

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3080

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2792

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3128

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1284

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1232

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3052

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4800

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2884

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2316

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4428

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3936

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:6084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:6112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
e9464c4e3a284265cbb19c3a34e28b2d

SHA1
f1c3dcf1756857841f9b83c04c8f2bdbeb0b0390

SHA256
9101b2d05e28c906e11e453977ca62cd24c24cef0083ef03ae38d6e648d75916

SHA512
08b5397484fc5ff37812bca10022a2c1cebcb7672dafa4fe093ba1d395b496d9a0f05635818d0b81f459609d9111b2cdbd06ca41f7e423cfa0a1d862a6b437a2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
d7192307bac8ade16ca011cf67673974

SHA1
6b5dbdc659b12fdffe61165dca6e35614665c422

SHA256
f80004c51171ebf96aecd74ddcc495f783e033eacd956b236ddfceab653610c4

SHA512
ea23d4850eace7de7f691bf40715b582c82c9dfbf06beda7b397077371e139f52d850cddfaaf3bd550c0e31550e42465925534588e21f46dba3439d98914828e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
951a486c78ae210d8702f88015477f7f

SHA1
10fb18fda34756facae443bce6328c87d7822e66

SHA256
6e47271f7a9c8dc4a9cf441cd9a1b716aa30f5c8ce5d4fa6c8fb6bacdc196cff

SHA512
3833712c83d158d394c2a2ec431ab20f4f35296d9435bd0c2cf5fe59a19d511da0452f25a1c28911b13586d983fe68d3732a46c77ae7946c7a6f037408532a7a

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
7a6f0a3074b9b293e4255c252a943480

SHA1
2e0913547054b964d31d61c049b592ae7a47a0e6

SHA256
4f810467c8e6aa04ae0c5a389babf228967068e5eda26d16179765ef569db353

SHA512
b49a24f3b1201ad8899af675538dfa4cb74e19146d32603dd075645814484419b888e7828f1aeb77e1914bba8b3f5e0bed37a4ca994563c924b77e40815d9617

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
2c2fbf67a532e45e9b1ba234bdc83c8f

SHA1
3189517946ae59c6baf88b93bd4f2fe53091bb15

SHA256
fea22ffb1e0a972231dbca4236986bfc7a67a5d55d9dd280774e4f3dad87f007

SHA512
293fa7e9b2c061b390700c48f0df876ed68dc248198e539f44815673f0975bfac5fa7f2f77829a1ca3160987b19345affe7cc07a12a488f581fa77d928d1513c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
c381b6499c7d8a37185576da358f3cc1

SHA1
8cd5766ea6e5bd4cd433a8e06041db80a89c7556

SHA256
047eac7c8f53ee805c92458dc52e24b495da720162ea488ff0326d14c6e008db

SHA512
4235a8bb7ccaf2692de4e2f02085ab1accc31024a8ed6620badd65376ebfd363ef025c6a7aa50d0499b8ba86f5f43f6b4366935ca1a65eff192ce31c37b4e85f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ded9fcc4e7d7831bf5b40e5ea5960cd5

SHA1
02b24fee70276c80c25b8c4a0ead2845fba96b03

SHA256
62f1adb3988d93baa301e0a7a596ad4b17cab3c861390314e580e9b2a76e4b99

SHA512
dcc61edfc6b891be561f6a9b6d31182274eae058c6db0bdd351d52d07eea48c4993ebe7803e0bf2b1875d0a0285b45341694b9396e1538b18bde6a2df61c7e8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
755cb351f5d0bc609ff46c4d1bf21fef

SHA1
bac35e6280e3248b4fe7e6329476008b99e336e1

SHA256
8bb27089fa9cc3cbcbb0624f51d7a72c4952d59d3a9534ebe8e9ca5538b1cb06

SHA512
caf6da5ad7ebdda6afdc5c473aae1f40b84f421b012b1e2986109dc8e896068798fedbc81ca79397f92db34a0f523d58ec5a2b9424b5ae0120f505681e0bc298

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
8ed507b11907a54cd79ffb031bc03492

SHA1
4cfd95353fc9c0eff24bf17e0fe71fb92f729293

SHA256
dd2f582f9f79b8f5ebd2031bbb179dd9c2cc6243d52b8e78d716997dbd635a3d

SHA512
ac92277116c21a09c1f9c45420c8e892cdc657775d6c8a4a7a25625ca5ab89513879b7f85975f561c94fe86a27381b3498f4ba40b0cd82a9935fb09746228553

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
7d9cda6111de10127b112a8a4888506b

SHA1
7237c6df4cead3cd84f1304e0eeabe56025f00e0

SHA256
608cd3c8781299a9a84a04f7df82affe0e73186635b2e95d22e60fff8fa40e45

SHA512
84a3c64dca4828ca5b265d116192e3d7855c54a05e44f74769c0ed5474a4a7d90e988000d4592a5cc597d30f58a7e5d604a59c20d009a2e1381bbf5d5bf0b091

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
978d1b26ea93d3e8fa83873efee30249

SHA1
1912c22afdfd4c98a36cc1eba82f4a3a265fafa2

SHA256
c6d854671a3e90a1b80a29e68b3bc60158b879a8104152b8f19a11bbd028c26c

SHA512
1e86c4f2c5a9f15517102db68f500532c8261b4ad6df873a4a8babe0acb718443181ad2dc7548805f5bb45892fdcd07384088ae02e7af485712a39379767e68c

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
45c19f4c80caf7bda850d99b48fdec7d

SHA1
729560f415a748b4e01b8a386b4e54971d7de12d

SHA256
668e4aa8c9f599e557ebb6e0ef8b56393ef91cae73ccbff908198a1ae292b7ef

SHA512
141255958dd6d8b4ce45af3ffff12db4f8ec5564f942ff3bc371a676666e8fc36606cf93ec4c106c09a80003e9b7d946fb9a69ef52d16258dd719d24bc010383

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
9158f87dc546483a2981788ce51d7e74

SHA1
d54d6dbf5907f8d70064bb5ea5e5a833073d5f84

SHA256
a8e70e748411f4e0cb0fe0237b6be6347af2d383d833d838dddedb238c1733d6

SHA512
ae18145be2c9f0fdc5751e711ef275975a20d3b76e8c826a75fad15e7348fa3cdca7a287e96824b92db7b5dd46ac1c4c1f356d1e4c047567ca90c6accd3034d8

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
97f4ca9cd34016f5b71cdd18719a1d1b

SHA1
cb4c17432789ed39c4287e44a8251d93652c90e1

SHA256
621c821b7dbe812d0455bfbe5e77418cbcba6d08ff7f7a7b8937a96d5a5b6df1

SHA512
68d2ca6a45888b3db196b4a8f08dd9f5ffd2959b74492246f37f4cf4c322ba1f5d04475ae7889372a42aa1f7551cd2663e4de7a329edb8ab0c5f113e4dc4cf95

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
3340bfd7f7c8db7a4dd98f1225b78729

SHA1
ab531e670bd7ddfe049e6d408b7c1e7eb3ef28ab

SHA256
1e6fad718f310008cc5d360cde77614bf68f95ba71dbf1697c579a99526701fb

SHA512
26e2be150cf7eeab4fb8294fa67463c4e556c04d8bebecf9e850551b49421c9df9edf4a265fffa5fe286887340a0283af760ae6c9871624eae261d6aa82f65ab

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
f493c01984daeb2d84f46faf1807d2e4

SHA1
780ea106614c2198a3285466fd0944b98550da90

SHA256
ee2e29891d55000d2ac5de992547372a5c8f1d90a310d6e59666c90575265417

SHA512
25702f2b28c432c89361bdbdd78548f0452dab1a08f01c10c91a82eb92c2aab75f4d007b51589a50c3da03b36ee27689e228bab437f8948a3ec9f3dfb801e073

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
05b11e07c9f49762620727a0887cea96

SHA1
629b4c4402dfa53b23008af5fabc835850703ef7

SHA256
02157cf5b885d3f740544948f7d59df6d6cdadb8b0e3c44112c5a57a1410f1df

SHA512
3e00b97705cf2e586dd70b4489b6592ca4b9e07d4aa6d98a75b022c07f602287efe312ce1878a79e5eb7dffb3390be98f749eb54772eb442aef692379a85e51d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
7da049779790d8296e2181fc2b228eb7

SHA1
1c16cc736e7911504775cb37d9146e56ef22d3b2

SHA256
7f93d5e0151cd467e1a4ae7bdebbb403aec727589f567c704a44ad82b7c78ae6

SHA512
41413ad6afc1ec4703cb80538256369dbef47c605f3c47c6e6ef1b3e1fe48a79c4d0c13e1ff86daf27d270571649b9963614b4571f81eea065fc41c325346b46

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
83fc46e51021f1d6caf6ee37dbf71711

SHA1
239fb7b7b4f2b3cd6e36a7bd88d0daa07a943932

SHA256
0a98aa01566a481ba80a63cd6b6d0ce795a38ac6eb9ef7adcbc8cdf2a3f57508

SHA512
a584a037ba3c96bb4737c43d3cd90c3e144d57bfddd49370a1a99e5cfef29f970c700233e2fd89866ef2250e81f6e98e7a7ce830dafc34e6a7e2f0e052e7674c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
f8f5a17121be445e8daab0723bdb1191

SHA1
c6613469d0b4a5b92d0f55f09eff086d9ee86924

SHA256
5695a205e3778036bf7f8466dc005affee262e4464fa7f095250e6e19ffa0475

SHA512
2fdad6ad5186f8be85c3735e3e41f63172b5e4a7e0cb04062b9e8f71cb266eb912dfc1d876f6dd4f5fb13930c05b89203404298c929c2bdd65b5257af5343677

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
64d9c7ae571442acd4bde409eaa514bd

SHA1
69c077cb14b26d06cbed804df99aa9b7a74dee6b

SHA256
09dd16595b957216754bcd9491dce899976c40b56066dbcefb420ad6938cd1e5

SHA512
8cdb2cb620c18c18a93774158a88a31967f3746c6773991f64e519709de1830fabe65182ea86e4b3e17a3e653efd58894194a8d238ef2180de459f2d9e7d8fad

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
13dc4ba66548aaa8de13d1f2ff8ed5c0

SHA1
443b06b3eee02e6d1cf5da862f87f08942c165f1

SHA256
9d8d1cf8fba9d0e21f051ca6095cdf244679f9df35586652c4d940c6e0571867

SHA512
fcd18ce0dc2cc1ddf4f453b76d9ee16620268d61d558dca78610b413dfae868aa2c58311fbed34994be640d32648b5aa34d37027bbfb0d0babcb90643ef1669e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
de55a3a8d619718f26c676c4064241b7

SHA1
56cb8fac37296cdcb9ceb2ca824b9088bc81299e

SHA256
601f04b839a0208d2dd0a856c3564547d558a8a8b944c27c417568c881319c07

SHA512
1b8b6042a2a42eae81f467a6cd254bd10ea1cbf7e9bd5b641abd2ed08d01126938b453f1a8c670e264eef4fa524347bd0d281deef4eaf18f497e79284a666407

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
42d8a9cc27d07b3a1eb03781b94b4b0e

SHA1
447c2bf5acb4fc506a8fd8d87c93d353d5897af9

SHA256
d04dc43e9ca684354e5e29a1e5567dffd81f216a82a76adbd2fa932cd4076788

SHA512
228847c5e2e972cdedad177fc7adfe200bcea6f7e7ae9b4d1a3ae1a5d5d43a57dd4ce6ab5054432ac91d7bb3cef050291b56c2b54457cb0023d9e172eb51dd29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
bd7efef1657e357ce3d4a152d15cab58

SHA1
250c0a9d20f351302626cda4dc226e4976488f0e

SHA256
d4c2ac30bea1100c0b553b911f81712b2d2c7c542d6e8f1870e11b5b51869126

SHA512
0b86f00a1fee5a2bca2bace68124102b24f37f4458374045c7cda7c6d7f404981d0cce9c5641d8655511ffe621d734fdd70933488f4f8b666150c5dfef8d8d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
d5487c857aa34acc570c40ba61899ba1

SHA1
9226e7b1bfc7ab4abaac3b5c39441106f094a08d

SHA256
c3de7a2f0da172bcb3bbadc1fb5124c5378b82fbe02aa91b2ad23de874e55385

SHA512
78964a6f4538ce3649ea993d0613b4b64189879b6630539d59c60689f664fc5e3376622b2b5b401a2744d5c230e27db378b87bace8340eee63cc32d9aa4674a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0ff25c9d1c72c1b9848d53ff0a4ff6e4

SHA1
7fceed07d044bfd6b16c1917a7c944211a8a7a64

SHA256
ffb393fda9283c37a388273afb3f78a89225d0497c5f07c8532ce17bc1ed9ce2

SHA512
fb043e47987d5d6e816ba56113d5d31a68f6563bcb70c52e19b34dd41c8329c2e147e0bb8ac22e9774b11aa87f9ee5da5e2c1356b5d8fb5ac291a5c5b339ed6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
a594ece3518403590bfc92a836f09274

SHA1
3d8f6c962f73ec0cea5ec60f7b2948daa565b6c9

SHA256
7c13162dfd4f118be10ec6d03c74b34583b1121a5eaa641652bc8498e7ba66dd

SHA512
f4275f7b0ac004e5802eb12aff17c321966cbfde4af66ddbebd4d7843416d4c2835e264088f35aa2655752db8b5369b61b094bf509c7c4f4c5e28ee9427a1233

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
de0120245a23925132a1f83be38e379e

SHA1
fd3b8317c8a1139dfb4e6d0895581c2357a43ef0

SHA256
67070bdb873e59c5cfe6649a48b7e2de5b845ee6f5e574283a5d213210607db5

SHA512
1732d19e1e1e564e06c53cd0be29239746db03c1065140be7919c94b07d3f966b09cab9c79b1adb0ddc1d92169635baea65f0e59f1ef320577d8bbf84462737f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
49c6910571eee3f10f8f67d93d61d33c

SHA1
1ccab4a4edb754f21ade46744d035730f69321fb

SHA256
5be9a6f64046a9445e84a610767e2ea8df5b011fea8d395fb2c5a2383ececcf8

SHA512
6c095b506fe44e84a164eaf36ab1647129e8a26efb8bfee4aebef2bc9a124b04e300bf9bec932a3f815febdf22205b158e72e8fe1da715cb1d27954530c639d2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
618b8075970b5e70630b1eb04171c27c

SHA1
04fa3292370ced58cabbc8d74344a3d76680f037

SHA256
a841000117e9dfe2626e0ea9c06eea195a962f003ed2f251433c15bae1809dc5

SHA512
aa2eaa27834db9db3c6b315840203f15115b20a61410d6756164c6a3753f8181f47cf6d81cd7a1da629ff67e2b1af1f9e55bfaaed63611e246ab019ec340ce6f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
20ae0128263f0c59fd325c31afd79e95

SHA1
cef31103cba3e200d52bfba5bca0569b5f56cba4

SHA256
365e40a93253a441e6897a58c5fc7a6ac6196377fc34a17ac97e914f152a8c51

SHA512
c8150a2696c428e354c2e1900ca60c7b6e47405f28ba09bc9dce01fb532a59ec5da4299138aedbcb3bac583284a36e7fdbd54aae9145fca5d17812e50080aa6e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
53d31af317338effd7dcd5900a7e7e51

SHA1
e3fdcb241ed8dc39d08dc8c6d4b98f86886ed731

SHA256
a382557c585062c04976828e6d0985ba7a3054acb69103950a84b3690b89b7a0

SHA512
69da3f260c5f29776e74dae0ee163462a6c13f77999cd62cdf06f64647f8c66db73fd7e072c8ca5938daf33acca816d2f963834efa8b989801fe1229cfd9d807

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
f27d70a23e6557ae753ebe047b99f901

SHA1
accea0f5e1d24a97c81083d6bf8956c9919d8453

SHA256
135a480377256c371b64782d25e5bbe365af4ade7558b70a4f03e8224a971cf6

SHA512
d7943988aac434c38bb7bb334277d9df11a04ce431bc13f826b23e45e00e505a676cda4fa33d29eac8200f62b88c36fab88bab1fb4eb9b6712dedf48e57c48a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
fa3e2e3e8845f00b187499032a7a93e0

SHA1
e8a5e6796865feed2edc26d4a38c8e80442351fd

SHA256
04417c98caacc4163cc295f0bbc73951e347d342d1f3a50ecb8bbcb94bd470e4

SHA512
1ce42205ad49c7164823c03edfb077f962a6a305c7f7215f2df0c2bd14eea1f58a8449ae7aef05c1f2b328d64f66fe16c7985b3731524096422a647d59369b4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
cf739b314d390c1547f78cbad93b77a4

SHA1
00fc98ad27ac65d5126bb1feb6ec4e75c98ed895

SHA256
ba501cefdbc1a8bcd424e4e38b9c40ef6b164d0378231f9a839b65f400e4927b

SHA512
3a295400c924ad7f504dfc4f63a6d0d75e071ec28b14bfb79be8a9a16117441e248068b46630b51c856a9a3b6e74346f297eed51d910f7dc478211af12ce85bd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0c8f4bdf3bc2c7a0fdd4881fb7678328

SHA1
8b9634407b5b23a717e938001c2b1bc398651f43

SHA256
965eeb4a231a14febd469edbe43b38a235e273a291ceb4840f22d452dde4ce91

SHA512
50f26568a69ed2c6400ece82ecac2974b15a495dc0f0b57550236d50c316f973baf1339ee842806c9dfe9453fb80938c1b3ab7151bad941bd17e75acf836fb5e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
8317c9ac9836758f13d9fad14deb4b5f

SHA1
3a3897cd81d3f678de0cf3ee348aae1f65b56bc9

SHA256
ef0ad32b6d74b1b288d8b0abf64d57a40a4651709b84d272c0cad8985b3da954

SHA512
c2033048fd2c2b9d88c1c95832fd42c9ba6ecae0eead3431098264bd41831af06d8e83033de676d345fb93cff60a7a049a3c5301553caa1a6999d45ddaf2ac71

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
58218ade66c950a5bebd027ffe3102f2

SHA1
1e3b938be1141e30f1d1ff3366fb0111ffac8f6b

SHA256
0e4178936c645500557aae356e1e47e5caf6144ccc0687284c97ff981a12a487

SHA512
a9cc8c0fc5340db3d9f97433de85a955a11b4dceb7987741ad8b985ef241c9c0f3424e49466afaba4637bb5ea4dc69cd1a90ab5f01cef162febd35e649964caf

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ccb7200639c3f8ddb63497150c367b0e

SHA1
1fcab4ce248902d95437315dc0dc235aee866be1

SHA256
d6eff84548d551d664950d82bc4c0bbacef70352e1cc7bc58e2f34f18ef37c58

SHA512
58335ce81ded9480fee56c5c8f79327f836538cbe602b354a411471912f3871b89852a46197157c770c9c6fe10a0cade7c512c497db9b4d520f395bd83051a51

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
48539a95f9fd694c9baa2f31bb7f0bd1

SHA1
4badc710f1917c1e295c132703177192f6ed885c

SHA256
388a30009118565ae2028fd916e5e027b484348e64f4bb3f83b04df92aaf6920

SHA512
c1e3b0209fefefed6b63f7ebe9381f11f8c592ce0e268d43d0525239f3f9dde74fe643573e032f1434222aaf8e894026d0306c6a0a189f7463e26bd34606aabf

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
275dde26ecd4e4b31ffc84b96e98556d

SHA1
f06e8f9ec88fef33fc1d461b337d39f03685a398

SHA256
9014cfd1d0f0da0ffc4e8c26013d11e9ae10aeb167afcb84598e4e724e4c7a2e

SHA512
4d3ea0a8c0389df108bc56cdb80529b62df018debda74fe0de1468b8ceee04c4888757b6b74048baa2844fdc9a427a053c5b07d603da7ebe4208c7213aa06b71

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
90d430f83ad085cff68e99e75769e0ca

SHA1
150694b0d5b67b5482dd7a3499c79719f80beeeb

SHA256
1bb00a0c0f2146eeb1a0d65b537bb4eea7ec060a5d4d27fb5b5807e97aa9c0dc

SHA512
0213bc6220df6d378026711fa65a3cb77cb51e1f08019d59699b9e7ca18252be2c635efc81cdd4e9be9f17afd10a8726cdee1c493001cdf0eaf64bfef6917b8c

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
05ce20075d76000db379a272a68c3b20

SHA1
feb129c7ba7ca890336721eb98cd027f2afe0501

SHA256
c4c599e55719b9fea0e11fbf9b27243e56c4be9e3141cf5b36839219d1ecad26

SHA512
9d12227b327b5ca8ad7e102c66a8492003801cfddda551383987b55c7a4b2c20d0891173ea03d8f8e7bda7019370973848cb2072c2580c7bb09cf734766d8aba

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
c3d6f64c61047b131851ede1cc3fd974

SHA1
fe4ffc086f40b6b51f103b8b42107c668d3a3158

SHA256
bb2b82263c3b34f584cd3073acdb30ba0480242e99f7a60e7696de87193f438b

SHA512
ee41e4439e915e1530a249e022f527f24583db709e6c40b4047f08023ceb78506616b9bee887a55044b774f1998b14a3aa5e9f6da49318863fb9252a94f56cc2

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
40334b9ac0842711250e1cce7183001e

SHA1
5d4d180471800179500039afb81ef9580b215694

SHA256
14b8ee63c7437ed2491be077dc322cb463e960265847b32212afe1cad30602c2

SHA512
855193c9c0a7fce8de8e6a72be614cf82f47a631de9e1b998ce3b866e9ed25e6e572abe671e5d294d3c8eb2bc843dca043504d5f4ebdfe5c3ac4b3adb7d56009

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c97eed2b9a2997173195942d371598dd

SHA1
1895e4ccd12de635bc68fe98aedcedf8708eb076

SHA256
7863139dc4f8915010da69ab2a7c1ea43f1895d7293cfe305e5e92246be0f271

SHA512
eac200104708eb871a72451abd31e3139b54ee4959ddad6d884247d1c15149ceeb18592b3ad5e1c0b7794a265e58b4baf007e9cd2bbdeafda41fee0f6ac94f37

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
51973ba90c67713078e57a1ab24bf2da

SHA1
c56ae6649618f2f44b8b8f1cf996452a954545f1

SHA256
90a79a9a773118ba8183e73412b0e8c9673e72e292b4d7018140cbacda975e4b

SHA512
b7000257730dc15ddee397fa024495c7a2a04d56270b2b43a4e098228ffc64d8e0bbf62ec277622076b6bdcd316171a61bc3669c6f5ffa038fb89f7d038c72df

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
2649717bb587000cd9266c3f9265797f

SHA1
5a4a342c49e188239f6246879d476c6aa3ee04b7

SHA256
feecf4b8f89e7b3b9825d1e2343f6f3fe58001e7605d630ffe56c9d72335d89a

SHA512
a6fec547b5236e5c39e5096c2cbf4fc244403462e414c265e621b94784d9b411b301670604976c38e75c07003b9ff7d03ce4bea4b5182cc8182aa7a5b581c2b0

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
db0a741ea66a3e522117b26d59f11740

SHA1
c7602a255eccbe393126d2f1312aa59550d8cab6

SHA256
40db7c032991ce6a59e1b58b138b6f31b0fc0400dc5782b77191c4408d88fe9b

SHA512
0a938bcb57e1e62ecbfdae5c692fed27dc4201e59252823eb9d1ab49342ea4b4cd1965df12304b83c512bda913652800959a2daf1534c7f81b588f905d49ec0b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
85bb4bb9acb73a12e27520ea4d1ae355

SHA1
af8ae1a8559dfcad37a775e2c8c2fabc96a784a8

SHA256
0b9104e7ee292ddcf7c16d281af498bc679204c8fb87e5762eaabb0dd6ad4deb

SHA512
d375d2907ded80aa52b38da4d6fdffa0e903a4b0122d6bf774d4d8bd93e890c0de39503172e87163b26e35a6c4b3ba241809f75c1059cdd3caf88a509ebe488c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
a6382d67b342c14851dde54a67734a97

SHA1
2febe6aa1cd082790735ab4737b8bf3fdf59c371

SHA256
7c8ea025072bb076a50dfcc1b305bb225ad23c6403f135456cfa48be05c73d5d

SHA512
3e8c9a5fb015bcb28fa857131cf538a2df99098560efd0b8488830e811734dc441c99c2da98702370dfca3e3c2559b9d4d38475d85d861b34be390f62bc3afa6

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
fe9f20aad62a18b554a12534b8e77e03

SHA1
2353a11be4567741067098fed5d7b3b6907a9712

SHA256
65c262a9fa841b1763e6ea9557909ad9814101696f32f516bbc0c7155c8b97d5

SHA512
e415db168e1068a6e7d360595ee6fed88e9b02fa711933c3541c4aedebf667f1b545ff9465ad1979ca577dd6a75a4d6feefd357014a1ae63249065cb89474c4f

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
b024600aa8db3404522a5d98029981b2

SHA1
96336731ef69c4c94ae2417a34570f576667c611

SHA256
3994a8f499ca313df40ec5d28e5e201f29c10bc7b003c021960172f5e735e564

SHA512
ba581f5787d01ca04eec33873eb302c51eb33af7e943d61568bf9f91921b95d3595fe1897e46a8101f61abd4a9c29dd5056f554b2ca3d1332d281804b88e579e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
1c35803a2dce03fae305d7d98bd5cd31

SHA1
da33c91be651ac69efa80ac8420dcc4c8bf3dda2

SHA256
ce21632d2cda54f1acf09f72ad764036b89855cb2ac4e794b8cf69f068d59af9

SHA512
ac58be03c342e518f8728ce66b9722445a38989a7fa5d31bd50eccddaec75e9ee57a577313e6ccfd0d3e55b9fb26cfa5c445f6a549cfe8ea2c2ea52424536c68

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
7830ef80114ce5a6e3d3144f16c6f1a7

SHA1
ed6a542869a3812f9dc2d8ee41fb1822046b2fba

SHA256
7c8ef8355d734d9bcd1bbe4cff42c0f68be7d061e1dbb790efbf98c2f2d20715

SHA512
f1c18d8cff6efee2ad4f958ca5ece2e90cb5f5c8caf6378f4da972a981baa8192b3fef1dd02d90e6e182baf3c2bc0021d12b015748ffa7b9a11eb67eb304bb7d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f4aebdd20b7706d571658c50c49d6030

SHA1
55a6c6a2689427a940c79006e27b4788de5dac6d

SHA256
0489c7cb70441f6acddb84157bd9dc452aabffc43cc2175d0ce65dcbfe8f9162

SHA512
c8ed430f7ca4aca2452c2f274daaaa8a536f0705c491c0d182299ea818436288f927716982358e29ba8ca9abb18c4c15381d0005b655f8255606656e99eb3873

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
6a74c9925d5b1491296224c9a5c23868

SHA1
2b590abb0d49f54dba9ccc94333de451f1c5eb9d

SHA256
5c3d0618d9ef8f6148ccce48c7acb37e0ab6fc03b7809661d904ce13d7f45700

SHA512
fdff78f451dc4950be074633538d9c14e0f6a6f9c939ad720f58d9ea51cf5c5c454ece2bea53f5a3d2a9a2017d28d3ffc4d8fac8561fc6e461a2d86fc65cc22d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
824db35be878b84749121b4e630f774f

SHA1
4cbe99a372d8804e1cdcab5433c826fb901a4e3b

SHA256
52bd5e2d8185052ecfa5603805f90f2096a118aea651397f3dc832dbbc90e18d

SHA512
8c065e1d5b5c37fe9acf47797653cb1bcf4b807f7aba1e92602b3c2370813c96565720cd50900d3e510fc82eacaef50699ae940de02894120b309db1fd95cc8a

Download Submit
memory/1232-199-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/1232-253-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1232-192-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1284-177-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1284-241-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/1284-186-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/1348-330-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1348-336-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1600-131-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1600-6-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/1600-7-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/1600-1-0x0000000002480000-0x00000000024E7000-memory.dmp

Filesize
412KB

Download
memory/1600-443-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1600-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1628-356-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1628-364-0x00000000005F0000-0x0000000000650000-memory.dmp

Filesize
384KB

Download
memory/1752-13-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/1752-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1752-87-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1752-144-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/2636-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2636-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2636-106-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2636-112-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2636-115-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2676-303-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2676-311-0x0000000000C50000-0x0000000000CB0000-memory.dmp

Filesize
384KB

Download
memory/2676-632-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2720-155-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2720-145-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2720-158-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2720-152-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/2720-147-0x0000000140000000-0x00000001401AF000-memory.dmp

Filesize
1.7MB

Download
memory/2792-202-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2792-132-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2792-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2792-140-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2884-254-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2884-245-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2884-314-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3044-94-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3044-100-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3044-101-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3044-93-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3044-160-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/3052-215-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3052-271-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3052-206-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/3056-267-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3056-259-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3056-327-0x0000000140000000-0x00000001401E2000-memory.dmp

Filesize
1.9MB

Download
memory/3080-120-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3080-190-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3080-127-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/3080-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3128-170-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3128-226-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3128-162-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/3128-161-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3936-315-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3936-324-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4292-203-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4428-350-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4428-340-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4428-279-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4428-273-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/4756-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-293-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4756-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4756-299-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/4796-233-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4796-242-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4796-301-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/4800-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-228-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4800-640-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4800-284-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4980-351-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/4980-342-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download