d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
Size

1.8MB
MD5

d833c9b6f2dd62a43f9ef164be127d61
SHA1

3f40d670f3585f3f461093a90f182b2f0af38eca
SHA256

d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513
SHA512

3e7298c98737141acacec68d7263b4e76b2cfa85e4e0483ba39569a729edb56b50279682d428a4dc08b6585225319c010f410b97a0623c9f393439a371d0011d
SSDEEP

49152:JKJ0WR7AFPyyiSruXKpk3WFDL9zxnS4kQ/qoLEw:JKlBAFPydSS6W6X9ln9qo4w

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1920	alg.exe
2716	DiagnosticsHub.StandardCollector.Service.exe
4412	fxssvc.exe
5092	elevation_service.exe
2720	elevation_service.exe
3584	maintenanceservice.exe
4520	msdtc.exe
2500	OSE.EXE
4596	PerceptionSimulationService.exe
3772	perfhost.exe
4340	locator.exe
1544	SensorDataService.exe
1988	snmptrap.exe
4360	spectrum.exe
1916	ssh-agent.exe
4964	TieringEngineService.exe
2084	AgentService.exe
4632	vds.exe
1744	vssvc.exe
3032	wbengine.exe
4268	WmiApSrv.exe
2580	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\f16f03f1e703f493.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\System32\msdtc.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\System32\alg.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\msiexec.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\vssvc.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\wbengine.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\system32\AgentService.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48A2.tmp\goopdateres_ko.dll	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\ExitAdd.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48A2.tmp\goopdateres_sl.dll	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\ExitAdd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48A2.tmp\goopdateres_hu.dll	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48A2.tmp\goopdateres_sr.dll	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_110750\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48A2.tmp\goopdateres_is.dll	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File created	C:\Program Files (x86)\Google\Temp\GUM48A2.tmp\goopdateres_ms.dll	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007abd8da113b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000050c6f2a013b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b1eafa113b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000049eef9a813b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c2171a113b3da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000084e575a113b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004fa1eba813b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d3d08a913b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea79e4a813b3da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a35e8ba913b3da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2716	DiagnosticsHub.StandardCollector.Service.exe
2716	DiagnosticsHub.StandardCollector.Service.exe
2716	DiagnosticsHub.StandardCollector.Service.exe
2716	DiagnosticsHub.StandardCollector.Service.exe
2716	DiagnosticsHub.StandardCollector.Service.exe
2716	DiagnosticsHub.StandardCollector.Service.exe
2716	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3860	d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
Token: SeAuditPrivilege	4412	fxssvc.exe
Token: SeRestorePrivilege	4964	TieringEngineService.exe
Token: SeManageVolumePrivilege	4964	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2084	AgentService.exe
Token: SeBackupPrivilege	1744	vssvc.exe
Token: SeRestorePrivilege	1744	vssvc.exe
Token: SeAuditPrivilege	1744	vssvc.exe
Token: SeBackupPrivilege	3032	wbengine.exe
Token: SeRestorePrivilege	3032	wbengine.exe
Token: SeSecurityPrivilege	3032	wbengine.exe
Token: 33	2580	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2580	SearchIndexer.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	1920	alg.exe
Token: SeDebugPrivilege	2716	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2580 wrote to memory of 1236	2580	SearchIndexer.exe	111
PID 2580 wrote to memory of 1236	2580	SearchIndexer.exe	111
PID 2580 wrote to memory of 2688	2580	SearchIndexer.exe	112
PID 2580 wrote to memory of 2688	2580	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe
"C:\Users\Admin\AppData\Local\Temp\d69c05be440c178fc8a25bdd17772a0e310e90fb26dd5528ef591774c2f46513.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4484

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4412

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2720

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4520

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2500

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3772

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1544

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1988

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4360

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1916

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4624

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4632

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4268

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1236
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
a7b3cbd8259b50f2b249ee7937a41980

SHA1
2f2ea381334e06d1ba1785087f404204f685cb05

SHA256
8a9e21af4ac897d94925bd24091c2859f395aa5f6277bb0dbeca661d86aed8e4

SHA512
d7bbadb113b36ee907fd1b37db210fc831d90c3754f785fde5aaf7f403e9706ec445bfb925d486eef8bebd8493fd3acb085b3b0bcc7ae6674c0a492c842587f8

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
59458a3166680f49b6aedab4487ff7ae

SHA1
36418f0b146408974adada004e29911dc0f4d733

SHA256
32968173190b6e12610f8e02e7f845a6095336bcfa236abcfa555afb3972dccd

SHA512
aef94121c013eb0e544abfd06155fbe892745603cf3287dbbd1f452457d1f3a3a3a4a34bf26a1bfa9f965f188b5c1d3002ab5019fca4084c356b09853a52d149

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
b7ce4d4c7ee0f4821e0e9a3d5c4989a7

SHA1
55ae3aae68c6a619a8df2e9df4b1e08897697ed9

SHA256
e8d51b67185932da523d19f43e62347a18d6bb96b6d336131ec36829fe5bd68b

SHA512
2e7a301bc76fe28a26ca42d92eb5a77262aff1705a4c6315c8845d0b5bbc0293f7a72be4959fc3938472c0fb05e8f333ea444604547568c9afd7d9448055b733

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a55b133848f27793f21543f33affcb4b

SHA1
833ebddcf7c9f3ecfb4dd7c3b4f61232654751b7

SHA256
8969c262e011b84ac6a4eb82b4ea8a68c79ed87ab61f9c85a9e2c0741cd2ddf6

SHA512
2cee691ea1c66122a2639ceda4e298fd6abc376cadd34ec18d2eb0c2279a036de933196225049f1cd2bcb4bca872791fa76aa14c6b57628abad27be08e8bc497

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3fde18ea4163a5e05fd2ed3b7ee9d9ae

SHA1
9ff961a9e6138d0e840c469b07993e77448eb1d5

SHA256
ad227e3c97a542f2f35bac265f3689e5d824c34bd1338184079f209a4e16b120

SHA512
0ca41a53189c77c2d645c56896108049a6b71baebc42a133f05b05ff668281744be08cc880ffa15361ac501dad769a1fdeef4197a75d33e83bb7352eaa519715

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7f06861842a681817a28a54a1aa79032

SHA1
ec5734f403efaf2224907fe96d4a2e99056e7822

SHA256
7fd10facd72e37218b68f19f7dfabb0cc32dd43de6fea4387adda7b8e5be0481

SHA512
d5dc510f8cae4b58ff916ce4e3d2f7ef74228f7a6022533fe2376f74c52601188f7df37e7bf974df66d25267344fc536fe4c103ae0941f8350837a0f2d40acf0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6e3f4c03ec622c4e123b33490f49b7d7

SHA1
df43c0143acdb9b287f9903866d067019aa53059

SHA256
952d3857864e97cc2ab486d09f83879a6682f27223847e4948ad677514dff3ba

SHA512
d64488ade2c11eea5ed569fb772549683c90a24f785510c1bfa25bde23a614febc027fe5fcb24c598faa6c2074e462152003f400ccdfed1a9e1b86fbfd85b127

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
78b693533a11ebdc7e65069b77a5de3d

SHA1
1da784882c742b9d994665aa3f65c93ff6f1303d

SHA256
66a2f4255434a583509ac4809fcdc74dd7a1d654e7bd8ad23a1b4c0b95e67c60

SHA512
19dd86b8d003eb1c1d66d4443f1f76c796254cdf04b7528605f4561408a97197c1ee29944d1553ee3b0bb6b21bbd7bf12a74ab7b02010268db60947fbbcbefa3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c655c1b7e7e6663aedee1aaf91b7f886

SHA1
7c0306a6e4c55d3c4746f1c9bb6251456c20db44

SHA256
e36c1ff8f6d154953217221483bf9c44610a5a40369331de5384835b12438fd1

SHA512
6a94d9d5953335dd7dbbb7f6daa0b3ea6d528c0251c3977727afa44e7300e46ffb825c0827f8901059230e4f3c5d6ebb09c28cf0f5b0955d3257d0f953af232a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
03204035945eee942655da43b59323f8

SHA1
a4665175cd842d3cb42f4456e74e10ef03f4349b

SHA256
64b56ec6db0de1a0fd2a1164c25886e6ac895341ec28c97ab2a56228fc6ab7c9

SHA512
eef4f073207e7878bf7156e91ce0f32e62c86758cabc89e8b54c92be550ecf7b20eb5ab706d419aced8a4fc2f2b8a3b773e3d4d2388fdb92617bcb4b68a37bf2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c2949a60d5fa21e781cb43675e66cdf2

SHA1
3095e4c2cb1c5a124e44ae805f50c077dac81658

SHA256
1b1b03a310a95a3ad4b7bfff2f28f6836466fdbaf1a83f568179980fc88e326a

SHA512
644b786980b8d05477a2a3debca76eb3a52c16b0c333e8b58aac5dedfb918d584273eac612a093416296c22f254425514a633149c017953920f049d33c9ebcb0

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
32d9d22e925303a51a69c3261d39c4fd

SHA1
42a802a615c0036f123473ac2b30cf98a21c60f4

SHA256
745ccdd2f5b1df7f0dda54071ba1ef9d169970937c515e694f63746dd5e85bc9

SHA512
b754f57256b160733ae60f196ca3308fa75c6633ea1d6f9f8233520a5b28ed37f50326ce3c238a9790d84154c62cd991b9cf568725966527108ff788294d351d

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
9d4e5f0c9e960d2077d1fcf1a81557f4

SHA1
63cf8fcfb6e7a29e937ac898c1cc12f6142a0319

SHA256
88e4832dbd1e9b20d985b25d6edc493b586d87b421b98232209da863213fa2d9

SHA512
97c93e7a9a129f797df8659d3181a3ad0d55406f425fd4cfaf472d4dfec0c699a0ea0f46749cff202fe8954bcf5577f29d3f2945e28d6451d51696849bd8bb0c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
c18f5f39b036f0841382135fedd3c088

SHA1
9ffb43a0ecb4cc0e84aafce359db925c42e02725

SHA256
e2a5c08da8f13fa4ebdebc7ca14b7af3c7bacb4903d232ef1e7da2170b396525

SHA512
ed839d4c05395b25acdc53f506abbe746ab1cade4e8287899dd4ed7121cde4a5c44c1fee9872c9d3055ba2d98832d093420bee656f19ca1ec7ae30ceac8651ea

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
88f9692c1d49abd68e1614de92b97a3e

SHA1
49db62b5015e261e552c5c2246f79ce81bab414a

SHA256
8e4ffa0d01e18cef6bf7e64799d721113c92fa0fb2d02cace1d7084c761eff51

SHA512
ae245a96c4257de80aff2413bd94054a6e5ade146a47f6e646fd0e2ca3f56b6304a03e723cd806f2f2f60885cb837356da064af929d39e453441b74340b452b0

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
516cd9d44c2de55d2e692e7e67f39019

SHA1
6151c167ea323c2d37e4a2faf0b1e8a09b6b07cb

SHA256
abde117cef64df234c72be908545f2ded9c044d482fc4904b0771f60f8c8a0b1

SHA512
bef4ced35c665935bb1105832cf5c099056e65c30ea01aa8c58f97a099e2aaa746faefcb125a31c4787248ec645ac786abcf106693184d0fd5726999783d12bb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
827d1b8193f0224cee85d9f1955244a1

SHA1
c94e5576efca4af3bd710db838ff15ac7b4a37ff

SHA256
45b3fec4b53539c3e5324e56ae4a54a96e6ba67e36d8c11c28d7898c410f741f

SHA512
e79fc478fa6a32e6f15dd1b7d5993a461095c0bf550b47f6ee687f5408639ff0589ff93fdd5273437f667f97b31268cc8699f5e585aeabeb7aeaeb882996d01b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f5569a25cb8aa7448adb102ae73b63d8

SHA1
9f071146936875ac2658ae98732c35c692d987f0

SHA256
0a426c261ad9a4224fc9f186f278d63574626c175777d15bdaf710b84c95de12

SHA512
97fc3fe3ac9aecafad698310ea861e5b31e21fc0447e3c350216a2fa923a79c625d0dc2fe1e29193198d46c79bf22bef283fd1a97d1810128232a23efb7d0ead

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
83945ab6bad7ef411b78510f641d5fbe

SHA1
1df6632386f2bebd562481a247747fc947376047

SHA256
2079f50001ec13d019d724baca894e8a1a97f1f5a5007fffd80e00f40e01a336

SHA512
9a88101e827756e9153f5551b74a4e62245902b674ebec0f47b05a6ecf6fa7c1030da9d9f8a5156da92da1127937bb740fb359914a77daa30515fd4baee6570d

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
a8ee8e6f03f24117b9abfe83a7cf82c6

SHA1
adf7a9264249ca00a9cb481d0cca4f1c86b8dc52

SHA256
659c1e9eb68723efc1f2cb477891843f2bd9c8f51ba5ceebb15299dc8b7752e8

SHA512
8b668e5c5485f0e0528bf343d1157329c475aeda0a840b8b8f0358f19b8a90b10f3ba6ef47fcf8e1da8baf8be4909f6526781bb9aa7bb5edb831be34439486a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
f15f39c2c3d0a107b90c1ce057f5d1e0

SHA1
912a4c20781b9830948d57a3b648c1a44667637a

SHA256
6f01b3a8db161209dea8051c5ec45316d4307fc6856621958f0ea434eb51c358

SHA512
a15c6b4d7686aaacbd9b1c87097e08f8d90f9e38664599a6bcbc61ac4f4bca610883b885df6c8a97ca45da54fa6dc82b3cca9fc7ddeeb24513f8ff1337d22344

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
35db1fc3be98f362d1cfb541855826f1

SHA1
1ee816893c438a3bce051d61d6e1431c48e97bf6

SHA256
f5dbbf02fc86f324cbe8c21167b23643d4aa48df1fdfb6ff913141a2dca37291

SHA512
fdbf5aa354835b8326feaba94f0d9a24331011c9f88e1ffcff9f914434fd9cf9b407ef207f228a71640a98629847d1fee4fc11ec8cad2f294f54223d3b42c094

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
54ecc14c89be7e9714ff438214a1d0dc

SHA1
5e9d69902b93962b5450f4a33ce5c2c61e50a0ae

SHA256
4817d2118b68d9ade40204d4bac38d449cf874f9f4e7fda47ac07bc8397cfff3

SHA512
3f3098f31611ccaf47f5c40f57ccf5ff25ed44b009ccdde9593ed28739f284178403de9cdc7ca0b88774bb22884b3fc51df6a2ff89f5e7bc168ea8fef9b08e09

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
25e971491e1b9a8336a2ee5e271fd32b

SHA1
37340d223c18058aa4b471b1c3f18c6cda0a6502

SHA256
f6f6a02195940a9cb3ed49ae0cfa83d98347d704198adba890a6600e629f23a9

SHA512
16a2ac6c2a7fe4f5581dbee85e86cc242c396f1ad587763578d9ad172b52702bf65c0c4a22bb0203dd9a883037adb5e988de61a7280075ab9b2efc969443d7b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
56667645651c0ac81053d4e292326cd1

SHA1
2f0d71d2bd65ff9dbda7e8bd7e67d15928a898ef

SHA256
4822acaed25dedc018e5649d8ae64377843b32cc0b6e3967c1ae010108dd278e

SHA512
cfe101a096b2b93b720c8255964fbf215aa5413d9cde57c968beecc6807e808b70387922f3194b10b5d93848069b28d2dde206d55e00a3d8655d592c25d98bbc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
c03d7c6c8adf24fc6f43b6669f7cd613

SHA1
01b70d20e275eed43c8b2cb7f9132bec407554d1

SHA256
d2a6f2a5fa289f6ff23257e9580a8fe67ce6df06d17d8f7bd26e9cc0a6fc486d

SHA512
bd355498dcd6c37805a9224b5c7723ab2b8232847a01a50cfca222a7b12a32f51dcf714f5fec57548405c97c16364d2545dcc0053f5d6fbf305613cd82310cf8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
5f5b4a47fa440d1a41c880522f263cb3

SHA1
71fbccc402caf105a666cda7c489b9e2e0cd8ddc

SHA256
f0447a49e304e846268f1a40d4459f8d346eaf13230fd52acdb024a2183a715c

SHA512
4786a6b39cbafacca750642c1b9d84f7fe3a36dfd19a3ab6c0fa889a8d95b938976edd4dadb0914271d0696549316659f1240914481adeae48ddee274b7d5644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
3449e814246380848b5cb591f749bc37

SHA1
832ac0a3ba9eade4cf87add6078c038078e27fe7

SHA256
e7aabc373f4ca29be15bc40a6a50e25adfd94b44473e5bb44c5ab65c6a543eee

SHA512
ae554656a450d77bbb486f7a6ef6423b8824c5f9a0024d34c86bf5f04a4819ee2467ea1df23c5388273c25a74b5c1a0d9b9b4e4c46a9362545bb6faff9a64251

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
0af3fc452191c86e3583fc31ed08f014

SHA1
f2f37c4314f4aaf8d144c365f4df8673a4513b79

SHA256
d92653ed9e1e49a9f0b60c6eb8b253a8bbd7a2d7b209b0e7b221ce85aae6cce6

SHA512
4fe87b9f949578582e6d8661240621de5584ceb0cc7ba489b35d7f455e7e49d29e4791d51a33a72f1b916bff13c8799e074159011fccbe172034f51527a12abd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
b757ddc0fea7fb9f41e6a78d8d552c49

SHA1
91c117bd899ec50d6e08c5da687b64256729d810

SHA256
b0c47266190eb7d4362444633cdde9be135c5801254522aa376fb96604c3d123

SHA512
bb33d460dea0062b84d8b659fa1f67ee9ec52f65fa301b2bda13b4e3aef070a57598a6d8452631fc4981cb7014fd89973242b42b96bc8a3319049d54ec9da3ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
aff29f383055476796359073f8bad4df

SHA1
1e71885e2be7b15b2dac59ca3e24da6f688e53fe

SHA256
cac39b46aa20bb67c4e51dbd07f08c1abed10d9bf4748a1d26b283192ae89006

SHA512
54aa2426cad076026f2d1f12d26a3ad67c38bdb221221dbdda8b1e0f3fc42d1c778c4b29478b2f9beb02324d4864703aa2a841c056ef895742c7d99488218f6d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
5af7ba158d843ebc343405e8b033c60f

SHA1
8e84f5312afee35c1f1a67fbf912a829156d35bf

SHA256
2998830b1f6b19b2fa881257421145534f4c883d7ebd6110c33d6372886b0dbc

SHA512
2e0580a8a60719de5fdd51398e310c3e232fb67ba6335d3f302ce5aedd3dba96865e18a75fe8474ef9373d911cd48623251a17aaa2ba0710428af419a0c69086

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
678b6e3aed6c3b77ccff841b6644765a

SHA1
2f52f357c6fe072107a7ea48a66381d144ddc9fa

SHA256
4e66f645c753cac339fa232913d2a55d0500bb2d2ea89ccafc363b407c0084b5

SHA512
2409326d8bf713c5ac3ea0de97212bb0506223c937d1649b4ad1dcaeabb34ac3a950ac347908fecdbc9fcc67cc46e87618617954ab64dd778698a1ca3054f36b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
8fd0970ff9c161e4b9e40d37913ec46c

SHA1
701a518a49142f9d285b1b07fb513b237185ee11

SHA256
458c65eeba6b9d507923a81babfd7c4bbbacdbf9e59a50780db91ec44f551375

SHA512
d94792dffe19b2c8c7dfad16b22d574e6b644a8fe52ed3adebb9732f5702ac37c5efd35b4d2ef46a426edb49407cddbbf2d725146897d5acedcf8bed96c8fb99

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
94a54c1adfa50c50ea961dc9f4c43680

SHA1
f508dc5621eb5861085b5efade466603d7615831

SHA256
10a54902e74a076afb2a21a4d246353c3390b7c9361d8d79f30edb8f39c0dac3

SHA512
150a2e0f2d911088c820b55b34dcb0f0c8d048132be89041a74fdeb7b8a27019ba562a745a07e6f912b9c71b60fa4e57a6c852af5cdcf3388f4f0aa11399491a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
e3763ccece1faecb82e9e48b9e164d85

SHA1
6616f5053c8f6fba4743e61f105b9cadda741957

SHA256
839294b334f437772b98a241d4e1bd16ba1b07daf15a66e2b85a4478adc27f6f

SHA512
dd6a4b7afbfa0b771d2937f8200bbb89e488c5815168956767498c27d1aa85aa455e95e910df2c2018134f20f3707b5a39ef673e8c39b8c72319d557f4bce96b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
f2063ea035a963e65f9243d8dfc6c50e

SHA1
77b60678e27258490f05430a343f0816bbdfc828

SHA256
2145ebeb4213608958d03c6c1dfb0b8d6d10e4aecc218a7499ff9e2ab1bfed2e

SHA512
4db96d4573c4a7d12a02eb4d3a5b3543337fedbc7ca265a27c79e52f1581003f6ac9a24dfafddc17cb97c8a1d6434bcaedd95e486961b30ebb94887e37c7ede3

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9a58c25297dccdb57cbc6898c88a064f

SHA1
dc6f82ad6c96afd77fa2b7381a6ca051b7cade9e

SHA256
710a09dec94f98640fddb1b4e1b5c1cc64657a33416318e0fb058ebe1b63d011

SHA512
881ef6bc2b33aa665460c56f2659c03a2656aa2ef6f44ef601edaae793f48ddd7fce3029b487f148cabbc5ca9f32a0f3ad43e131be530fe2e31617df34eb67cb

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
d63c21426c3e42a4e42d5a2ee211b4f0

SHA1
b8e76bde96b8daf976f7e6d75076bad866f05f93

SHA256
b88e01a86a817064f224b698395a0475c5790cb9173c4bf2aa45f2eda367d102

SHA512
59d35b8249013532bd93d5ad4313ff6f663aa0a22a2478468a5cfc603b999cf8e1b7d3dfd1d6b9448310b354a99d2505c0a684f61681006ac7fbb89f74b5a5cc

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
6152a10969a7990c9e1e3435ad3bf078

SHA1
74ce237f7460f68f85260aa75e21fdb96f65c37a

SHA256
47910b96b9b5b6b8550885c75fe07a8787d8115f8d07da1cfcbdf799238a6599

SHA512
a93c2df531aae5f9b3fa6fb41515716deb1794ff5302a43285ed247c1c9eae78ad833c8899bcf68cf4395456a7d85ae097856bfaf685566afebb83019cbde3dd

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
f3479aa15b28ebaea3fad82453740cc9

SHA1
5c0eda57ac1d91968d134b09f5fc4b5bf04c9d9b

SHA256
039407d1738b0ef36bc942b0172838beaaa7b12eb09ad0e996b9daf610a23923

SHA512
df904100433f448dba0bf7271431906feca378728d9331263fbc7b187e00ee42f9c060ab401a2cc8ddb32337b0ea34b7115637f171c9961a82299cf34759afd4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f62b1569858207bf78b5ea1ccac14394

SHA1
4524186d2e35596ec23c18db0f99d85fe7df9cd8

SHA256
0a325e501cec2454d01b856bca9fa1181d4865976b7fc95c9b8e39fdabe32c83

SHA512
72b84edaf6bd44d2ed807d16f8feabf63acfab1ea81c2e1d4eb56de9593c70c2cebca3c94afbe5c4fe3ff2690fe4d7e3131ff9d877e69909cced92f4ea62cf72

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
568e813562549c65c0c2e069e5da43ba

SHA1
da28919c834b81f8568658c78d9d33ceb1c7cf0c

SHA256
5adf2445a36e2700e4b5cf8d3ff9f379fcc3101e7140762c3c602c70b4b4d5e6

SHA512
a697071a380f9953f72a36cb136515cde7ff938224c2f35d5efab9fd5afe8240e4e5010f520363959f199b10874147306906dc2d6727f7c55137acb139276608

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
d92e0278424c09a8357e064842e0c71a

SHA1
6758259fb0c2fa7ec1183125c4c9bf1d0dc7c1e1

SHA256
656fce95829fde72366eb051bb0e3ffa9a26d5ad68bf55dfa424a52f238eb6de

SHA512
74a343d5b9e4187db7eee7c3fbec583e0f39c1f2fdbb08994a69d1b6e5f73e62e237e05db523bad5aa1c0d262b4430d9a648f0e1e271aaa6c97a770560bcb234

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
c3f2b37b5b780127bb662d4cb1c0fcb7

SHA1
492075f54f476e0865430c4d6546c28814bfaf2c

SHA256
a4bb097953b09a44f239ad5881ab093b22d895d012beb306367e39da3162f1fa

SHA512
e599034e940a037853ba1f3ef386302131d2a26e402aba3e68a8e314b011e71afef03cc3f37648900e0380ee782ef816cef29dd80a979e721df4c9665a4c6e05

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c89eb9d00555ffbe84d2428fe3862d68

SHA1
3bfe1f11795c5d08ae5f73b30a883c56c1fd931e

SHA256
fc1709f3d9f4dd9248acbb73bcd2b583686285c23ac72f5951876e698ff46905

SHA512
8d3a039ebce9e4d08f4bdd8565286d7364ee295b0797c38842e6e709be17be86f712ba1c7f9b5e4fb41f7bf2ca78ce74aec8e2462ea47190a1979094e93e464d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
1da65c547b7fedcc03bcba4abc1708ad

SHA1
2696fcc0696dd999ee65d2339a8a7864aaaaa717

SHA256
bbf37efa76f7f7cd95c7833e3f0b7035cc7858a3f91b6958523de4e4192a6739

SHA512
f0a77a5736583e357b07b90147e453d16ba543cddda98e74cb42f64fa8a8fd9bfb7de132fe4a752da73969088db09f404b80b166fb68115a80493aff53f6861b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
0d90e1772ef874c66ffd0c075bd4e58d

SHA1
2e768f06e5ac41256bc1b836c011436f514a1429

SHA256
8724f51d2ac246f0569cb5f6dc67bfac9756de405b054d767f370902befbcc40

SHA512
b86313d9c69144e437074a6ec096bdca132fe6a93237c5b1824c8b663b625b2175a0944b6dcb4dfe1897b93bef37ab48f4c22abe157dc596bf738e51d89ac538

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7910ee924e66c422306524fcfefa1165

SHA1
5085ac5a51e7c7ac6e48cc4edf3c565746da3762

SHA256
3d4f92f4ad77b0b2121c1a437447c82b37e95fdcb2e5ae59c7c9eaad9eee365d

SHA512
93d7a859c914b1a656ec2edb2848e3ef1b946f340a8453b7e2e8b69c2036bc4f6d73ee093b08d8a4b4b43de65d2fdac3c4e6ff1b9686f7a3474081a31a965a46

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
664fbb5ed1f6abd5b503de09495d2f13

SHA1
99cd324bb942a9e5fa4be721ffa1d457fb7014c7

SHA256
6d9730af66cd1eecbce620f3c9785564adf329e9df000b5b4fe329a6bc89e435

SHA512
cca1014528d2395e6bea4c7755b2f1aec819cb58fd948e8bd2da3f4a667819f2fb4f0d175b7a783692eb55d8a9d438a9559a32d825f08a863006ae4d57c0e914

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
919dda12bd4ddfa029d9a7823662cb90

SHA1
ae51b93890081d5af35cd4d1a58df9fee2b79b42

SHA256
f3b2c1dd05a20c78625c3a95a51cdbfea4a837acb96b4155b40a35d74098898b

SHA512
ca2921799e838620981522035c9e3a9921ed52382ee4c2501b488381843d27f5a5670d1fd16cdb226221a89db295989e2ba7b4d1a62675830416ee5eeb5799de

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
eded2f0129bc46cf5ea215795d2b23eb

SHA1
cd5991cabd63b2524193de0ebee17d9d55130f6e

SHA256
0fdb4efd12661cb4442f24cb5d35746c29affaf14bb9d96d266f8bcd5302854c

SHA512
b6bddde25d63df018199d6de6bbe89c5b9ea03f959c53f302bb42d362ee6450e13112a74aa5b1618bb72e9d0dc9ebdc773eb8ad27b0ce872113f87b658483193

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
549740aa69301703ad619dbb3e57afee

SHA1
1e1b61234dcc7e394f4ffdab312d9a39fc26a934

SHA256
02c51e3123e708df2155f07bcff8cb414faf77aee26dd5d41f65f0aa15e866ca

SHA512
6718127e565fbfca1299bbe348cb94bf11cd19c69a92b2ea5899050151fa0dfed49d454de2f41450c7b2d6399ff7653372317f2ac5141d769b1596c0247a0e83

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
459429d4bc8aa38d03bec4e48c3442ff

SHA1
7f99bae66165c0c05b7e190a14dc22e77d3c2da0

SHA256
04cfaff77bf37356fcebde4c38a4e693f0d3c808715799f2f2775fb471c24359

SHA512
35fcd9be35620cd4eccf5d6b96902287f4ace0c29b67784872eb8840aa4cd5412cff3ef66d111f0f84dc98deb1b4b1088b098f55f9825a07e0876910387c4d37

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1e04bbfb633e3c2e6957c8762cf2652c

SHA1
982ccec0f53562f45d35bfd2b8adee5bb7c00bbb

SHA256
aee83a9a74561ab1e20af9895a753fab22437b665f04f7c341e99b3e6d265525

SHA512
649073a8a4e8b7950692dd19decf357fcf2c78c154599c29c184f1c0963afeaf95d1894b807f4fe1c2149800b915fd63a2872484dcf883c67d3fd0834530614f

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
26db2c3a0cb2489de875068fed9991e4

SHA1
b793ac680e16216ecb0598e7fd85dcc39cb84ac4

SHA256
decf03f8ec6a1644192db306823122ade0e518dc6a6565b6f7a90b1e8cd69f99

SHA512
46e08a56cf876882d91e68229c6c400cf442232ef268e166168e4e681139cdf59f9daa13d8391f1720c891db4f2b6bbd91179b4bc7d5a0585c9eab66ccd709df

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
abfb99a99e07a435027fa8f5936217f3

SHA1
7051481f459257360aaf016024cc1aeeecc65bd8

SHA256
43883da35f641128de4bbcd789fdb97b47595a29d74234a2c438e28d9fd4f85b

SHA512
9cd66a5fc3cd8976cf8b70fa55a289ca76fff6f51415a803aeba16bdbe390bc412b2b454931c858c747c85b55f99d584a2adea453c05705ff896807a72547bba

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a89b324c179b7c8ae3a7b220d3c40c1b

SHA1
cae554bf976fa47aa44eaaf730e457d4afdc494a

SHA256
77f2e00cc539afb186fbd5c3310beff8eed8bae34e875621a613a4349c4f436f

SHA512
62eaadb46cd29e40827133147d1f9b68c346a0d7c171586037b18f5ca750cb31647b78c9adc9f7041790d10a5ba179eac966f4090333098448bb0a420e1e59b9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
ca0998aba127660dfbd77e14c8af9e6c

SHA1
44286b3e0316a5b64b322c3e48c26b3eda811dfd

SHA256
812a2c57df98ba8eff7c9ae280ad4092bc2a3575a8a06f4a6483ef61c1dfb524

SHA512
7602102df53c20b285193b007de5a99b0b763686e6435ba4a4d6f9b833a61f283e63a46e990136f9575667a99ef09f6fddf95ee9b43b4b144b506eb1be85b41d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
7f6e94162ed1329184f636acea604754

SHA1
c95b0ce6d6c071f42ae08aed2c1c9061615ab815

SHA256
e22433c183b17481638deff24c9e5ad6164cebff6db796f1027c4171d0fb88da

SHA512
134137c8d0445653845ff29a32c6b91e8ab597fd5a998cd202ede9fc572455d819b245a0c5a91c60e9c6afcbfec33d28a1a1a9346ebcab74b7810d8545239b09

Download Submit
memory/1544-290-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1544-647-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1744-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1744-739-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1916-293-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1920-340-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1920-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/1920-13-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1920-19-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/1988-291-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2084-274-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2500-286-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2580-344-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2580-741-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2716-82-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2716-651-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2716-92-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2716-79-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/2720-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2720-671-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2720-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2720-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3032-342-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3584-143-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3584-150-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3584-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3584-154-0x0000000000D10000-0x0000000000D70000-memory.dmp

Filesize
384KB

Download
memory/3584-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3772-288-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3860-0-0x0000000000980000-0x00000000009E6000-memory.dmp

Filesize
408KB

Download
memory/3860-139-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3860-5-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3860-525-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/3860-8-0x0000000000980000-0x00000000009E6000-memory.dmp

Filesize
408KB

Download
memory/4268-740-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4268-343-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4340-289-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4360-292-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4412-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4412-105-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4412-128-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4412-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4412-113-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/4520-285-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4520-158-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/4596-287-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4632-738-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4632-295-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4964-294-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/5092-117-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5092-668-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5092-123-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/5092-116-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download