a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
Size

625KB
MD5

c93af59f97b96387a6b2947a54eab863
SHA1

582f15d11a8059f60d000ad427f03e2183d87e31
SHA256

a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219
SHA512

59b1e8161665fbbba6eecbc5a0910264e599dc1b0ef1626d5d5c39fc66ebd5ef18589b286575982d232c6e2fe64fc7f6e1e8584820c640c6bfc1b4ca5d78f9f6
SSDEEP

12288:n2V3F4SOpFjn04R4gq4HSUQH4WT65RShG605414IQanx8/6:2VV49pFT0SLTQYWkK2u4dax8C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3608	alg.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
224	fxssvc.exe
4728	elevation_service.exe
2372	elevation_service.exe
4824	maintenanceservice.exe
4004	msdtc.exe
456	OSE.EXE
900	PerceptionSimulationService.exe
2936	perfhost.exe
2532	locator.exe
568	SensorDataService.exe
3944	snmptrap.exe
3016	spectrum.exe
4332	ssh-agent.exe
1952	TieringEngineService.exe
1140	AgentService.exe
1716	vds.exe
740	vssvc.exe
3516	wbengine.exe
3576	WmiApSrv.exe
860	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\127467bf7dd2f4b9.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\System32\vds.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\locator.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\System32\alg.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000067c6ab94b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000021301394b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000057a5ce95b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000560aed93b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003a81e393b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004f0c1a97b0c2da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000051f87f95b0c2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000093bd8495b0c2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-105 = "Windows PowerShell XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3040	DiagnosticsHub.StandardCollector.Service.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
3040	DiagnosticsHub.StandardCollector.Service.exe
3040	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	752	a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
Token: SeAuditPrivilege	224	fxssvc.exe
Token: SeRestorePrivilege	1952	TieringEngineService.exe
Token: SeManageVolumePrivilege	1952	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1140	AgentService.exe
Token: SeBackupPrivilege	740	vssvc.exe
Token: SeRestorePrivilege	740	vssvc.exe
Token: SeAuditPrivilege	740	vssvc.exe
Token: SeBackupPrivilege	3516	wbengine.exe
Token: SeRestorePrivilege	3516	wbengine.exe
Token: SeSecurityPrivilege	3516	wbengine.exe
Token: 33	860	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	860	SearchIndexer.exe
Token: SeDebugPrivilege	3608	alg.exe
Token: SeDebugPrivilege	3608	alg.exe
Token: SeDebugPrivilege	3608	alg.exe
Token: SeDebugPrivilege	3040	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 860 wrote to memory of 4684	860	SearchIndexer.exe	111
PID 860 wrote to memory of 4684	860	SearchIndexer.exe	111
PID 860 wrote to memory of 1692	860	SearchIndexer.exe	112
PID 860 wrote to memory of 1692	860	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe
"C:\Users\Admin\AppData\Local\Temp\a3c69e9001d1ec0f633ca626ec5a1bc389434cbeb299a420a43c1adb8e47b219.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3608

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1584

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2372

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4004

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:456

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:900

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2936

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2532

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:568

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3944

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3016

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2224

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1140

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:1716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3576

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:860
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4684
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
fa3a50197fa87e743ca221166fe36b52

SHA1
f9845bbe801f3c72c4fd93e422856b0a1f35885e

SHA256
8863aceb4ac6c3caba8dadb385cec96cae3a0b96dd372163dc8f7966b272db65

SHA512
c948b41210ea180247d018baef432eeb036e16ef900660b15dfb08423e653b196afb1690e096e5e7cc9cd5ba77fea577c8885b63f785fbea53efb01b6fddb18d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
01c7380f79d973b266a551f30a4af176

SHA1
7682abac6477e30522ecad391568e97c9655553d

SHA256
dc537ec7ad9e77cd96d60b4b240895970bc5503782248e2809269eaf6ccb8cde

SHA512
ed3ba71b78601002b5127be4d93de190edebcef920a94d8146619e5f08c597999885263c2056e9b6d1ffbb903547090ca61f4147c47cf03e881e3d29a589b068

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
e0dfa179d529f4ea6afe3d05d91e4bec

SHA1
d78cf734c5bcd50f030123884e750b6c4aa933f0

SHA256
6fef1e56a1b59eaa25b21ccab25cd2583b355793f832c30ab618ab1b392c2369

SHA512
8e2fc68ca2babce272543b0ae811f24bfc4530ce99db07a77f71d9232bc219cb833343b0c185087c6369f2952ef1b5f601e2e2f7ef4b1e4dad9324ffba0feff7

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
f31e8d30d48efc4b4ae6600f103dfa38

SHA1
eab7a3f2908b7797ae94dbf3fa020e56e7f8a860

SHA256
1bf14b544779b788eaed781d427a57b95da50022e024ca710567d860849337b8

SHA512
1e6711444ad2779e2b55cd568ca6f0757fda4eba31abad3256345d0b381819588a54bdaaefd15ceba6e1817e898185b97d6655b704c092a187314173b9caf3c2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1e3a1bafa105fcf9e23f7c60181dbbcc

SHA1
f2a377628e8580ec86c6212569d653edbf8f438e

SHA256
d1b5e724dface5112a488f6ad3cf194e8cd78b320196e603f642314dcaea37e8

SHA512
61c188f2ef95f9e227b6f2f1a595256603275a0e28c536a2a4541895faa095c34b950a39ce0ed75c068b22b678b38e243cd3132d0ed4b0c66cdcbca71fc249fb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
0d3065a0b954e7ea702cb3d131813057

SHA1
75b43e59f8af032a797a8a6cbbfed9a279d722ed

SHA256
558d9d1463ded77fb5d21e6225107205a0a8c75718309ee6833784a030dd2fa6

SHA512
5fa8f0167075cebca7625988fe2f2e8687d457f64269c450923a3292bc18f59e10d4bdf81abea3e948a3a100b826c01281179a26bc5464ae92c2d9c31df15512

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
bd37a1413ebff0316e8f78885bb06016

SHA1
802c5de98e155c5ab58c86f8f74b329a71c29f47

SHA256
e40d1142eea4766c03dcaf71382a69d3f84aea45e1b28694fe07cd122e4407f1

SHA512
32551c83990176be5c61388d8a0dd135859f7f7d82b5d7ed1e985197edcf967337f1a33ec56ec404c76d34efd63d20d631dec710a0d878700c232367efb717ac

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a3610a4e764ac57b8dc15c6248896378

SHA1
13df6c400a8fc2b646a1bc06f8c37b4475a0475e

SHA256
5cc35c5de7a23a22fab94fe4d067ab4016506a66d9c18870081159dc43d425e4

SHA512
39a159e87aa5c432dc745bd524032f6c0be6baf5adc43d1334bbbd624962ee3a864d3155f01bba9de5ed0ff110d701c7e28a0b30703a7000295f6677dd5bf65c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
4ab747f0970217c2780710a4ab5d2cba

SHA1
84961a15a9f94ef25d4facd8adabe9bd2a7def0c

SHA256
ddf6fbb72aaa412bcb6c38b081a35049bd859638b41439952930b6d6d62031bb

SHA512
766b007eb72f3fbf856050a31a871f3cd0ffd4d8104cc936fd9d8848f43ce1395f6aa3de20557b350a36c1c7a78566f0880dfd1e688922dc071444d51cf49d38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
efffb69ede716b0e7c33ec76c2ffd394

SHA1
6f2cad1223f32d987296a5a714f8fd61332ff56e

SHA256
ca0718913b478c92e6503b65f55de40cbf88fc5235642bd2f1364ba5aefeb7d5

SHA512
99cf83bfda6d0a1555f3c23b6a074846bf611e2b60418956d37642c4a47f306c600a125d740fa6bc60cdf9a9c4f069edb7f3ca626a4d5020f35378568f46ba62

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
6f2c9206a72b875618156e63ba3de893

SHA1
1216dabdb003b99b64e21764501f6f293f0ecfca

SHA256
7b86b1676f647cc509d07e6f45498339ffae2788be22333db918fcfe642d91b2

SHA512
4020aaa61dac0e420e7ce4b157a80d943937c800f489bd64c63ea652bb35de7ce365ecacb9bb104853a2c581c4c0970d25aceed4653d26a3bc5944b3888e1857

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9609e162c33407c4a0e894d8f13d36c6

SHA1
8542f0b5b16098888c9ef6112fde6b39c11872a2

SHA256
0718bcd848e9cf1bbe448fc1b3911aa4bfcfa437c69e748f1abd0bd74f3f172c

SHA512
0cca2743e38f811c5356d4b84b9943965ab0fa03a13a7cfbc58b8dca6bb7a8dd369cae9079aa2d95fdf5e7bd1f60f45253657b4f7f311601b791491e3cb93040

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
bc637379a7415a4071d99fda0c15fc9d

SHA1
a40feedb9acb9ee6ce0465a9c11c6126dadb40f5

SHA256
55972fadb5d54e50ac9004f8e4b66bf92d40aaefd393fadef58e757a981108ca

SHA512
f0a943ffde25614efd5ec5fcef35ec999bbee0c1423148effa3235931bb5a441bd116b5d733ba3a0cc479beccd561195b49ac3b454fc1d38c1edb8b3470b9261

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
33e1af1eb5c25c0dca2496b7b2c7de86

SHA1
2120de3a55dbb022f41a637485bde9b096da98f7

SHA256
15c69f7946202e27e3243abbe085871902aa54bb2216ebf921ed7f0caaa3ccae

SHA512
e288fde6027d69d5557a4d300c324e6f6d52253652181b497c402c45a5cb57fd48a339f73743dbf2bffce293dab204a152bc91dfdac7370e8315992437dca1dc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
38a394d091879e215a38f06b12acfe97

SHA1
5832a477f6b55ef96416acf6ad900acde6682ea1

SHA256
14d5321a62eee841fc75a83e1c0e785fde75a20c07a05c31e1cd0e4ec408f755

SHA512
193230e9db601f7c7c05ccc1f0ac19bc4bec15bd2b26fa282a35d5f3425803c7d2ee4eabe86638ac4aed51ddd89dfcbfeda92ad5a831b08b3e1dd8dfed50f537

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
4411d92b2735c5dc3971d7f7fd742c36

SHA1
f0ed88864abb299a38a1f214825c8f6024580368

SHA256
82cc0c5655d76abcc0f27b3169d3ae4c056897e6104a5d449c21cd68e93f07f5

SHA512
114fa5cdbd3ec9496876197db586f490896d467bd6e98f9c8cc310d5c156d0bc773ed605201390fdaa1152756e866e41ac3c1eb03874d34f149b6a0e489bfc0f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
d85641f4e28d7454a1d3e8dbf10e139b

SHA1
b74aa1399c43d96a32c784bbe35431beced0d9db

SHA256
95e200e42f8af6a4bb11268ea0907c0e22e07f6eb418545fa3591ee321855d09

SHA512
e69449cbc77e80e87a244f8f1eed73a7cf472c6162d6bb3c8aa1a25013a00a75207e231ab5fb18dc2922d7a390097503f381f7dbcd05709641dca77f2a6310b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
f16bc124572d89e4cf7cc79c8d630c2f

SHA1
cb1dcd5c18985b3550b62886d833ffde5822f0d3

SHA256
743390a6dccdd563c7011400b19bb01724e0e21bd137d2778cea6fd9e765a81d

SHA512
b6f380f06973646a6a1bdd1bec563ce011b5010da67f0070b7f571e5b9bc1878f03b5a642aa880ee130ee3aafcadf634d841175e0acd47753d7ed10a1fa8a960

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
29aa816b5369fa03fec39eeb706ef18a

SHA1
8eaa333d6dd9d0430948a1afaf171341d957c406

SHA256
77c5a61ecd224d9cc957e1ea095ebc02fb1a80ca24788c3cff9ddc71a2cc8bc3

SHA512
111a856e42e12244ac771dbb850dc4d4d150cfe809ab88487f35f7780b8458a467329e8eb19a89bbb99e2a096f7a1506573b7ebb7d3581c80380bd8c5ce344ce

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e185b13bba6e1b8cb263eadd09a4c78e

SHA1
2d640b4eac9349e71b15a922403075a86d1fa139

SHA256
7433f4e66ac40d8bb6258b1dc35c52f18852bdd3a42697ef0005413945a11fa8

SHA512
8aec7302f65e8046d10604c5b255fd6b339f78979df6d991cb446389bd97bb985b6df134cfccca41e93c8530e48d2b65b60e4f72243da2096968de714ebec5cb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
557b76923b2554cb5134538d3c0241c5

SHA1
294c2c2b661cc2fc0bbe942e3188f397ddf93ce1

SHA256
41602b4653df6f293fa98536d6adfb73173b303fb460729e0e12a9c9e566b592

SHA512
70321b4c881957f72928720bac817cf3523e92c1058ef0eddc53e047033b4750d84754b6168c7a71ad7736020af478d82c74c23078d19242419e114f8b54ffc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
3901ccdd8280d666e412623405b4cefa

SHA1
cf1cc258374d45016841b0b10858ccb7db4bb716

SHA256
c57ccf1a51756120e039e3a20da507219ec43417244b8597c8da9033e6cc69be

SHA512
d1f8e77bf061834f61cac150b8c8d83dad23321a624cd6e5e8702aab99cad18fcad0435f577c0a1b57a6ea2a41c3bcd4836ba4403621f4be551cfaa05bc9dcc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
b18ffc08fce6fee311f65236fc6816e9

SHA1
ed9605cf1ce7092644bbf90fe7af788de94956d9

SHA256
87ca75d5e755f0938739816f599a0b4f47fc28acc5eabf3ab6cc7121fc1e11d2

SHA512
0a97664e2928aa6b12b46bc4711e3db0642f350fb436b400e6437ec5a1d6031f9b12bfc70e5475255be5d299940b59d652427d55a465b1358ee10f229f949b48

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
19d32d1d0706912de095ca4222e12f96

SHA1
945022d4e2a9d1d3f36e28c6eb008622155775c4

SHA256
7a1f0efd7b3b99d9c46e83229b2b4de2dc89e689683c9f2b494154788be5b6c7

SHA512
90266f4818012f32ab383c89605dac14246a1d48bf48f7503bdc838d8cf2ff04cd4f1b1a9287128af5615b84802ca34b16b65c008a0920e37ece02ef49580e96

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
62a6c050e743a1178f7abaea7f4dcefd

SHA1
5c51888eebf1885eed3dde7e0503fc22c6cde791

SHA256
84ba1cce2d9513585f606aa016dee95e27b1f5a6387ddf952869e273e54189f5

SHA512
57d43588f78834c89b71e4302820a01d0f271204015aaed5f3e4995ec39098a35654de2f589bf57c990e17b7899ce01c03c26b46c9e7d7665e24053a27d50cd0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
1543942d3a64f54cbae7c3a9ed16f2d6

SHA1
1c0833b9f15f0b4e0cf487b3b517e89786ff3156

SHA256
bb329f2627273148ef9c66cb6b89b5eceb8f2e9ae23b81d1bd3b22a4beada218

SHA512
79e15b4bd48c1d7d45d48101d12f4e948312afbc6d9da41aadcf164d7f262ad66bb685df5ee3eba012b009114087f57b110dd3280a721a1e59bf05f899d69220

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
8466597896f328c8b9cef62c35f52fe6

SHA1
b2f6461eb3bc195d52653c471f5f66a34e51ed8d

SHA256
f03f05e870f88ccba6fe73515664f3d57c58fff0e8e00aa88e6eb511d9b9e1f1

SHA512
3738f20783b6b39e266c800eb147b5f5c41d39f8069c485d52d8f7c2b8e9c487ba4841c5eaa38e31924b8f01dae63f3b95ec1733b188141b9438660d657bf785

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
5291c57bc9dbc5c020533fb9b0b9b9ec

SHA1
7465c1ec4557606b2cc3866802f7616e1818a799

SHA256
07910634397899fcb24dddb48e44508ffa67fbb222078013bff9c10883a4a3f2

SHA512
2b2a3367fde427eeec42a29e54fd6b53653a102630392fa9225ded8dbfa5ae9b092b59abbec05ebc33f3e47010e4fc06a8999ad5d775d8caae56bcbf9d5331bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
fa7ef65545f3de3e980a4ab9fc4da49c

SHA1
a0fdf0e154c1fee05ab63c9a222207a9709ad14e

SHA256
f6c73a8bf01e5372dfc0b09f8b582982ff3bf1755b76c02cb79bbb65865b9f47

SHA512
fd9ce228d4bacf3073ee564c8bab12354284f058fbef548cf942955a11c92d27d8d8d9b2d91d1c69de345631a9a49c6da814c7bfbd0c2be2db82efd4c285806b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
63387d01200782b32c7eef2cdad77072

SHA1
57ea44f25d9a2f3a951b3dfe4e76064eb1defc6d

SHA256
9544baa9109a7c35549d34064b096663ab787c3de8dd64d40e6cd3601ffc3234

SHA512
2ee96b105b23a4f9966a06e414f0f5cc7ac4c691de3ede6e94e69d369ef13a6ba9221d751e305031b871a8fa1fa8e0908a7d5238c9df4f1296d6f4739e8b252d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
0c2b2df54d4b90b3c0b0fee03cac0153

SHA1
c34108aba13614a07bd38986a094e66891909724

SHA256
05c5af053cdebdb2d87921de5d051d5ac6ac9f0103f87f4ffa380c3cbba20376

SHA512
c2e65f76a00536672f9e582912554e1519466124625923eaa19aeca7242fa7950d6a00649a8c5c6d43ce13ea4ae9cfab920800a3e6f2d69663c25f7ad9fc9d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
97ab3470cc287d13b9a39393232d5061

SHA1
bb2b6bdfd6ec71ff423865c84ab73d2308a91a0b

SHA256
c0da374bafec7b0d966c65b0350fbaf2604b225e199fc0bda1a75d9f5968f2ae

SHA512
436da8e73854fb4661ffbf6525d1e7637d9452145ae1d27a82f083317e411be2f774b4f4c58e69fa6a7af0f8a102ebf8497e73a9212c392faad24f5997959f78

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a9fcb28ae8da7c9a283e25f23a4c3ba9

SHA1
ba09ba4c2176315eb3539d018aadfd28486fadbc

SHA256
d861d720e87cc0a70094ec5ea389ad6dfab031d3c8165dc75337fc9c975a9c5a

SHA512
5f615668658d0e4bf9605d6cbd909885f58ff43a964bcbf96dc183ee852b19d70bfe5ba78ab1d29606378e0c75d1eecde3b3b4153743063651bf5f2d20823682

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b9dfbeb5b5f69b228e30bc95bab4db05

SHA1
0d51a6a23657107c5d86f5e734b627ed166b868a

SHA256
da070c74b4aa6b8911ba921a877cf9cdf28e6d6072692cd13146336184f505c5

SHA512
5c7d74dc4b41a9ea0a7dbb9b1f62d46c50048674a420d8cb4543e864d056e1755aae02c89ad99aa758af880cae0c5e58412a78e52510b125128be3e92c35cec9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
06cfbdd0439c8200e1fba89949b0eb69

SHA1
310b4c0b01aa6080565d52ec8e5af14446ed3565

SHA256
6ee068fd92cd70a0ed452c410be8b930cc4e37dcba5052b3dbe9c9412b662ad4

SHA512
a5e59d4629f17c651d48696e24416aa52329d5d9cc6e87372cd4d54efdf9d57ef82a836045ce7350194d6b7d04162005402b73d71e8146e8a421d65fee9784f8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
21f1d18e3f5e4f7b66a10371089f9ff0

SHA1
73dc17e4060a3517a2409186d549e3c7933fc24d

SHA256
509bfe67477f589baa3f8e3d97d65310d7dffaca603b886c64cca77d267190ed

SHA512
592f3f4568908864fd5830e48dfc7e86371db2045c6db785e330519c2539c81d150859fdce1654c51d39aa0600e2e93f2f13342561f1f76c43e364078db03a5a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
02258f29f9d2bd3d8dcd65e188253690

SHA1
7d6bbe66dba37bb08968982d88af63cdc90a21d3

SHA256
63af2fc7a6eec8852f13d139488f26d44c94114174fdb8d073df168b43e6a362

SHA512
faa439a3ba735626bb00fefb1a284404da471ca0a0f7b628d4db1d83193c23f3db553ad1e78f607d7f9e37086f4970e3c03f2183bbe55760ff8bb25ef775bd1d

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
d6803711d01b11a3d63de0f90f82f32d

SHA1
cf886be34888733ab8407fc92c6fac1ec61370b0

SHA256
b31db45e55c1baaecae4f96b2dc6581e9ea2571064cc68e49682e13a413949e8

SHA512
08efdd0a58f8bb4799b48abbacf38e7178fe6896e8e2192df136b781b5d7b8e929dd5bd111d46b211b96f30d68790b7bdeaf0e40cc831b0bba93dedf951870f2

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6211f5e3d28b2fc9e43c8cec50e37cac

SHA1
80ecb0a34649d6269c4374affdcfbdf44723fb15

SHA256
a1942aca009bee58bad145c35885a4b3208f089648a07be1f1b1576f3980a5b1

SHA512
50586ef8c0dd78d5509fb6153860dbf434f2019fb782a9a0e8703de2166bc92c5b066f7260e99a64869f4f296b29f4c6ea71592a5f773aecbe6bd40499ee5525

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
50eb9487bd72d6fb72564a70372e3543

SHA1
9f64a012790fe992f17ef8ddff1a40f828eeaf50

SHA256
08112d67a82088a15122b185ce8e23ff5296930ac2a805aad01e6c268362e032

SHA512
c851fed8000bf744b02b25d4864adf49b57022ab234f1d986474d26fa6d62cd4c149d512525990c1cc2ba5ef14ba25d474448b1af1f5fc3f4a34faa24f326408

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
71ff301ce61c5629274cf3d94976fb05

SHA1
93202de91013e7761cb2d7643738ec10326e23f6

SHA256
37d86ea7059075f5b8f32c850e25fc511cdf907de5d02fc3cd7bccb5f502e183

SHA512
93262c79ea4a19094f2b11502f3bf01e017ee0c7f3d4242b27fd067d73313aa4d5c6792ff81ce48b2e54b635c0629b475a60c7b511547a609d2ba2776b8b3f34

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
5da99c489d7abf52645e48ac5bb6fa40

SHA1
dadb178b8db56ce97c7cf5eed19bba173c60a60d

SHA256
3e9462acf49da597ef575e254f65610cb6e345e372a031d8719ccf1ab9604aa9

SHA512
841eba5fcbe101c9ad63825cace2341c942f7c2ce5555dce83e7a96b30f35256e6480fcee1b1a0978a741a6fcc9f702afba35d3f529f307b540aff16f94e260e

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
e3828115c72ae1986da9765c5d1bb5b0

SHA1
dff6c85e63e35246bc45109f488f0636f84076b5

SHA256
1c15a500d5e85c7032efc698efd516c10163e8516aae6442ce46c320a4d635c5

SHA512
8de5c2fe83509d1a2479e0c24018d9d325bf982398f22601758e1f369e3900643e492d7cb8e1f0708423d3ebd9806370f8147479c0c50dd5ffab9a0345fc489a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
b8f439dbc435b87d846a62d8e02e2a40

SHA1
8d3aafc680e6c8fff36c02b419d58a9c768a1621

SHA256
1a04728b3d941704c66e4d2990b50f4b0389174fc8f8d4d12567d7b340ac1f64

SHA512
2eaf53bb7ec0f71cd2fe1450a42cfe4827b5c09ae1e6900589462503ad769f222104dc9495b8e9efe088e3488c887e5cc0a4f0945e2f03225c620385cfb61004

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
16a5e311e0bcac97ba771856673a18b7

SHA1
41f52f04b21c4891c16e76ac17b822a83aae7212

SHA256
448fcab926bf9535fda300b5e369394393ef5a2a4d6896bb2cc12ec49084c7c9

SHA512
bd60fa2d8b4fc838f7768803b32fbaf68186dccb3a9b1a92cfc65239f4a8babe2986a5f5e4e2476698454371243282748ae8974a75206eee7974206044eac3f2

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
c64645fc62cd18d3c873d1f693657f27

SHA1
4d6dea501542c0d2f6030da1244266dd7b2252cf

SHA256
d4254330e90a9b1e09b2c7728f7bf4d32412768bc30127a159f607b08e181ab4

SHA512
56b45fe659ff71746cf2ad45bfaac9d074d2dadc3717012f7bdeccbdef0bc0463cfdaedf8d37373c13c99bbdb09bb74321d11f361ca4d9220d855967ff100e84

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dd7cd107a5e5d914611f61767ec53e83

SHA1
08da83fe18584267094482905db8b6c2bba35855

SHA256
19eb306a242dbdeb293c400eb45937165760d388a2e226b67b2f6d2f6d34516b

SHA512
6bce2a29075eded854c8dd2e798f8df8aadddc50b420faa9b273d17d75420c7185d1db3ce756feb872d63b99e29c37a4f8eab3d9e9b82d31b5e58f869bd0cc7f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
51e42e86c113723d70a5086481a9c900

SHA1
b714e364f57b468077f276ecc735ade7798156e7

SHA256
9e5c3075c283cfa9a87b5fb58b2787bf45595631b45fa7a172c9eadae6eaa145

SHA512
61d0b8e7dda8abc7233e8137fb63e773e9353d130cc761ecbabc0934688257c461a2c2989f3f083231337be9166b100677d46ebb7dc8b1aa0cac3b2aedc3103c

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
7cae0847a22918f8df645ff845248c77

SHA1
f0014949a4fc09b7b93dfb00ea187bedb8b16b2a

SHA256
5f48a66fb282bb9012e29d0c743e323f3d5c79c2485660d84c89e030e393162b

SHA512
b73acc74dd2f573c9efd67353d622650b0e0fda40faeee6d3d87800280525e9fa4b405306b3d239f6811f412d5ee4e4c3f5e519186dc23245d3d7a7d09bce7e2

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
7e855143702c08c5d1f2a7c5155e6c1d

SHA1
6f9c32ef637aaae58512d72b9ce3aa3a6d835913

SHA256
f04448c606f38a344af162133f48613a32a29071a062dd146fb062cf067be518

SHA512
1ffaf27c28ad9db103fa2484e4d944eba092126195c5012f00bbb1c81fb78c3637261f054472b837c82ba1bf4171e71e33d6e55badda4f9544df0bf5c279b8ed

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
db2bccd27a83b623f0cd58b21350c082

SHA1
43b70f2cb984d2f0ba8d46f185935c1378badec0

SHA256
662310b8fe9f8a1fbd3f4227cf98fcfe4ab5d4e8846e5a8d8478fa216cdb95d7

SHA512
8af83a56bf2bf7e713477fe72afa5edd90bbf50c089ca04be9c01dd8cabb9ef250923015d94e41a2942d46e3e585dab1549a12ba0c93203d37eed85c8c594745

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
5af65e0c00c3c41cea6acbc81e6bbbe3

SHA1
aa1654e2bf0cd961d9b31a854b3e07876c600b6c

SHA256
f38ab69a75464539df3d1136b72fc0cde02b4981cfd1493fbf7dbb0a9df70cae

SHA512
319178a121e9658898241541526f49a3b9deefe2dab295e3f84d00c9711d4855ea19d7d4991bb514a5d791ed963d68bf0c7a58b01160ade64ac3d07f379315a3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
e9fe8f0515a85381aca6c2c489c3c9f0

SHA1
9ac11459e0363d9b827c1ee24f76173b73e8694f

SHA256
f80af0308c1f1be50911f473fc3364a92cf0031199c36489891c5adf050bc056

SHA512
d285c5f6a080cb5ccccb92d24f0567553c0a65ae8a3e2170850646907efed0a119569cad50023729d03042772052134e2b14a421a3921c3cf469954a87373e94

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
12651c1ff598f1f8eb8aa03b42031ea4

SHA1
8019cf6226c8b6c59428cd56d66297479b41787b

SHA256
2df6bd41bbe4473da80bbdec0e9126c0f91a229dd367f2d35d0315a42ba2364a

SHA512
683c3e0a658c2cf45cc6dd672245b497e292936c7a4d79495b36667cf5f67b6a21c183e7f529a3b811c6355d38fa6cd301bce5c8d2abbec96e94c88e43090639

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ccad58ee13c9947774c3acf4e403794b

SHA1
1e552924aa7bf77bcc3541fe0f5d8508a202be86

SHA256
c714a0c7c7ffde1341240251faa8dd1acb3a85da555e7a1e342d61c79b07d2ba

SHA512
9def1e5f8e3813bea006470bbb0eff0c6b5eb70fae7ecb234a93a1289c444d55783d2e58663e457b3ac8ab663fbe0eb04366698635b603bd946a22640beb3722

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
79f04976f2c444b7dd4afc32cd8cf96b

SHA1
b07f79adfe35b88a1a33bb2fd641aadb55c550cf

SHA256
9c166c4bd6fe67d22c8feba874c1a2f1ce841d2f2342f8cb6fa48f9d6a9fffc0

SHA512
7aad47923e837c863094b141c09a6325565941157ce94c7daeab989b0e49895c309550e08813da93a5aa9aec8295e3b20d3d2c579f1c17311a80f6506bcd9b3b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
55caa87117b0cc7eee687479e8f37101

SHA1
8075babf355c30d0a8589b83b03d842ce9fb808a

SHA256
a87209d725fe9f799b45b5b33252c0528fa874cca4ee1cc858b50216a9056d32

SHA512
bdb7532c4a421753a7b21973bb7836ec1eaa32d5df91a5f86c100c151efadceb416f3fa898dc35d92d988470966407b5bd4763a778c1d595648affb501608b74

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
423248560e9b2541380b30b01ea36434

SHA1
ba0732118e8f9691ee263baa86f2a490cb70af8a

SHA256
a75de02cfe199d199f371bbd4e34fe134650171818fe58b7238491a2c14f469e

SHA512
1e703d1d3b790000ac8bcb20c2b57f144ee45235797ab9760295a08141f120788e114ad7b48970c0f0ca1c5ce4158f846f7bd1220783f3091de2ec3758f650d1

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
2e73be57b2b1a71e3a336e2402f2c170

SHA1
e57b2eb90864094332df0ea8b65920842fae4db9

SHA256
94d9bccb9666837f266554bcb8a298be84f29cebc46b93443c7be50239c27ae1

SHA512
067cd1e59c8590f6a9e6a6bb546c9609b043f2ee54d9dc6fa9731636ecd60142e53c3525c325c9788aee7400863347368b116c65e0b6edd27cc3cd479b8db873

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
ee3fddbdcb3701daa18cb647d1bcda7c

SHA1
38b67581762a38f2e4aa3dde4d3412c8a174f0b6

SHA256
06f6b52803368f1114d03d272181ed7d1309feb66f2947c3f982f5359453f806

SHA512
0b114528ad0c3f7ae11414c5677ad9f5f7aa302d09af25107da86590d14695952324b8e81257161fdcf3ecf33a7e4c164084185191c13b2f086ae68cae9ba099

Download Submit
memory/224-43-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/224-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/224-48-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/224-37-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/224-45-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/456-222-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/456-112-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/568-156-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/568-271-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/568-604-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/740-235-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/740-609-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/752-496-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/752-88-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/752-6-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/752-2-0x00000000004C0000-0x0000000000527000-memory.dmp

Filesize
412KB

Download
memory/752-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/860-272-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/860-615-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/900-234-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/900-116-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/1140-208-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1140-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1716-223-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1716-608-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/1952-607-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/1952-204-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2372-184-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2372-70-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2372-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2532-137-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2532-258-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2936-127-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2936-246-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3016-180-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3016-549-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3040-35-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3040-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3040-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/3516-613-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3516-247-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3576-259-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3576-614-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3608-107-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3608-20-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3608-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3608-12-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/3944-442-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3944-168-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4004-89-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4004-207-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4004-90-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4332-185-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4332-605-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4728-51-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4728-179-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4728-52-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4728-58-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/4824-75-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/4824-86-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-83-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download
memory/4824-73-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4824-80-0x00000000022B0000-0x0000000002310000-memory.dmp

Filesize
384KB

Download