ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
Size

1.8MB
MD5

d7ebaea469ae8ee29bae2b7f27673989
SHA1

c52bb58ec5118e6b198f6beebe53745c12f7b518
SHA256

ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928
SHA512

3254748628759c58e681b0ccb0d1f0f2fef82c0e30002a4664bb6f903f5e51665b627c1f77518feaa3146ebd7155143008092189c2f7975ace5948c145b9e48c
SSDEEP

49152:9x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WADEysEVAFeVyd:9vbjVkjjCAzJdNM0d

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1416	alg.exe
1100	DiagnosticsHub.StandardCollector.Service.exe
4928	fxssvc.exe
1780	elevation_service.exe
1524	elevation_service.exe
3160	maintenanceservice.exe
912	msdtc.exe
4272	OSE.EXE
392	PerceptionSimulationService.exe
3880	perfhost.exe
4964	locator.exe
4344	SensorDataService.exe
5076	snmptrap.exe
2168	spectrum.exe
2604	ssh-agent.exe
3740	TieringEngineService.exe
3220	AgentService.exe
4676	vds.exe
5020	vssvc.exe
696	wbengine.exe
1768	WmiApSrv.exe
4616	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\System32\vds.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\dllhost.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\System32\msdtc.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\locator.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\wbengine.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\AgentService.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e81873d389a4da0b.bin	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\spectrum.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_ru.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_hi.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_hr.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_en.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_ca.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_is.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_cs.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_zh-CN.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\goopdateres_ml.dll	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM77A1.tmp\GoogleUpdateSetup.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016be528af0d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000391e748af0d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c32688af0d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000424c5c8af0d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000086f94d8af0d1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000065625b8bf0d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000043e4598af0d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f4dcb98cf0d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000048b32b8bf0d1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1100	DiagnosticsHub.StandardCollector.Service.exe
1100	DiagnosticsHub.StandardCollector.Service.exe
1100	DiagnosticsHub.StandardCollector.Service.exe
1100	DiagnosticsHub.StandardCollector.Service.exe
1100	DiagnosticsHub.StandardCollector.Service.exe
1100	DiagnosticsHub.StandardCollector.Service.exe
1100	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
636	Process not Found
636	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	552	ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
Token: SeAuditPrivilege	4928	fxssvc.exe
Token: SeRestorePrivilege	3740	TieringEngineService.exe
Token: SeManageVolumePrivilege	3740	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3220	AgentService.exe
Token: SeBackupPrivilege	5020	vssvc.exe
Token: SeRestorePrivilege	5020	vssvc.exe
Token: SeAuditPrivilege	5020	vssvc.exe
Token: SeBackupPrivilege	696	wbengine.exe
Token: SeRestorePrivilege	696	wbengine.exe
Token: SeSecurityPrivilege	696	wbengine.exe
Token: 33	4616	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4616	SearchIndexer.exe
Token: SeDebugPrivilege	1416	alg.exe
Token: SeDebugPrivilege	1416	alg.exe
Token: SeDebugPrivilege	1416	alg.exe
Token: SeDebugPrivilege	1100	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 456	4616	SearchIndexer.exe	111
PID 4616 wrote to memory of 456	4616	SearchIndexer.exe	111
PID 4616 wrote to memory of 4084	4616	SearchIndexer.exe	112
PID 4616 wrote to memory of 4084	4616	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe
"C:\Users\Admin\AppData\Local\Temp\ed88e0237501c3d1dc2e50fd04a5d7f97bc48704a8e4c3cfb83acf837b21a928.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1100

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4876

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1524

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:912

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4272

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:392

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3880

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4344

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5076

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2168

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1896

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3740

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:456
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b0ddeb475b11f35b2b5341f9fae46251

SHA1
619864709d961a630b37052d1881a2dd70c8124f

SHA256
0b1814ec4e46675713375b187b2e0ae00fd53b026db55a1e1325760f2a4a718f

SHA512
f2e5ac4526503f30933b257b3a8c6c6e9180687caad3550e5185640e695101baddedc25d3cd3b20e43bab73acd7d6f11a0199972315787380fd7cfb522ac027c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
6161b72bd0685f9aaa788fc0394070f8

SHA1
e8cef0635350e14f30ee124fa0f0235262eb95c6

SHA256
e41230cae8373e5160aadc8646fd269d033cba6c40bac0b9f5d00ab2faea5a1e

SHA512
af1842cd96cd7f3d5a66caf403aa68a76e7e221957681f25b547b7d279e0b72812e910544d4dbf2725cd3c63fa96fb5ab1ba7806e6e9feae5814312f9f9e1d1d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
c5385efb1c4057cad8c1842d8feee15c

SHA1
6e9ba477d7a8129b5ef32e19db24f00893ee3211

SHA256
fc7a64f629780258f64189967bd9703f9744827679257e892de2e72e79648cd7

SHA512
d72ff199b5f4a478fe022d79989fd570e9453952e8512434472d7d85cbb006d03b7efa0bdb17576820d51c3fb6fec0ebcc651846a21a790347d4e6bdb6a6070b

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4c6c4c101e016b4be1db07a0b73ba3cf

SHA1
f9f1a45a4598de4082bbef7223ec8940e7662bc9

SHA256
83d364eb8fbfaf2996eaa20544696b944d5b1bffcfff3f1bad2f698bc92d7b4f

SHA512
2f4e3e25dc6d2b71d165e406426a22cea46a3081cc89c8bb51bd358c2f1a0c49db217e27ad1ae1aa50805301bfa5f13913e8c52fe48ed7a28b5650d18dfec6d9

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
c30a40bbfb1ba9590e9a644b36cfef29

SHA1
439fc4d24be2ab7507482e809704dc5684c13808

SHA256
ec8dd432b5c764b93f66c8207c94b6bc54f83f39b9bf483bbcc96f84760a69f7

SHA512
4a0070a8ca66905b0e4f8408ecdc6a63d8b5d7628b1cda68ab17803cf7bb8dba26d424d78e9ff8b918d20cf277504344c24b11ba30a7a927359376551cd960ca

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
29892bb9dab5921dabd1565bdf3e5ed2

SHA1
4f8bfac19b3d5eb138e286496ad53efce12c49b3

SHA256
a70b1ee92c439d0a4b4af5b3e490e77699ad83ff9ef8079f4b279d0748ccb5bc

SHA512
1ca03edb7dcf9d95a721ebb149ae0f680f15001984c876aa105086e9b898f7c39010ba6216aad9a1efddb5fb0574bebfbf533038d8f573d4c4446c411fc73ce7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.8MB

MD5
eff292cac9356cfb19087db9a60a1e05

SHA1
20b40f4366d953733e9b656413df92d14edada36

SHA256
7bc92e1574179f17c60b5f22ad07c6f8163eca669bd58626a60dd795450e2fb0

SHA512
4bc2a06748d7856b95f899a75f98ab3c2a4f747cb83561ab109e6de50a1d6949298da9860b1cece7c0c1a2416c22007b9a78baa40ffe21a6e24682ac41e0b28f

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
ee3834e13c2f18c3c71e6f321e94e1a3

SHA1
a7d2cef47fb7263b9babb059382decf9a3c2ee5e

SHA256
eec8673830b86f5893217ead327fbb676a636ba887000797e4dc09f82aae9c24

SHA512
b5c4c84e34885a22415c8a87dbd6501b8381935363fe8eb84a8e4a4aa5a55bd5e05fa3e0657dff698d458d996df5c8e39d116a0421d2bca18778b29f21d55dde

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
b91ab12a37741339d26e80e7a6a4218a

SHA1
94c85d2275854535b3889d7d4bb7c9e343fe0900

SHA256
88d13fc28a2c7efa433aa93a8969efbde64ce493401b4f2b62b49bbb8091e9fb

SHA512
3bc9a97626b24eea6801d539b3ac3f0dd36f0940f1a935511d738009457c914fa70aaf8eba417ce39c6c2d3be1e969581cc7fac1ca0bf3f0eff1251086dfb5bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
df170c8ed1fdaa169b8ddb61f3d3aea4

SHA1
2d1e8a02feec8b8d3df81ce5ec71f9125961a5c3

SHA256
5cdfa9d6f85ef59bb5bfe37c179035ff6ec6b7a898353437f570e060fa601474

SHA512
1c6fd63dc23eeb9348f7b268837a934d380f6e1a3a25ab2df542cb27547a46331ef9fc9267c17033255107535c2bcf49beb0f6bec4d2461b46cec8263d912889

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
671f294266683b53a85eaa748b0d9e06

SHA1
cde9ad5fbebbfb4b01be50fb7bcc2fd23aeef9f0

SHA256
fa8b089a1f7f4c5e74998da17fcd120c22ddbbd0fc42394455cdf3eae4262178

SHA512
ade0c8acaba7c2b156732fa50a8b4f2854dcf531b2e0f68984301dbee1a0157e53ce0b46e6e99cd3dee3a459cc76588cdcc2931f17fce3a07f68a947627c7321

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
9084af6b562782abe94af0028768acf2

SHA1
338b60ae3224c9568b1076a2c38340d0383928ac

SHA256
c5e90a3eae565fc447b980ee082cce5771d8eeacdb4b5278eb5e8839beef0ad9

SHA512
0eaa1f0cdb7a7d2b1d5422ac4b01fec7ea53f6bc44d4a46bc97a1674889d711eb353561c27ab6c7b5ce70649a1a3a97ae39cc5a03f32b522653a5433fdb33c7c

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
24897c0628a96c060d91584ce4327895

SHA1
09f9fd3db2442e591f91b36c0a054bb4c9f14464

SHA256
67f38d9e931da4be7bcfbc90887383d0ccf25416bf72cc29a57fb33bd6d45711

SHA512
90bfc4a36edae5a7186150686c28233e15b784d752fe90ed397e53d58cd9a043418834265eadaa3e33cb8fd24dc65385c66d524d97e56dacd54fecb4ea5000ce

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.6MB

MD5
771e99753ef9002a71a1f03d6d50511b

SHA1
177801815fdc2f978841277f824a72209068e68c

SHA256
f6a80031dfdeadcbd4d535acdb60599f973c9c053c036b7dfc8437bc100fb116

SHA512
8c3ae26b5df9c1735a5a3f947f018f0369f74b5a8c077ffe73a7387fef66fbb7c48d75423ae07500a2a2ea99b621c440c0b7b52273489d9e5622660b566bd56e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
5d39b28ec5178d372709d322e2e125a1

SHA1
0c3468dc113aacab858b87c779ed9dd650ec4892

SHA256
00479774b60c8e2f97cec653bb19ceb6b04eb4531e3aa004e74bd6f445df1660

SHA512
5f8dcb6522488f80f86fc57b98dadbde77dec3730707982714eba353ff815def8b1f2d48714394fac7b204fe69d67b11a734fa0e87fca51c9ba658ba6010da40

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
a11f608a25a0d3964ecada2993963caa

SHA1
9b930538915a27aed604d71280c1e3e9761f532d

SHA256
cf1c904180c9b9984c853d5b30890d2ad7093693d2371a407062b9b04da685ea

SHA512
6eb9c2c8c51544a83b245ac902ce5eeb8ca053638b5c01325f07b2fc517badb449e8f6a6bd544f3e74762dde45c8d31126d32fdff55fe90443f0af0d4586db0e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
89bf1c861f0ba2d14a5c6b19fc013d3e

SHA1
10e0163647715c9c4004c1f630e9e535efdc7cca

SHA256
393d32b2dfec7ccdd35b31290acb6d6e0e7ce8840ee4508a342bc6068bd38ad6

SHA512
e3c04bf0ad251e79e8fd6e1ffe3c043f7344ee1abd023f65505a77a947cb627ec1d430d6adfbd810e3a968e94146f2dc17121cb6960d6a98c31c6be4a2bee972

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
ed372b8b45e77440b7d37ec43f7b8fde

SHA1
b70e886e63d5e6ab30082cee1fc484829e4f0879

SHA256
3beadccc6c5bcaa72d94e4140227427c5caa7fb58c087c61bf1ccf16c13fceda

SHA512
e468c62340e5dbd1cb950e2bf1fd2a01cf5a47149f7f773d45b4183f94357a85e56cb8699c7d39b29656df98582843501f61ae21254f2dd67961ae5f68f3b908

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ac7d22a7147f6a088305418c93be3dd2

SHA1
7c91f15f60794a90632713bace641570202cc6b0

SHA256
15d4e7c57312d5df27e1c6c9e117bb4d62237c1273ad66768e23f6b5e45b53d7

SHA512
cf6bcee697631e8ad4d73a9a1a78da4edb9d401063362977fbf100dd482ba833342c9146caeea565fadde968b650ee7b3c16d6db65bf66d0b7627e25b4d1d37a

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
94592dd3b1d598fe56dece3bec887db1

SHA1
afa0346f4d3f7610f937dd265d863bbf04813fa7

SHA256
7b8275a9f64445070c2ff8817161c492750c4e7cc3d6c9c4efa24ceff0df84a0

SHA512
a9fff86dee73eaa88c0ee8634d057c836cb32307491c1f71e4fb3efed53b325a11a9af0d7097d4aa7f53ae347b00d62376d8e18932c9a5408e47e01fec6cf486

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
5b718b175a1db0fec5f560622861dc28

SHA1
18975c9729a2744c6386fac05af8ca6aa6a012cf

SHA256
5605240825fdabad7fd09662f6a67c66bba526219cd28290739536a593e031a5

SHA512
02ed45ba3914853312f8957567be435e84cebb9dcd3c1b869e55eb7bdb985296d96d00e77492f2f9ca7bb67f29398e013a80a6e4df96565ddeb44e2350972faf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
a0aabaa5af400252f65df3305274cd99

SHA1
1237e87b18070cfb1978cd86e929944b7857cec8

SHA256
25f6ac3495e633a5922c92f549616b340c5beed23530ed61910aa03e2352dfa0

SHA512
f13395774f0af1e9cf1ae670b2705d56cb0b8d71530d14f99b57dd577f4297a96c16d55b8267cf26d0f302bdf45c5ec71c2809bbb122c16b2079adc5a33f57e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
9d92b7c8d16b55bb82c356f51288ce38

SHA1
4f22d32546bca7d05b6f133914630e748b52417b

SHA256
f85190019aa43fd046e3c151a4e84d08b5080081feaa667aa291a3a4b3c092b7

SHA512
a9d9d553463dbc8fd5e6044cbff944e45ac3843adf6ead0a94a76b502f815fc80ba5970514ffd4411fc80af4ce82815132533585ed2e6ca219b7dfeaa64813de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
464a7caa564c5ebaf4fedc78f1bcc6d1

SHA1
5af633b524445549114972684622a474e3b893e2

SHA256
e4f9ee7607cf75027b428fb83e71a9228627766ec6b687c8cbc59057336f7869

SHA512
71804d20224b9e0c174556f59fd853039305a37e27f50190bc72c8baa6892c2b5be1fd5592ef8150b6a4b33a117f989f26b1eedc5687f8ee0a69c17c6fda4b46

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
e2a6f2cc1d846810ce36ef4ec02958a7

SHA1
c35f0242ddfa201000bb235622cc6bb86cbe0e10

SHA256
77e2c3ad5a9eba3d5a84752226825431f543b389a3c7b4e98b76044aa798df36

SHA512
e5b1de628e2a2013c590b050ea791b7837af6c2775f565591cce56523d3b776ae8984d7bbba6b1953cb5370cc257c7e46bbbfbcce85d1cd8883c3242b44a483f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
1fb0c6a142cd52035cc6022ef63d0240

SHA1
128e21ee5e0b5d96e3be0c6524a58cf08640aab3

SHA256
e0f5186ce59dafab9b65d935e28badfe4dd7a8d9ecc4c3fad3b8f407824fab45

SHA512
120276d3b8d99c5292a43a14686dc4401556a3844f73a4870e125cb3867f781e806a9ee28cd88dc8c638f9ac538e49c50d9ad98b83b125f506d1ee927984367a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
3fbc7e980adc250517289e24aab89509

SHA1
87984c25c6371154d7cf3dfe8439241571326326

SHA256
d12d98bcb40399d02e7cf376925bdae9e46212b169f6bf03b3a856f6ac03282f

SHA512
509700e257f8dff0b3c3284331e37a6d63b1b6eb8288b437ac4fdef336a550cef0ae5839d59fb5ee5c4b154d9703b316614b8098cecdd0c6b8338e802edd134d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.8MB

MD5
56251db2e697efc3f7d55a177e578dee

SHA1
a07084501ca58797a2f5238c6526ef9df9fe51ce

SHA256
a681c97316c2a4ab7215a7cfd38b1142461e76a3572b4baa2bad8858cf92947b

SHA512
f0f8019c8a2770e82fe28c6d268bb0a430b62cf3de1b9d8339bf576b8d43b64b7a8144f910270cfefd5e94a9027bcf2afb4d3c095d25b50664c0356e2875a87e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
ec55d4f4e8247d203cb68a16a171fd8c

SHA1
50af3512df42bfc72c076acb934c616741d1253c

SHA256
50c057cf0a934c84b3088b545a79883af0512e6b8939a6d7da08a3de45bddbe3

SHA512
ea900659078577cf53f545f5bd3071c03f14c7f057547e414f4882d43b596bcb12138f33c8e087c8c8863e10e90cb9cf146d7691542da5f282fcf7e5b0c5bb41

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
398ca34051b6e8d76b5c7310e32e3031

SHA1
5c1cf8c9e031b731e54afb1fe14d3e9fc389d202

SHA256
3180fb8757295af404716f28948d6bd3aa1a07da7df5698fd33c46eb29ba21fe

SHA512
d7937210eeda91960ca13ad93400ff30250e252105eafe9f822a87e9abe253f8d12da9466e49fda7f801addf47cf9376c2713dbb813971fc6fe030d2b9703526

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
0cfd46469ec4e7f626316a3f98d92e82

SHA1
2f9a175444be5c9b397fddab62949daff14f8972

SHA256
543842344b1e622cc008aa090aa359ae4fff6e35399fef265f10274cc3e9ebf3

SHA512
b5aae5085e3bafde9b26ecf41cd0db5477677ef00cdf27355b871fcda20d81845d0b920cf3cb61bd6ffeb580f553fd7d5df72d5e55c6eb67b2575dfba236d980

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
6616f4e8c329ee9b10289b5c6dd8c981

SHA1
50af1d57a94bdec7ba0b4bf66359771a7efb01f9

SHA256
4f1762bc1d7b7ec75887f15ebb213f984d761044f7b32f339019251c1d1fd12e

SHA512
a1f4de332136ec975ae52da0e022a3a664472263636f03160cda34be278bd26c7bb5b613af2106496bcf2d15f25e15e65b07fdbee504bbebe4d73b2385a7f31c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
25fefceadf487393aaff0928ddbb0d4a

SHA1
9fc3f919d441dc368389e19659c7a71df3c11290

SHA256
2fee9a75cdcedfc9dbbcc8a931d184f91e9d01ca926bad5e0befdfc7fd7c7f71

SHA512
9be463904491a6a57dbc81dd4cdcd09dc975f565c7f9867ea78b7ecd110dae9b8694ba6c2d26619219b1383048d59edefec8eb1b1d1a51987c0cac7311b7719c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
b2d07116e2da316ecee243aa2b101242

SHA1
55696237e6d4105a5956b862153bb48a7050e1a6

SHA256
bdd422340ccf24ab6abefe1304843902f3cd56c0e5f6495143b1fb316098b2a8

SHA512
b3fbbf908b04319af7576a017210fad5adb71c6394d847daaedecbd106471cc5f4ded31aa5eaf94152cbed76d2da29c4e7b36ad09808804576603c72f701cf4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.8MB

MD5
c17fd2b44e7d671aa5218f8bdc7421e4

SHA1
b659394a56a682cbb42d335ec85d1064325dfaa0

SHA256
70e1d15f8f03fa785da59ca8f07e18f07ea13b4cd91dd0035401a508a9e2f1f6

SHA512
f9530b4402d6a731dcc64e2032ed8663f89401272f2457dcc20e27a309da7bf326717151d6aad7bab5a679e8aa30f0cb0dfc40ebe068012e85f75782ccf062f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
d742f3c2ea15c169ecc4463c4c495cf1

SHA1
3ec04219bca39496177a9d72ec198da687af5d16

SHA256
4478a5847a1e77fb8482d49a4b0125842395f2f5041227eaadbac9779a79f7c9

SHA512
147b4573fe9fde2c307be225206c1cd4afb3f3f40a091aa4790878a2fb9b1494f7a36528ded3ff9d6f430c89c33246939aee17b55ea47c686a67647634d186e2

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
f8f10f9a8a93148cbb8d36a189d5a676

SHA1
392d4147385ee590bb2695f717ab488eb0f731e6

SHA256
188362ce4608967b222c8d0756647dc93e14b0629d6082d4020d71843be6525f

SHA512
8230621ee41bb40c6eef35e3d98f5a710b50f637b14b69ace1dde23ae8bc2505ca06bfdce778382ff0a9771267185c15760aceb9685f775dcbe78fb23d4b34f5

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
93cd04bf55d1c166f3530a7658e8d70f

SHA1
55b043c15e3f334bcfda61dd6997bbb28e2e24da

SHA256
afdd502ee564b695347c76b7bbbcc068c5634dd0d86b8ef80839eb771edb45cd

SHA512
3bf50a274c0b774a9338c34974af45be8dd087674a5ee7c1cdf6ef49161d3203fbf8848139c1b594db03f81c4114c22141755868ca6a7d98b7a2031549e22d67

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
ce71242793dfd98a08bb77d63cfb5540

SHA1
bde9f055e8becb1935fe9543d7ab2bc68b38912b

SHA256
04fb92e8104a834b773dca4af6d5c402cc9be74df20ec7e20df9cffcb5b38dac

SHA512
9031eab3a6b12f74d1d12f69cf1fcbcdedfa478eea92996e686bb6cc5bd432ca226369b917a1999771612006b4eaa59dc39c9c0dfcffee166847c95f2673cbad

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
95b815bd52c959ffc8be868af634f633

SHA1
2c50e81e6c6ed236707201e494bcff4c063a0304

SHA256
83fd78b12cb05343a0d695fb7663f14b598fb60dceb5b1d4cbddc9299be13a17

SHA512
8b52b01b57961f76f17a24fbaaf30afcdd64f08123a5c17d000763f4d5d987578e3013c3b05d0252b4a47774160c6c5e4ddb3dda542715856e6406cd2323a95a

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.6MB

MD5
402fbc78803a4dc26529c9262d7573e0

SHA1
8db8a4d5f80d7b88e557fb0dc6a7ff0391dadec8

SHA256
42906145a45e1b9b5bb4a575dfcbe41e9ffaffa33d259540f8c69d76a2cc93b1

SHA512
0ff25252c85b521dc77432e80aaa20265e9ca460b42c48d9fa73182eb29e2d8952d54c43a075876cfc106cac6c327eb6fd97d832228d765ff484fd321e75dfcc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2fc54e48eb3c0d3409abf24bb68ee7a3

SHA1
18559bb2ff3a7eb0585a922c13f653fd9ba79d45

SHA256
5a720795908482c02d238f7e7122620636891569b6958cffb7f8b1bccbbc5f68

SHA512
de11ab569c0dd66a0c7a055fca4275475899bd360c062362093eb80717af995ad8a4c9ddbbc73781ffa96d0506c8f9b7510b80ef1a5f7c3ea17beb0dc992d77c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
fadb218dbf54973533d04f5e4b7acc8f

SHA1
4ecf79e4667dadada55698f48d0644ebf9d82167

SHA256
2e754553b75c116850bcbad202753fee318dea60abea9df1b546f2fa7086ce22

SHA512
4befb19ddcb40f2500a953c78fc759665a8dc2d9e457481cf0f211a8fa2d8e998f7caaaa3d41e0beac5ba16d0ed1a128c84244ec2d8d5bc4e0c368865d1bd5a0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.9MB

MD5
77ad87cfa25bf86d1283c5961b7834ea

SHA1
858a93a3c13d7c12543877424711eb397b976750

SHA256
cb545c3d0fca4efc23efc38830714b3cc935dc4ee8881a636dad0e3026983d3a

SHA512
9887138aeaf773e50900bfd8c80cc94757e32e03af86eee2d05d1ba22fa9e41557f2fccd2e4a10ee43ba64e1a4efdda9a39a4c1c6c6454d7048c2562c3914af5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
4a374193ffcf691e35c82318cce31570

SHA1
a6fabbaf9a4806bc29903eb75a3d5c5356baf2ea

SHA256
26f9680967b61c8a38ddc49cce2fcad98759245ca01a962070dfd5a6ce7a43a4

SHA512
b6f7da023fce9739290f4fb0b0703e0ec2770276da6665b42b11a5eb6165e23c7d101c2edd31297786d1171c7cdc11ad384b8fe46743f0e580b1b1b91c2da2ed

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dbf2d5931685c59695a54ce803960d1d

SHA1
3277bd77dec2d5ca62b76e9ae331777c2e6ba079

SHA256
16e8418358481efcc88b55de5daacec1323e7a5f890727495db23755e6485ce3

SHA512
1fe1bae562c8cc8893fbf50db3eacb4fc12c044634f080ace67a5d42a7ad261489f31b52fe6734155918cd43409f19de7097267b772794903f3ddbdf6b07f9d2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6fd831d6bcc0783dac0ef51f7ad60eb4

SHA1
4cb54b798b8c44cdbe2a4f14e160acdfbf97a940

SHA256
52ded2d3e7496af79463ae6c2b754340c37e6bf4a65104288c7cacace31bd80b

SHA512
ee17df7ec1613b5c1abd43edcf46a5711bf74d4d4dabebc05254d108be37d064e7e44289ce432faea1da55535ad28080bc4be3bc32d563190855e871cb954504

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
418d277b4458857ef5405267835372b9

SHA1
c568ffffb18d28c7ff786c69e6480a5c42fc6ec5

SHA256
78004d4ae303d410b3359c0fdd30075c739ace0821b7f90f8bb27abd6c87439d

SHA512
331a150aac81cea14fde1c22998bb7b482b541504a9c6f60e6c99d4563e3e6decdec6da6b0202ab352de5b67203c4bb2d3969005f50b75c7163ab5270b4d9a62

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
ac983080a46e8ed57fe12a8649feb3b3

SHA1
efb121c9cfe277d06bd7764607665aee44487e9b

SHA256
b95df1c976e30969c4a43787d79fee9ea8a0c058908038d1aeff8b240b12beae

SHA512
24bf5335aff9499565034ced54cd07771b601b08131e657457b7eddeefe07944e70a3b9ab1a06b6abbecc966e1b8ccfa67aa6af8f4f259a62eddd9a55ce783f5

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e4e2af8409e5818eff7d93c90b9948b

SHA1
6d1f72c63cc9d539c3232ce892eb8ecc36d1f413

SHA256
422fa7ccd2a0366bda468c946262ba652f934ece6a9d13be958808d849c4d195

SHA512
fb7bbd18410a89b95608304fc6714cbdbc08d4100d702b18646854f6ad7d7c73dee6bce931c9d61deb58ca1b15a4c876eb861a87d023b9b6c3c16e4933752ce3

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.6MB

MD5
cf4a8fbbb7d586aae5e5430097c380bf

SHA1
63b27bf8201feae4359fd36701f2b6675df48c0a

SHA256
238af7795c34995ef59948fd2cb773c5fef253627b2c40f901863787051a45e3

SHA512
48cb270c6e5322b7e346ce39d1e14aba1f2e4e4f64672e8b3ee031771b434e0863386c3986eae7f935633f87d8dab1ee6c813e5f441290c391851556aaefda4d

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
0b5505cec5cc232dddb1ed65f1af707a

SHA1
1bec440b2e9a54ff6c4963abb48818e2db5fe00b

SHA256
5b309fe25ddfe0d2a59ec5bef34f5d2e9600e084b728787e803e3fdc500dc9b6

SHA512
e4c9fc98e9b1c2253e4797e028a000065d111e3cf440f68ed10ceafffe039abb1d70027e766ed1491ba97ddd244bfd406e2c01271f6c8a83ce95f758ad9f5899

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
50e8b22df6d5469a56e106358461fcb0

SHA1
a9f2f3de964198d71548094abc58df077a1894ca

SHA256
0ce0f350e9e5631c3656bef4a27929afcabfd7ca39c046c59bb9a9334d062a31

SHA512
fed2451ef6a1057fa12e3fcf5c71302fa211d60daa936b71089d54183a411e0bf5a2bc688eef555982fcea517e53e18948dd2099999c0be1f286932556b3a8fe

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
cea17103a8eff7022c6470f35366d081

SHA1
5007daee1f8aa48be3debe939a6dc2e7e86ccef3

SHA256
8c8f362c0bd41d7bb5c218b78f14b27598c207281b40b4e38e51ddbef0b3cd1f

SHA512
a8f153f7782b003f3a760705c847662c41376fec3b4fbee6e7e8409e96e0cead58612d9c3ce54e16a35af17d46dbf94c30139de78a28e403ab38a7f2a3d90470

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
e83d66c7f467166ca130fde3aaaaf577

SHA1
14973be73c0150909eb4befcee886ba9f723d3bb

SHA256
7e20f71814c772ea481807b1f51e82d44a8b222a0ad3477d704ec92957128c31

SHA512
d0b522eaec4f5e208e33d3a5be12ffb4f861f3ff03fbea0a2b13e1ace4ce470022d762461ab2345c1cad5c9ebeefd45ac63bf66f5128a7c3fa7d7abfda3fc7af

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
223a3e79a92e06ec33881018a864434d

SHA1
82ee76e73f2fb8b7074e866a8c701ae91fa2e2f8

SHA256
2eb14b5b955a060a18ac263b43d5764baebd437862ca708fbf1e410705b6d791

SHA512
c93bb248111605c3c8971d6235c7dbdc36e8cb7efa52787391304528cc465e4325aea0a953db08cd4fd9bcf56aaadaf1e4f8967597558a41fc54fa59ee512a40

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
a13a7ba72a3fd48875782f7e70653301

SHA1
811f98f76a096ce5abb1fc8435dd75577ee58422

SHA256
58e46ec70dd3756633691b2e5467442bb776b3d257786287c4c20c1b969cda77

SHA512
af82552c2a5e6e41bab191ab242f528fca7bcc705be4bfee6f497e071bd214f9082de6aa0b60f87cc5c4a6e19a9acbf93b2caae0ed8664edf08d5cce20f58ea8

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
2df9a041bfbda6c367b1a397bc38c528

SHA1
1bfe3820d6f2ed7cfc12136089108f75b03ae978

SHA256
3eaf83041da5ad1e25d17e1de163aa762858ed3f5b9c3a4b65ea36ca3db48ed8

SHA512
fb319afe08819b0b688b087a0cd9e8d16f1189952dfb197891396cbf1f14399488d2e609e48ce26cd28f1f4623025ed0c154d526353f8a7951505bfeb40f4423

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.6MB

MD5
02c4f1ed658c954716d557bc5cabee75

SHA1
01e23d702febe70561c999cb1421a1f30786f4be

SHA256
c5494d20a976ad9ab0f61bc2cd7f72f479d8cd8892f0569332cbe720aa1e4e6f

SHA512
04a1f2008ef888eb693073657dbd446fd5017735467272ef3032cf70af48164b2315d6e78550edf2d9a1543e89e9fe0ff64291ac251c687187b6ad51c934a2e0

Download Submit
memory/392-301-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/392-186-0x0000000140000000-0x000000014019C000-memory.dmp

Filesize
1.6MB

Download
memory/552-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/552-1-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/552-6-0x0000000002450000-0x00000000024B6000-memory.dmp

Filesize
408KB

Download
memory/552-475-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/552-155-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/696-314-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/696-762-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/912-274-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/912-157-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/912-156-0x0000000140000000-0x00000001401AA000-memory.dmp

Filesize
1.7MB

Download
memory/1100-31-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1100-33-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1100-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/1416-168-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1416-19-0x0000000140000000-0x000000014019B000-memory.dmp

Filesize
1.6MB

Download
memory/1416-20-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1416-11-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1524-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1524-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1524-134-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1524-250-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1768-763-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1768-334-0x0000000140000000-0x00000001401B7000-memory.dmp

Filesize
1.7MB

Download
memory/1780-121-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1780-114-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1780-238-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1780-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2168-751-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2168-239-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2604-251-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/2604-756-0x0000000140000000-0x00000001401F3000-memory.dmp

Filesize
1.9MB

Download
memory/3160-151-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3160-140-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3160-148-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3160-146-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3160-153-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3220-275-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3220-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3740-757-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/3740-263-0x0000000140000000-0x00000001401D3000-memory.dmp

Filesize
1.8MB

Download
memory/3880-313-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/3880-194-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/4272-289-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4272-177-0x0000000140000000-0x00000001401C1000-memory.dmp

Filesize
1.8MB

Download
memory/4344-215-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4344-697-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4344-344-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4616-764-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4616-347-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4676-758-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4676-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4928-38-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4928-126-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4928-138-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4928-91-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4928-44-0x0000000000E90000-0x0000000000EF0000-memory.dmp

Filesize
384KB

Download
memory/4964-204-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/4964-325-0x0000000140000000-0x0000000140186000-memory.dmp

Filesize
1.5MB

Download
memory/5020-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5020-759-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5076-683-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download
memory/5076-227-0x0000000140000000-0x0000000140187000-memory.dmp

Filesize
1.5MB

Download