9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
25/02/2024, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
Size

1.8MB
MD5

683556597e89f3d7d682cc6adb6b3407
SHA1

5293755affd042afec7efc193699bd26168aad26
SHA256

9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6
SHA512

b3882501e020a33ae40d921380e9954b99fb621c9b0fbda4af583dfda67209d14510166fd8d0f7e1f6fdfaf20587a681dfbc57ecd3f77bac8b1ed13547f9252e
SSDEEP

49152:qx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAFCks7R9L58UqFJjskU:qvbjVkjjCAzJQC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3856	alg.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
3800	fxssvc.exe
2056	elevation_service.exe
4844	elevation_service.exe
1464	maintenanceservice.exe
4248	msdtc.exe
4856	OSE.EXE
3884	PerceptionSimulationService.exe
4484	perfhost.exe
408	locator.exe
5048	SensorDataService.exe
1160	snmptrap.exe
2268	spectrum.exe
4080	ssh-agent.exe
2904	TieringEngineService.exe
4800	AgentService.exe
4780	vds.exe
1492	vssvc.exe
1964	wbengine.exe
748	WmiApSrv.exe
2712	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\System32\msdtc.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\650ef2b07f13a950.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_es-419.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_te.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{D58AA4A1-F081-4C12-97AF-BAEDE74E70FB}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_hr.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_zh-CN.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\GoogleCrashHandler.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_bg.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_ta.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\GoogleUpdate.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_th.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_zh-TW.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM595B.tmp\goopdateres_ar.dll	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	elevation_service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000211eb3d1ac67da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000db562ad2ac67da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000015673dd2ac67da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000006a4bfd3ac67da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000022053bd2ac67da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a4941d3ac67da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000075baed1ac67da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f6a1ed2ac67da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ba89a1d2ac67da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2096	DiagnosticsHub.StandardCollector.Service.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
2096	DiagnosticsHub.StandardCollector.Service.exe
2056	elevation_service.exe
2056	elevation_service.exe
2056	elevation_service.exe
2056	elevation_service.exe
2056	elevation_service.exe
2056	elevation_service.exe
2056	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2080	9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
Token: SeAuditPrivilege	3800	fxssvc.exe
Token: SeDebugPrivilege	2096	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	2056	elevation_service.exe
Token: SeRestorePrivilege	2904	TieringEngineService.exe
Token: SeManageVolumePrivilege	2904	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4800	AgentService.exe
Token: SeBackupPrivilege	1492	vssvc.exe
Token: SeRestorePrivilege	1492	vssvc.exe
Token: SeAuditPrivilege	1492	vssvc.exe
Token: SeBackupPrivilege	1964	wbengine.exe
Token: SeRestorePrivilege	1964	wbengine.exe
Token: SeSecurityPrivilege	1964	wbengine.exe
Token: 33	2712	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2712	SearchIndexer.exe
Token: SeDebugPrivilege	2056	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 1300	2712	SearchIndexer.exe	120
PID 2712 wrote to memory of 1300	2712	SearchIndexer.exe	120
PID 2712 wrote to memory of 444	2712	SearchIndexer.exe	121
PID 2712 wrote to memory of 444	2712	SearchIndexer.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe
"C:\Users\Admin\AppData\Local\Temp\9767331ea1f758ce0e5c6af9f4f5d126626dd4e229afb52ebe8b03463c313fd6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3856

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2096

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2136

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4844

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1464

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4248

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4856

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4484

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:5048

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2612

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4080

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4780

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1300
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
960KB

MD5
4a2a722cdcf4719014b99c406a3e7952

SHA1
7a698df717f67f0fdf40106cb7cfce22b39b5f6b

SHA256
d7a3097d3468642e4e14de92aec9a5eb8e4facc2e15e1a3e49ffe2f696ca3050

SHA512
313e5b38d2ef0fdc216d866a2ec2ef3c19fb5f52b0c0f5396b7aafc7ba5580b67616bf97c786ba292e96a26a661a84b32b151a0398145f1f70978cde6bf42c55

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
476939e82059860ca0696cbbb80771be

SHA1
7538d5639c2ef0a8cb68f8b59e718ae8f6209739

SHA256
31143ac8f95d88a7f95ea0a953dbe5a7b12e1b76551ab2dccc7e7f0b73c2c24e

SHA512
e5dddbca505356a14473cffa6044dde90ff6819629eaaeb23eb933774f3bcab8975096fb491085d92f85d4fb4ff8ecc1f2badfdac1d76459cb4cf5f3049f11f0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
6d1223e3ab3d7780ac80808e03e78368

SHA1
7d232b58914dd31b619c1525e60ed4caf40b8398

SHA256
6f04673d45253c2abffefe0b67b54e286bdcc41d89b78b1046b674839c08c47c

SHA512
f2b3a8727f445b070c27b447c4eb541d6262a51127cb5660cab7dfc23a0c8365cc8f616ce59fcdfdce91664c7691803c1ebc691ece2ec66701ad49033086b97e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
960KB

MD5
7cae000b20fc655a0d71b34743b1f7fb

SHA1
636aab204d7af1dc59a7adfee9ac1b1690f5bd6c

SHA256
092ee5416aad2870ff298864042fa8152baaef198839744ecaa6958467a899f1

SHA512
b13c9f9372e0c76e8fdf1b1b2b15b5a056c1bdd8c6503ec36e864aa431d85d84676b04b0f2fd74c83b664b7823d7b6af265b3d6a4e55536930013b74b03a0717

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
896KB

MD5
3eae65b430cb9e23adbee8be2a5a9199

SHA1
47b012ced94b91711f5f42b4ef19e247aa9ca6d0

SHA256
0c7ae48a2f81748b9e39b8f31d2a2ed036f670926ea2dd61ed577852e9e73af0

SHA512
f4d74f01a4fd981d420c6398de56c227e27a6567866ddd9b68c3fdcf4d585ac75ce1bf8223002bd725bf46b0bb7fe47e1804401475730bbd1011b797f0e8fe5d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
1c7dbb188696909cb7c1dafd4095da8d

SHA1
961c4265de1568f1df84d63ff11bfd6dd6ceabb9

SHA256
266b93e99f2d199f588d15ceaa6d8adb5eeb8322d49c17cf0fe9ec8bbfdd3e4c

SHA512
e2d5c119205b1b10e9c32c562e9690304eec59994a6ed62c249c6b0c207046d0ccfa4521609081d9c966561e42e4f121a49852fb1cb1ffdb72fec0620b28a94e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
7c016573a6807b3dd0b104fd626584b8

SHA1
e3cd931f6c3f5ae4f238fe787b5b04ee0567489e

SHA256
51714e3ba73181e45c5f20b88abd4f7289ac4881e6bccb040b298060daabe756

SHA512
c5657d7e170be6e75b84a6d3b285b0360473280c89cf026ebe7ce1502468ef624e341460ffd0f801b5b00824bf858f8ca3e5f36564a42a57ce42c7593f645060

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8d70148b5e3233c7fa5170f13b2f4412

SHA1
50117bca57d33caa06410c4ae7ea723757e7be15

SHA256
003e31d24755806ebdb6003a2ca31254b6086352fe7cd2ed95329f54f8b21b64

SHA512
20c01b35bbe45424473c4538d000457ab31d086ef12d2dfc740912970717fba267c4f0e732a40d02b863ce57687b0d85331f6c39f2f62b1ba3bf49f100c372bd

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
063f4c1fc7c81b5c958fb08b0d55e5e9

SHA1
d26fe5dda52bfa02bb9fddc40508fb4764b83396

SHA256
e35e22aa1cc2fefb4c4ec1144526fa98c6d72282fd8a6542b0af9c237780e05e

SHA512
1818b96bbf2cdcb1e7ed48dd70c7ba107ff92e0fb5a0b98106a90a1b1db682d4f5aff1b60ca1ec8f72062d55ba1203eab2367e1a5cd3ef7ba628d36bb8292555

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
768KB

MD5
6feb9ac29d88b6da3ce3135842b1ecfa

SHA1
ec896f39a709b949c851340e81c9c42a0d174bf7

SHA256
9e43270d3e4fd4bfd85aa1393c39e9a73ea96716fcb99c5c5759b2ffccd51f62

SHA512
8371e4fa0d8865b5db6e3e2486d82268abe2d44ebc17ceeb9d91eaba3a398f15d5871c0be1e51133b551c1c6b7ce621be2d3c3afffd11bd2f2aaa7be0e67103b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
457fe3c830deb722dcff09a69769c1ea

SHA1
ed6f85a122706bd983fccc130012f8d345ad50b2

SHA256
b3a41b9680c255a978d2aea3d216ea0140e818be3603997436adfea8e4b84c41

SHA512
a8fc533415a3430c9c3744b1f9559015b51977fecd1af3e9e187b60199b48f8bf305733ff01e8a1ca38c2a304d6414b49f2fab452316636d1f167a1c16402500

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
ae86ac735ce2a3cb8d4aa7e4cb09a9ee

SHA1
626aa8d79ecca1b1e7b48701a491e45dcf967809

SHA256
93afbeef92c7a8e6442b85b62df87ab3e7e5ca5e2349d530500059c5cd27c81d

SHA512
1b10a7c0c098f686d856a8c54d3b1e5600a210c2a46449e29ace46e0f93fb86a421150c4babd378ce88bf98adb09970759a852694bd5f70dc7a92eb74e93b535

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
741be8ca25ceedf93191717d7e9e4ab1

SHA1
f3b26c9407adf870c523a2fc6878690a602b9775

SHA256
14e34ea444d0d69927bf95b822e88fca71149502ea59719b528591e1f97e2554

SHA512
3fb8fbb10354aedfb4cb39138799b0867cea9e43cd258e353b0e871c5e16f9b21cd3ec9427298a42fdb083919c30d47ea0f2b81d1d808015f2afdfa7d6194ef3

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
6269bf1a1e3c5a9acc61a67a8ea66079

SHA1
94fd0b7645f3fe89b94e182443742d63ea6d2886

SHA256
f7d4ec8cc39cc5ff1263075616c124cf02ba91170a5d847b81eef4e2495d302c

SHA512
af06f2b1f448d0a4c814fffee9d6aadeb3231533a71777974b6a555c9e5d98b23ee6e04980d3b81dc07809791874a762e5c73b84e77a1a83dd6bc41f0b359760

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
3.7MB

MD5
879a8dd798f3911ab1ee0fd86fdad75b

SHA1
ee74a110271466bdb8ee46570bf0e865b271de7a

SHA256
afba59dcab5e0c2f466a3ccde319d7de45de39296aeba036a2970140ee250df4

SHA512
941528e7fafac32287e7616617ae0178c7bc46218edfbc1693260639690fca15d098dfb698bc37fecfc7ee274a3999b87a1a5bc68f4f2b4126129926b73a3709

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
3.4MB

MD5
13d37c852e9f7acbd58c9899c71e6f28

SHA1
9d57a419eafea4f683b1410f0c0731e6aa6ee2ce

SHA256
2161bcadde12af23ec791690a291cc6a2799f29ad4040d4f19e62f963c975f97

SHA512
3874fbe29157609c47fc75b0ec2c84cce274d82a1af0225172f6783818041c2937346d1113c08581d7a535b09900b59a9529a286bf2f9cf943064e5725b17f2e

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
d803056e77f0394da7a1698e97c7339e

SHA1
e56b60508450c833d758282570d456f60384776a

SHA256
0ec59fa20883e7a9bad426501d165ce756779f4204a51bedb31b859b1809022f

SHA512
67cf0419c8de96443ff811af978e31e018132f724ce049bfc7329e00796d9f7f8bdf5e89955aecc3200b17551af8b8a624643dc7a392cf6549a7482175d94b84

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ec4ff3a4eb52e9be8a6309dc5f35fd5d

SHA1
bd7d030c6220912dbf22c232677cdbf7fd57845d

SHA256
9f5a25e6a580bbc63724211280e70c3e053772aa222960dd114b31bc4675fec8

SHA512
3a052d26dac41500f217f5a18e74a48fffee5827e81d7bd7f7fbf4042c3cdac83808537742b5d15056b1ed4a9c3b0ec1754a35d9bacf6e843c2f51d474a37b4b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
960a069f260285640b20550aefa52d0e

SHA1
664a43977d077b01f64ec0309f19426a65999ee3

SHA256
5b47ab8ab794abdb114f78425e880bd67207a56af82a8c9b09213639090cd9ab

SHA512
0ddb88c407f7b0fed4a61c7be278928b7fcc9bc140c9d9cc02dc2f58592971fdb2a4cab92ce5436932743c0d4660b3a646242b2a4d043afb2dc74e9978f13c15

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
768KB

MD5
f526d05925e5cc1a1c4215324cefeed6

SHA1
fe084b8b6e1703631a97022bdb2616f2b2c12cd8

SHA256
8aed0f4ff4a833301bdb853de32d935b818b907a6891d69af1ccabf848adca0b

SHA512
03fe522dcbbc5fa0ca2fa61a53e20f2314169c8e901bce3c79b36f55d65c09daafd69bd3a31fb20b7718ab86b11f81306887334b96cb5f4442f28349b0df698a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
6fa49e5db613c7df03e06249d6fc556e

SHA1
fba8bc8e6ca64949c1881f20404f126270d71509

SHA256
a22593fe8e845d84b049f34eba793a1ebb478c469cffd7834e80884b0e50a4d7

SHA512
fc6f8326004a5ffbcabc11cbbb0cbb295a8b58a28dad4a86f2c2091acf912219493c61369b251ffbc663ef216f6fec31c81f04c6f02f15072eeb7d3affcd0e8f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
3169887583d1d847f2d555f674725311

SHA1
3117f218ac6d38113464a88ad73f683f9d0f9a9b

SHA256
f752a4ccfac66556fe02653bc0b3d92e7962bc57ea2ef89af1b7bc9af919b433

SHA512
dafce44dfd8642170882d64b35a2d24ade4be516e450808a813f30bb2d9966078826a7a52af004a0377126dfb6803b91395609e4f684742a8ab505b9c6d6705e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
d14e31aab85e8ec19218fb38a5849f49

SHA1
43fb41127bee429c8978ee3debbd6938393bd647

SHA256
2d62e4bba21301abd09aa6171a3aec78af3f364b4aee578af02e505ef8348a5b

SHA512
17b386774420db9517003b65f0eabecec603fbf47bb9fb7a1cdc06c56b9bd73d0e5f622ead9bd084f7bc2c651d19fad66916f08fd785313c695290476c6e136c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
768KB

MD5
cfef0a7f14e689d863768434b162557c

SHA1
483d7e930bb6db3bda6307b657c772bde2ade8ad

SHA256
3fb632ab86d4af7b218757a60c95aff78adb2139f1103a4c02c19f2191889ac0

SHA512
6c8ea644ccb6de710ad1662efa6bd4012a5e874e26631d6e3c210607f1e3bf6ea140826b3216fa53fb1ec81af2b762bcd7551896859ac756c9668577d784d5ae

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
768KB

MD5
7cb54b6645349a3f3be61376116c85eb

SHA1
fe4d1949f37f8e4ca54b28e972597ed65d7b1f7d

SHA256
bafe46fc1259d21cd4cd4ceab98a7756445abbc66cf26a4290d53a1b334ea0ba

SHA512
bf48fecb1476f429a99c826eefd885d5299c53ec67b0125903a93d0054b66c6e81db668cedb4bc7020a5fc36d51ad83f24be2441a3d55797b69f899ca5aec27c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
768KB

MD5
67189f8532c07a446f5100b966cfdbeb

SHA1
baa03a874cd39e81f787c08206f972e77fcb3518

SHA256
5ce67ba3afebeb32b6c104e0578f43ad24701ce296aecd6d3c9d909f1e2f7a65

SHA512
5a1112397221ef6d71c1218725a69afef62cf0afc689fe370ebd3a89e3857ea92183fd20a31e68808dc670750ba3ab8dc33c4fd9c417fb80e70738cdf326f506

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
768KB

MD5
2b15b537e6caba58d5e8a7f4bfbc917f

SHA1
bc64084ae2017263d34c8f9e1febae823a9f8b61

SHA256
2c9914a2f5ea49897d5561fce6d7accfdad57e685a2c1460a9598e2e66dad285

SHA512
96803b2de309e9bf355e61ab4d2d7c267bcd61dac2bc027155b8ad06c409fc2090b94631bd34b98b8db0fc96405eb52c46589fea68dd3d6b3878abd278fe9bee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
768KB

MD5
9542a5a502eedcb7b928724d01499d17

SHA1
9ee07db4a6ed11f4b75c8aad09f94aa3123c685a

SHA256
036c18ff02e7433482ee02b650c4476e3f76d242fcb3df79015f64552a562f60

SHA512
54b76e01e6cec1109a08cf76f6052e83f54f99c6ad1d68a67e83adfee78d62564607b13fafb2c207a3d5db923dffc2b21ab6276ff8d16aa185e39635c937cc1f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
704KB

MD5
c015df1e93595db89041c83b85a9f2e0

SHA1
27a225da5b2d31324d8ec783cdf0218cf2066d1d

SHA256
065de2e3298ddf398c6bc35e2df9ccec5ec375cfe13fea00f9cd0714d4cdd009

SHA512
fc553eff2e45ecad181c7a66c36906cf84dbc9b19b8c69350e8550f8fca27cfc78a449a13fc727baaf6222e8561d42c8ddf74f75219e60a668535c0db9f6f260

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
704KB

MD5
46ac8a5d8d701a02c4a7c21f0ada6a44

SHA1
77c83c0722ceec5dcb7a72cca13efd733a9e9b8f

SHA256
c043e90505b685ff03892dda88446221a3b5376faed13d39245923f032005424

SHA512
f5a1bc26805337fc1107664576cf254b58c1cb5914d5fe7aadb70b82ebfd10be345a330ca20027323ee46652a833edd07653ddc5d03036d05053fa21daac2416

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
704KB

MD5
5ed673e8f033e70a8a6f4ead13bc580d

SHA1
3de715e99918c6f18fb8cc8ec009a675281f1434

SHA256
dea57039426d81b1b35f3ca5a35409e4f5aba88c004be4f6d34003521b731d7a

SHA512
f33679bda44b083ab656c6710c492106ce9ba52b00cfb94e57ef549fea5f86da4bb3d8f44495ec575b239c9676bf1aa2c28bf5ed023f86e367feecabe2742620

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
704KB

MD5
993fe4c6d8ebf0cc4bcf9353128fab2d

SHA1
f293041d56977d3932d322caee96ce6708519c9b

SHA256
2273bbca140c4b8caacfd0bc70f3c140c109080b2dac868fbf5d09e88ee7320a

SHA512
12dd3597246c999bb17d14d8d2e1ef7c9a1b07602ba9f3ccbda15d342a1053612eabc18564674f120281f569403e943661da5c8c8bbf26ea7923e0b94cdab8bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
704KB

MD5
4193f678aeea54c35371eede2b512317

SHA1
5fb58bbc4d604a6ca0eb59ddf38e4cf08bd3add3

SHA256
6d2481943975ace6268fcfdbbecad417b81c0df82b7dba287383785d46437664

SHA512
d9f0008d4254071208b8a1de739ec30ca852a10e87599fe837eabbf0116a9c0de580cdcd2860a5c8977546c0e9fa89fa4ea9111c9aa4e609133dba584ba0e76f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
704KB

MD5
7be43c58cc7d487a12296e54442332c2

SHA1
1656a8f6ee455182e2dc2f27635291209f0fbfeb

SHA256
eb64e020e187739ca8dff0c6f1641ca69e69d0bce3190e1e7cc430608c1f8933

SHA512
bc3087d6491b4cd826b418e2185f8004fba40cfbf024ffe8d8ad312dbe6b11a5ae0664087fb9d441e8ccf25c5a7eff9d3f694038c464a215c0b18887f7e54fce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
704KB

MD5
1566207a0bcace3a71b41d865d0e5dfd

SHA1
4aed366e64abc3fcd076b41d1350ecff7d739d1e

SHA256
9435837b2e8ec8708c637dd6678cfe9f3016c631e77e1dcfd10841dd144504d4

SHA512
f98e581f4eb26fa4a12479ac2f702472c870a5d70b3bb81bd5745341406243cf90a56976a568c82ebb575295c591d71541c39cceeaaca3b384fd4fa7d5504d2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
704KB

MD5
0c0e6f4d3c192d7ce35869d923643ece

SHA1
5a032cd536866e96c19bb4a9e3bbd60bbd7a12d0

SHA256
ad4c162f7bd08014bd5d282f9e5e2d95ac140c173f4ef190f3673612ccaeb557

SHA512
298ebeff1fd59357fc209ae67f87b0825529bc41c5fa22eecb5d276556fe0dbe1d87d2430c9aeeb9067c7674988dc81b936118fb672d3b6f97563257251978ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
704KB

MD5
5731a7ad686b2a29260576a660cf1d99

SHA1
47bc425f00c191a3097553b71254524bd1afaae8

SHA256
f505c0f7e4b2334bbe24002b8003800efd79a81041e7efb2c5545d94c8e4c092

SHA512
965f2382fe7b4858fc35082f3ea15c80440c79a5ed89fefca0bf910e25980a8aa5ef2906a8f196ca73ec4c1e01eb324880749d72b9e4a7cf2dcc0a0d31e8e264

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
9b098941e99293d40bd747135d9f4d10

SHA1
89c26187f0e275e59a839b120956395e19611aaf

SHA256
8e0e0414b163070e53514c2893f3fd1623dbefaab9e1a53a5ec4037b2fc51f9d

SHA512
c0e531bec3c0c356c88328d0316c06cf39f12a0c1e99581770b768d12da78c3f7af98fe083b509de92dd549315d9a4164107aa0bc63b3a4ae876eafd9f866c9e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1330797d96d23873993b5757f1563ada

SHA1
8a94d1a81d84f3788c6daf1f7feabca9356acd23

SHA256
f3aaa3186d4648b55947680f1a958c8083df53b200feab89189a50732541e2f1

SHA512
9a6387ad7249fab3c9e1effa83e7d2f8a8e007d7794c05194c8ed8092cacec8602d027af04907de0523c31a358db1de6a2f5c84166f5d23aae1f854ab05b43fe

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
813710b9a7fe066d4dce7b256a993328

SHA1
600d6399f1d2d0ebb7d6beaeafadc8c5d488139b

SHA256
38c895321009137084da67c63a88f77e602fb6e906fde36b8d27cea6511d6ef4

SHA512
a6316b87671a5913ee7848cbb063647bee81e84277993e8863e4a2c7586adad8944699b2d95d11e1a9f2701ba51be3ada44403206d68c4b32deb782dd17b3ebe

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
3420baf0952e635c90aeff9c67c63f3b

SHA1
f3c078a5ee0863d22ab0f8367811d62632378077

SHA256
9c2f7a530b0f7b96ec09e318fd6695efb68b04b12a813d09b3d82c3fab4a8077

SHA512
4c71177ca25d60c171fa4a68dda26aea00c3d841d935d072b261a657acb808eba6a27ab2b1781d4861223339606219db2904745e376d69e8b207968b1df2ac8b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
668a103638356fef41e6333ee1949422

SHA1
6589fe9a4240e52ea30088e4820613c97cecbf09

SHA256
4619bf1a4a0c2dfa1e790fe91717a938241f677cca769413360864881866232d

SHA512
788357f31dc1c009fbc77e2ea76fe514704f5719d4a1d1236f7b48a1cee1af248c2501d70462235e73a47a6d22b5babddf94b0515e0858a9469feec19729fbed

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
d4e582f433f89cbfcda9b3ffae82aa5f

SHA1
09674b7f876921c39194fee848a4c5c2cd37cbf4

SHA256
706c64ea94fbede91896db14d68c5bfa229285a455eb01224c0a6f49aa0dacda

SHA512
b206223ce09f5db811fb06106fc07c367b3f22d5ffe81b2dee37bdc249fe06b6893474132919a7d817ae82db5f61122eae820eb00f6f5911bc12c1f99ef58015

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
1308722bf564e09988cda860f1fde096

SHA1
f9acdfe97a74851d2add55d4ae7d8a7813ed243f

SHA256
5cd3a1932912097b9d4caafaed6256f6dd19c841d182e919eef78b46083c1b05

SHA512
cf21cefe9b42248c0e2ab14d633c5bae0ae513e5e3991b48b67e5e7874da91c371a6afab19dfa0420b328ffe48ad11cfceb9ce349374f2d59165176872aa312d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
256a0698fe9257c833e70ccb24eb0d08

SHA1
eba40035f35995a4957314d09d2131d4fb4b93b7

SHA256
d8f6f80a5d6d1a27ff1c5f1e76dff08f5e68331811e9831d840609c9fefddbe9

SHA512
4ab7fae41b12e818d3825a1774a8bb2ce4c5c7dc58519fdd2edc7e01734100d1c11b607b896ffd53b3e668830cde955c3ca6ed184a2d92ef9f3a9970e44244dc

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
5d356c9b78bec8cf2f66082f8759b0da

SHA1
403cf2312dc556d7abbfd2ca3472bed691f38d47

SHA256
de7240d0e67f0cfa557aac00025122c28cc8eb9df79038881fa4ea439a3c2102

SHA512
3536f439ab74ef9f12737bd9a05a3a19612a6c9fe869c4f61d88c43a34054a3b64654a95bc72eabd32b61e260c613c0dabc71e6b24023219f4c24519e07074cd

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d5008028f4989bb55ff39b16bf904089

SHA1
c22aa265a9c1e46290f3a489433816bf3e58decb

SHA256
eafb9f3bbcb9ad24b0c9de092cc2c51e02991b88e1c8bb05f738e805edf787e2

SHA512
3d19c9bbc452b91d54d951440af9ec677f34b4fc081673e0f71b07784bd39da7388ff96b0645374a11d07f63d96004e7ed53aba7264a4256c11bed7410e422c7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
61e3e15da43fbc374f4b5b1ca493bf62

SHA1
97e0f11848f43fdaeb642c620b8bc8ca1e171092

SHA256
66b8bf2f8347424b96851f6d6cc7537b88ba6793041095a7676ab6a1d8a0a154

SHA512
5567bb1e359191dfcd1ecf87fbbf960ff8b22510a95ad6d5da2afc9a55810193ea459cfd662f891cbf761ef8e822aeed2ae9121da89a615994e8a8d8d16e857b

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
6590389fc813fbe9e904beb306cf3551

SHA1
ae2a21f63c4ee28da0a08197a59aeeeedbbda4d6

SHA256
9a1b97adf37d51d0012cf86fe8b182ec8ec8095c360b5cc11cff84e8d4690624

SHA512
277d2944bda55efcfcfaf45f17843c394bf0a901104e6c2f4b2210841403cf7ac61d7c04ed1297c1c1226a0a78e51cf0d23d49ccbfdef5f1e9adf03b08ec3960

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f6a8d36f237d1b84dbdc64324ea6b563

SHA1
f95a47190d284f769d3ac8d9e6f45e834c2053c4

SHA256
fccaf5417041a65c4d93e0fd47dbb2a34403111b2e234802fa87f0b94be26795

SHA512
023831fd8dc9bdaec061a2588fe8341f14bf40eb598e0dd6185033625bef5356e03c9431df6d4b0c4886747a19366b8c3ae938621bfe48fa0e39810fbcf03b59

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
0293da39f0a8cc1a26ab529b78759ea4

SHA1
5bc65839f4169a7e8e422451582509fe8b6f3941

SHA256
43d2e87e39e17bae063b968e78d54747045faffc354d7200941c781cd9c26c27

SHA512
3cbf33b28f90647c7dc6789cde06ce28592ad00573009332da6dcdd5cdca42270eaba346d23df8d79aab24395a778b960ec49014ce0d2c0852f8089e91f46b85

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
6ec23098cd1002b62901424edf852f71

SHA1
809402fe6fda370372e4fb9ab6e6a510ee4c96b1

SHA256
91eafeaa7e083e87e3312009bf63c1b5c7feafc544b194df2de387a3d7014862

SHA512
307e68d0acef3af544330d69dffbc7267275b7680288475280f75e6effa22e4b2c9fe5bd1de775477e000130df9499ea63a91ade69a192e1e887dd2830db085c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
192KB

MD5
9571a50aa8031e236a671fab7cd2de47

SHA1
8302c767e26c9903f82f718df5a024590b6d634e

SHA256
cbd85b129637ad7ae37b285551ba8f1a3798fb93505dbeaa62ee8bc0f3f08492

SHA512
6a943f20ad778a87566d622f3a3004b17361bb4dd8f6f2efbc152bea427af6b0e84deaae3b0e39f3a65f053ecb63ee70d631a7d04511db0bc30a3452d07fb7ba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
2ca003fbe6bf88c546de6011eee99e13

SHA1
55bff4f8a3ad3983169845b4bfaabe06c17268ff

SHA256
371402e6a430d15257a94554dd6e175e1e422235000c3b19512c194aa32569ef

SHA512
dcf9aad2375f365a2b19f878137ec76d40e1de2c330eb01d662f157ea88d28020266ccbd27354d64551e43c6cd6b22b1bc141f6ce95b31baafac5fb02b1a4add

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
95c0e6544e5e116b228b4f2338e76fde

SHA1
af8428a2abac0188e9757777a83b3177f373409a

SHA256
14848c6098b01aef21bb938d85ddbd2a84debf0f08d525403d5ec662a8793676

SHA512
17a79ea6eecafe7701dbf86eac09366d5a70ed5ed2acd54e2869ac509b0042e5d1e4a1a04bfd5ca13a10ad1e836a739e3509ef1c98ec1c85bcb844300ecdfbdc

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
1.5MB

MD5
44bc6d32cf903623064d9fbda3de9d1c

SHA1
d0fff0e41a2aa9424152d24109c5f68458366d12

SHA256
f93f2ee9c3fae262586dceed3a922c13136d75be672be634c602fb55461cc267

SHA512
79877b0743f23bc3713ae386e2cb108523684f713cf25e2d2e45e007e64b942422b6b6fc12d1887b404cc340ad725ae05d445a7eccdee1779e2fe170eed78dec

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
43f54d8a67a0c7fa1f78a6df918ec645

SHA1
90215bdf01315eb852206e1b90c5bcc363b33e4a

SHA256
070252e52d4c5e6e5d87fe90739f88f482986c2d9303cbd872481047877a33f0

SHA512
e5d35e428b47951432e33ab0528a7060848e945c71db731d45e53f9a4a5ad432792695600dcd99f3dac55296d65a8bd29845cd1a11670288ab9d5ad98090ffba

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
b5ba6bbb29bc5ac2bb1c1dd63913e497

SHA1
35e3097a8e92c5d9c0b506629b9c85214aae88b1

SHA256
66487838fab92e08986c61523f098508e41267cbaa1f2599138c9418bcf48ca5

SHA512
a9976c051665bdbd66b761c70ccc8dc0af4bc32594b3b70d1e6f155a855c0e528b79c6de6ab2c7d193c1858b62cf06a8aca00aa844e963306ed7f1a148025184

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
4881d963e05028674381ba5de66aec10

SHA1
07e18b7e836c2b38997b603f68076e5460216ac0

SHA256
132542279356b730a844e4bafa46bbebede235c654e4553ebfa4fbca90877015

SHA512
38a3b0a3f6792116897d1d661913c3ea17f594e232efb9be4eb9e9a2c2c07f67d3dce6ff64b66af2a17a5db6f39a6ecc8402042770d5901bdce3298fffe8025b

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
374dc23d8fc3f228f5af5e920bfd3747

SHA1
d6b9e0b13edbda92abb541a35629cf36fed0fb4d

SHA256
baa64a7a63e6e53d22fba8a66e2e03ad70487a59c45ab9b4817b89d10574dde5

SHA512
7cd9f2f3a50229c203d10d512e8853b97869a2e4e5d1b5fa76a78aff792217359fdafc52038d80b060bd77f061277c10973edfcfe9e7a2bfae866966d1d6e141

Download Submit
memory/408-184-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/444-610-0x0000029B3E0D0000-0x0000029B3E0E0000-memory.dmp

Filesize
64KB

Download
memory/444-614-0x0000029B3E0A0000-0x0000029B3E0B0000-memory.dmp

Filesize
64KB

Download
memory/444-590-0x0000029B3E0D0000-0x0000029B3E0E0000-memory.dmp

Filesize
64KB

Download
memory/444-588-0x0000029B3E0A0000-0x0000029B3E0B0000-memory.dmp

Filesize
64KB

Download
memory/444-591-0x0000029B3E0C0000-0x0000029B3E0D0000-memory.dmp

Filesize
64KB

Download
memory/444-589-0x0000029B3E0D0000-0x0000029B3E0E0000-memory.dmp

Filesize
64KB

Download
memory/444-594-0x0000029B3E0A0000-0x0000029B3E0B0000-memory.dmp

Filesize
64KB

Download
memory/444-609-0x0000029B3E0A0000-0x0000029B3E0B0000-memory.dmp

Filesize
64KB

Download
memory/444-595-0x0000029B3E0D0000-0x0000029B3E0E0000-memory.dmp

Filesize
64KB

Download
memory/444-587-0x0000029B3E0B0000-0x0000029B3E0C0000-memory.dmp

Filesize
64KB

Download
memory/444-611-0x0000029B3E0D0000-0x0000029B3E0E0000-memory.dmp

Filesize
64KB

Download
memory/444-586-0x0000029B3E0A0000-0x0000029B3E0B0000-memory.dmp

Filesize
64KB

Download
memory/444-600-0x0000029B3E0A0000-0x0000029B3E0B0000-memory.dmp

Filesize
64KB

Download
memory/748-482-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/748-567-0x0000000140000000-0x00000001401A6000-memory.dmp

Filesize
1.6MB

Download
memory/1160-192-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1160-420-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1464-139-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1464-136-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/1464-133-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/1464-126-0x0000000140000000-0x00000001401AB000-memory.dmp

Filesize
1.7MB

Download
memory/1464-125-0x00000000016D0000-0x0000000001730000-memory.dmp

Filesize
384KB

Download
memory/1492-565-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1492-476-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1964-566-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1964-479-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2056-101-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2056-107-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2056-170-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2056-100-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2056-108-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/2080-124-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2080-7-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/2080-1-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/2080-270-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2080-6-0x00000000024B0000-0x0000000002517000-memory.dmp

Filesize
412KB

Download
memory/2080-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2096-85-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2096-84-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2096-91-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2096-149-0x0000000140000000-0x0000000140189000-memory.dmp

Filesize
1.5MB

Download
memory/2268-443-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2268-291-0x00000000004E0000-0x0000000000540000-memory.dmp

Filesize
384KB

Download
memory/2268-273-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2712-575-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2712-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2904-467-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/2904-560-0x0000000140000000-0x00000001401C2000-memory.dmp

Filesize
1.8MB

Download
memory/3800-96-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3800-98-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3856-142-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3856-12-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3884-356-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3884-161-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/3884-162-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3884-168-0x0000000000600000-0x0000000000660000-memory.dmp

Filesize
384KB

Download
memory/4080-455-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4080-464-0x0000000000E70000-0x0000000000ED0000-memory.dmp

Filesize
384KB

Download
memory/4080-559-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4248-144-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/4484-179-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/4484-419-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4484-173-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4484-174-0x0000000000850000-0x00000000008B7000-memory.dmp

Filesize
412KB

Download
memory/4780-473-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4780-564-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4800-470-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4800-563-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4844-112-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4844-113-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4844-180-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4844-120-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4856-290-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4856-151-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4856-148-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/4856-157-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/5048-187-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/5048-394-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download