df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 20:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
Size

1.8MB
MD5

bbf6b69af230a218153024a3e2cf9d5f
SHA1

bcc4cbd46eccc70e317fef6fa778d7b9dbbbb1ee
SHA256

df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b
SHA512

886ef44b82468c18ff9132c7d81ee366c94e24dac6c00c52155354ba9554966db1b8fcc1f620133f6db8b1eff2fbac88da0fbdcbbc04e28c4cc3287b225e0e1e
SSDEEP

49152:6x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAp/snji6attJM:6vbjVkjjCAzJkEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2900	alg.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
5056	fxssvc.exe
2712	elevation_service.exe
532	elevation_service.exe
4424	maintenanceservice.exe
644	msdtc.exe
3664	OSE.EXE
4520	PerceptionSimulationService.exe
4076	perfhost.exe
1172	locator.exe
4600	SensorDataService.exe
1448	snmptrap.exe
1320	spectrum.exe
4824	ssh-agent.exe
2648	TieringEngineService.exe
3004	AgentService.exe
4612	vds.exe
1104	vssvc.exe
3028	wbengine.exe
1548	WmiApSrv.exe
4280	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\locator.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\AgentService.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\System32\vds.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\wbengine.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\System32\msdtc.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\488268a57d34635.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\spectrum.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\vssvc.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdateres_da.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdateres_en-GB.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdateres_no.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdateres_ur.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdate.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\GoogleUpdateOnDemand.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{703E9549-BDC2-4121-B382-D61E8F1A4A8B}\chrome_installer.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\GoogleUpdateBroker.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_74000\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdateres_id.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3808.tmp\goopdateres_pt-PT.dll	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ee6698a9792da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000073e2c68a9792da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000016690e8b9792da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003d1a1f8b9792da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009433978a9792da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000656db18a9792da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009492d78a9792da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d2c328b9792da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1324	DiagnosticsHub.StandardCollector.Service.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
1324	DiagnosticsHub.StandardCollector.Service.exe
1324	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3464	df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
Token: SeAuditPrivilege	5056	fxssvc.exe
Token: SeRestorePrivilege	2648	TieringEngineService.exe
Token: SeManageVolumePrivilege	2648	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3004	AgentService.exe
Token: SeBackupPrivilege	1104	vssvc.exe
Token: SeRestorePrivilege	1104	vssvc.exe
Token: SeAuditPrivilege	1104	vssvc.exe
Token: SeBackupPrivilege	3028	wbengine.exe
Token: SeRestorePrivilege	3028	wbengine.exe
Token: SeSecurityPrivilege	3028	wbengine.exe
Token: 33	4280	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4280	SearchIndexer.exe
Token: SeDebugPrivilege	2900	alg.exe
Token: SeDebugPrivilege	2900	alg.exe
Token: SeDebugPrivilege	2900	alg.exe
Token: SeDebugPrivilege	1324	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 5172	4280	SearchIndexer.exe	114
PID 4280 wrote to memory of 5172	4280	SearchIndexer.exe	114
PID 4280 wrote to memory of 5196	4280	SearchIndexer.exe	115
PID 4280 wrote to memory of 5196	4280	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe
"C:\Users\Admin\AppData\Local\Temp\df4217652db68a0f297aac958afba272ea6c85571496694230eddf542c3f070b.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2900

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1716

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2712

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:532

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:644

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3664

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4520

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4076

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1172

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4600

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1448

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1320

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1104

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1548

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5172
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
1ceb24e2bac44dfedd7584392509faae

SHA1
45a443071d26cf804a117e41732bd092ffc641e4

SHA256
0cab6f341d5d150c11392fa9467de012174df7bd968cebae93d47f399b9b056a

SHA512
248ef7389c5f08b66223f1fc797bcda7a1e2f859f24a0818baeae1955b9c8ca60943f35925eb63423539d94a79bc55ed932c68a731b5b934f20b9174703038cb

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
4bd4ecdc5f3c110fec1b039a28613175

SHA1
d7b89117532033ed025ea769dc428757f7554249

SHA256
a817c58124ccbb4da973233144e070b90b6d85904fc36a0a91f6046b2d01a052

SHA512
557995ef270b854e972d4311bd45a7013fdb94b205dad0c9421fc8caf05edde1c6f01711826a336cbfe38956ec496f6095ece9c89a8bfc274e21e731b4ce46e0

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7831c25d36bd65ebc83bed5bed8da9b7

SHA1
94453371e3de2a7146c8ec10fa4dfbc098515515

SHA256
0ff04c493b5c1c5efc550cc92488033853de3e2bccf93fb0da45b005d62cb1c7

SHA512
8e22baedee9a95f2934485a0e6ad5b66b9734b93cc28c8551a39ed2457c6d61888a4cdb9ef912f4e61b0b6d5e496f313d0af8523a60b813f17c051dedf74e2cf

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5589ffc528aade82ec4d79431aa00ccb

SHA1
f16935b7f17312099b6b91b7151a3b802b09832e

SHA256
88b24b651624ab5b20bf0abd44facc07ca1e539b63cb83a131e3c62829cafdc5

SHA512
55e09003972ab12b19c3dc419f377cc3d1dbecfaf99b84d6e2351527ac7c49ea4fa69587e4e62ab5f7691f0a9553abcd7ee99b66e2f6a8aa5d7596928993cfef

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6d38c5971788932d7dc278b88038adc9

SHA1
ee9d6a763607c19453cf8ef82bb7f97c63152f26

SHA256
fa085a1b5ce17c0ea299add0fea699b5124b50e503bfa0f594a95cafac4c9ec8

SHA512
d25d51797557d6060dc883e87151179307b6db0c2eaea4194b9fa686adbbab617218ee5df58bb38236b833242a5c39ba7bd0f54d90b9ab04cf11b24cb7cf63fb

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
c0fc6536b098f9963dee705490c4f93a

SHA1
abfb13ea02c80e2469b96fa0ee3556b0f3e3982e

SHA256
c6bbf9978ebfa4a4506b32962fe1453634fef9ee6dc3a3c13954356b595d0870

SHA512
7f90b1a0b19f29c743fa04c8609bec7e37e9c44af866f2a76632023bdef38312664031251d31d007567c08be6c0fd6fc21fe7a7e7f212be7f972f5a3f4caf418

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
b81b346ade2cdc4142f1bac266f78be3

SHA1
b2ff31b57160824fe7764f4f7c6aca1de52f95c1

SHA256
e8d49f2b9f79dea8af3635c0157966b4d3b109b27a354837f9f12d63b2970434

SHA512
5c47e279ae0ddf1a77db6309a96f887b938477421eba29f5d024c37c892f379e987922b011a40c5ed052500365fa92020205a6525e9ec4f0a901d7dcf7e67056

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
74514d5febca05d3a9d69788bdf784d4

SHA1
2c63ca04a7eadd643943529326ae3bf7b7783397

SHA256
3216fc24609363b4bed6d93d2e12f8db6fb260bcfdd7e80308483a0f0094144d

SHA512
f69b38ae393eb0b0264af8867dad0e73ab7f816dc76dfe888f1b0f461e84c7f3f6f9fe28ca492b77b27ae0ce38e3176186fc0f50c6556790fa7c7b6e0d308707

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c19160a18dfc4240a8b0973e4208267e

SHA1
f5d531e554c16ad27d0653aeb268d51c2e351d9a

SHA256
36bba6b60017cc6b47dd95b500d80acb2ea6e13bcec8cc3586f122c87d4cad73

SHA512
7f766faa6f2c317af415e7dc413bebb9662283065f1aa9c5a7c9b42a03e8272f381943ad55d838e5039c1755f73ee24df47c814a5caaa39fd676c2be02358dfa

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c2e3deb49629f4f5849929fca5cf871f

SHA1
01fe9a399644f212f7a55801730e5052d4b967d1

SHA256
7e7c00bca21c322c8fb35beb4f518aa5f66599280f2c0926251eaffa5892c93d

SHA512
db3f63c209461040dc7b9ca4cd5c6c71f5ab8d2ca273818cb5c3b58667b3ab05b4bcb30118dd76e2869c59fc3a02453a586fa8cb577b310bf559571589f5eb39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
260bd1650568c1ef6b8552db7aa94509

SHA1
b3db8225f04e6a44f493fbe80271e2eed702fadc

SHA256
32e463789f8f0061544ba2572c9b51333af055416487259f571fb8ad3a2bf866

SHA512
0ce8f95bbb56940cf05c50ebcfe6438bcdbfec723c564a3b2e353e14d1e92770467d42944226f069f5c0298c045a68e71388c8bf24547b76f7f303aea6297e0d

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
60d8162fe91ba47e6935cb767500c58f

SHA1
93007aa5999c07af36eaffe267bd8771b1fde410

SHA256
3c642350a0bdecb3def1918a30bcdb43d5a7fb400726c1643b815cfa64c7fb1b

SHA512
753aec701810ffbbf57ee3973fb6a6dc25ba7d96883bd6bbd6d3fbfb22925e7e2e70b1a8572c1c6a3dfa5297fc22a5fbc0ec68c7e89f724dcc9feb9754f01b60

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
639c9056e831b9c5fc0b34f447a73fdc

SHA1
4af56a095fb5dd66cbe5344f151bbc9cbb1c32f8

SHA256
0a6a5f514aad7014cc5fe62d7fd84ca2cc9eaa3bd40ab324abef5f260977b56f

SHA512
faf270b94a7bfcd3510e9ff2389143fe35e9fb63a2fad9c2d9af292414bc0325b38479211b562e309f34999a54733880c6301f31d0add647babe02936d1f882b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
02c82b7b7eb134f0d12426b7da6fa62e

SHA1
0f9cb3f39724e0b5ce209a96277a6917623153d9

SHA256
21127944e73eed3597579392b82069f56bf3f00cdf3153e44c8fba1d9eb700c8

SHA512
2642919a7b8e850452b1e1e9a2521bf6c801da669272d8c21b0350c4c4123a5c2ca677834a3bd0772c233392743aebf0e45f07b321bd01f2aead8ee6f9a744a7

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
da777110b05b9c253c43a011ee504b6c

SHA1
6dd57fd5c440abb73020d5769d0c13dabd699a3c

SHA256
612a372e1512eee30f48ad58eefd51f98cff370ee92dc759ffd12c5c1b535fb6

SHA512
bd62d2fcadbcde0535c8a57225333b7360eff9f0b391294ddad822756e5839f14b578c28496980122ae483694c66cdfa9f50f04d3f98964570315011addb3267

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
ee6ee709c3a6077dc7caf0a3c4fa97b4

SHA1
cf90fad6262931b6c7d759bb6f7f79dbbe79a39f

SHA256
883b27a0892879fcbe522279d317b54e767304a0990d3e24be8be7b9d2ddbe80

SHA512
fc5d8bac602580ad261e7f4300dab6ee7dd9ece1828ec87afbf622d275dd5203f9dc8f8a91666893ab7132b670fb804bc9f172241407061cdc57b7b3178b265a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a88e0ff53312175d856a677e6227ff72

SHA1
eb28a0dcbd81c4c53401317d0aa6be4e38ba9864

SHA256
5e80a620023685865928cac635d0c60277a1f388bf2b62ee617ea10d81533467

SHA512
bd827169ca148ded87da30e60905f4ff966f74a42c3c43f40b402401360c261566f1dee1ad032c4f517d2edfb2be603062cff0a96b9f45567e218a307ada737a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9ffe0b8d24a1591ac4f54cfd5666ce11

SHA1
c3d38e91397c9ee745aae9ff416784a82b462698

SHA256
2417b1be597896dcf6e9558bfadb1f3423185f182f5926b661e44cbc4e1a6b31

SHA512
984f5aca1b9bb67665f5747d92a265360d423c28abb360eb6988b0b5295a2cc726882d5ab658864bcd0ac881ac2a73f28bba7cec66af81372d8e071feb61f1f9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
ac26f314c05b0d04d5e52f7f525b4080

SHA1
cd1d2f370f79a284e42c8fcb266222e2a5886990

SHA256
d0f507e2bccf8a32d5cdde30b9b21afe04b07844b1504695021fcf35ab9fecb6

SHA512
98b7d7fb3c904e75d83f7f02642761dbff84c7a8fadc23578447bb67e3a0af3bbb6de93a23773fc3bc6766f65b26d29d52e900343dc2f0fd1e1987978a938e85

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
b7db41dec056ee98d2c7dce3d98bd98d

SHA1
db4d94383cffeae7da6bfd98654a79e7c5e76321

SHA256
82f672316e271cbdbd2a6f2c0e19950a729674288665659cef828113d48a652b

SHA512
50bd039240e5eda20d22d5113ba962c1c270ea6258e0c631287735609123031273b9bd16103ab72960cb416f1042a8f2542d3ad52099ff4013568f0d6724e5da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e88a8c5f82a56bec4431ca831faf5794

SHA1
3a6c2c31e44d5c8070965be06325905878459f60

SHA256
def64f48ca4d94702b899a99f1d2fcf50d8752e98171aef0cffca57d8e5af45c

SHA512
17b51c3babd31855240333eddffb1629cf2bc8607a151c14ee3a2b6e2c49160762e1fcc62949eebc82de0c4f9d5e0ca3e3e630585183c196cd1fa255a4c4b8eb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
9cefdeab9353aec7cc3497f5a99378a9

SHA1
7019a6deed2da34f63ab5fc7c527b18745bb0224

SHA256
c6f9486043e09d28f1778b7545dd0e699b6628275dc8cdb40de0b8d61513a3cb

SHA512
66d11b9ea6e56543f23bdc2e5712dc85fe3cc4f931bb660868735467ddd91f715cac6e070f82a37ff768e2c7123ec1c851b8a326144a76f83e146c2151af9633

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
ba4eb3bbff876b512070c1a6148c87e5

SHA1
97a5d1b8eb2fdeaca2080fbb7905c6b23a174d15

SHA256
5a95dce913d6719c5b43fd8565318d762983d3753565c65b925302fa182ca781

SHA512
c6ea9a4f658b9a5d2435dfd8b7d2f5c883e1b5d549c853a79c08ca98b3f56aa206f8be07d253b1940f4f2a41d32b108ffd7516f834c9cb57c7b3aa5380abcfb3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1116aff2a3d5b5b9fbb943c5db23656c

SHA1
f9f7938d8d8b74cc6b6797b506bf79b46b8325d9

SHA256
927fa68759861cf61362a23857c50499f8fa69a1fea84f42f60060eacb616304

SHA512
62ba774ca5d33aad3e4d0f1e75a180e4f61de33c267549b7e1dbf5ca329abb066e4abb3773d269567a35f8b48dc819b8cacbcb33a0e58bb4218430ee82fbe992

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7dc66b13b1c30c5e96ff397bef7b4f63

SHA1
ff14b6d265b4ba78aabaa6a0c09fbd15d89a66c1

SHA256
3b1d3fa46e3e1fe31cd19c52b2e2900199dd877f5d38fe0a6189b8f1da901f76

SHA512
b56d4f962727052aa147224e5028415df92251199b3c48d46342df4fbc3efde9ba62c9458e0b3cf5cd856c7ed81d54215ae91fa07338f0f537efbe65401c8f37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
ec81c42ae2b5438d39f04a2de6dbe64f

SHA1
159905786f748fd182cd93d2607e2e455e957222

SHA256
39f164e6c9ecfd5ab9efc19480e24b02511dbe3a9e1288daa859df8f3aa8e758

SHA512
85a11b03dcc9453119aca7beb1dc6fa28922c6b15fae7349e2df65f757f2b6af0ab3fd81af76be68c7e0212fbd96c4a87816fc5fbd01e75f286a971dee8d8e29

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
fdf1e2c4ff8f73bc5789268ed057aa0f

SHA1
0a5d51a40477c72afd3d3ecf76e75a7bd875759d

SHA256
961af1ce01687dc49e0e52c68144ff97978f175687fea55deb19e0904dd6e297

SHA512
e87664da03a44a98922bf04681a92fea2e4bf1b2393f6a7eb435333cb97f808a8fa03701b7f7e8a922c51765f43305416cf3d6ce1ca6eaf671c1a807dda80813

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
76a6a324b915cc0dc53f57916314831c

SHA1
49a468972740594a6a06558e5e6222c8cbf3a764

SHA256
5288caae2bec92debcdcbbb9cc2c2fe528846c880ca96a918130c7bbcfb71b12

SHA512
a47344b6fd334617a8ebeb8b0816a946e58edc8d4a2a6925f6882035d59d48ee49c39e4d33f7323732e5ba087c4bfcbe33dbedb3e81157ab7990612ae07ff065

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
32fa6daa28f3ecc1ebb1d408440b49b3

SHA1
a25bf2341a849d984b228e691527a5afce711622

SHA256
3f1b84595a34d9ee2a0ea8f28f434caf38bfab4a47f48d596e26bcb330d7ce30

SHA512
c7a65d7206749ef446e000cf513ac3ccfc7ed429c75b965bdde4189a7b4f07c0bc3377ec7d77f3a324af25f27327a8eefda1a7aef98de40cd04e49209bc70f02

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
e983c21f9c16d9c54658411f903f5b77

SHA1
ddc97e0b123d03d5b3688134e4c0d54c9825f90b

SHA256
19e42946836020fc528defce2c873bd6004c33292582a53f3294b71eb90429f3

SHA512
7e27af7c04414bfdb7076370860d44e85e1a289416d849f5b640801786fae43ea516eb43c62135c7c790d2422e4dea2b8c2dc13d4e3bcc927f0e8fee5d08f34c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
4cbd4d3b16c47555d80881d87831d7ad

SHA1
1d0b7aefc491a4308abb3c873ad279d25223cec4

SHA256
6a49eee2c997b895ae1ef0d031453be3f794ef37feecda0389a860bccae6c07d

SHA512
058d23b6ddb2c6690a793a276581b51b6e8b5ad9733c5a022f3b874e52ca7aab4a0b2cdd112286794353c4508515ba81c05fd3eaa5d78da8035de77a68040c42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e0e0cbbe63701d17f29b3a5606a3fc1e

SHA1
4ddf3ceb17e96051bdfe5600d534da3fac8efb9f

SHA256
4f0e48642aae901f2973a78a3b88420759847d45e34f181e75cfefe16c0e0df6

SHA512
adf0ab4e835aaae33c8acf2168fe68cfb75ce4ab9c8d3cafe6baf10b98d6f109529c8459eae4278e58f0ce2ce2e3227429b347fed944443e1779a888a9b12326

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
323192092864a064fe7aac0ad86d9007

SHA1
f3d1c0b41e865c643fe5d34c5e59a760228d49ff

SHA256
ac1fc6b52b38f26a3cb7353732329a31b82b0edb5e7ae5374c52393e15a7351a

SHA512
d5b7d8dcd4fd7254427bd1b4a3b868e5000f84629ffa99e73061b55a3a50e5d58ef4132f91f0359a46d537c02b53a1653049d3d12ea75590b68e99556079b03c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
06ff2af5870f614e923ebba6762612ca

SHA1
6ebc53971740655a4696d733473f1149cfefa28a

SHA256
1e606deb691b8d5254a75fb466d062cb0e1d4205110908cd55a7d50601c544e5

SHA512
bb3858f2e09602619009df123eda8028d1609298814231866e5d8542d9a131647e4c961f7d81d83e70faca2773065d5f569bf364dec47a10596100494aff45f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
1893940f409d51c9d0a25ed69328e407

SHA1
92b40130a7c032f4ac54ee81edbcfba1adc0f13c

SHA256
6c01b9aa245416e7e5d38b2b98c15ffb916df4bb5dd5c2e03e44fb2e2686d6e9

SHA512
02cf010063cb014035d4ea9d9813f312e024bd24a671734f6e10233e2e0dece3e413fab1f401eab5ad8ef8a55193f6da759150a48708e0a2872cd35ae00e0644

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
998e77f02b0924684dfeebaaa5634f2e

SHA1
7bde869971cb402c503aa35c4dad1776f30afe84

SHA256
c4086867cbaffd885c3154dc1cc8c508437065a7b4111e8da7deecaec0c649b2

SHA512
5559bd24a433fc5e6a12b95b6ddf2967d5e5ce5b8566002c995190040008737658b2da075636dd3ae2d5caeaceedb672cc906d6f72f08a2de7a8cd12984a4153

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
ece960a090f7683bb91b598d25587c4a

SHA1
a295e49a442eff510c66faa552fa8d2edc56ed1d

SHA256
16c054944472f914d34bd4e6549078bb9513f8bcaf58e882f52d96326f3e3c47

SHA512
d6c4466499f143f1b21ed78274cd4fe1fbe7365a243ca97aa0f031917d88e084b732f22b6328c2804051d022bb67da1fde7f20f947c211cf4a9bfaf0324b8f1f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
14b582a3be89095bd669eeb4f6ba4ffa

SHA1
d64e9ad36bb3e3a181008cd19dec3b0da17e83d5

SHA256
4d8d526765053cc627ae5f348abfbb69324299b1abf792405792487f1c98af94

SHA512
4efc4bc7114b3862e45c3a41dde10496e3157483364c482fe1ee40d4c25e5d0e346126f02693d05e2dedc65c7b302be80956f70ea1346439ef262ca9118c3b12

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
fd586f75a9d9d4d8d1a911cff1f5591a

SHA1
63455e9c85f0be376dc6c6c9ad2f49f82c3a6457

SHA256
47630a0681d021c147183c1e57626d5fc4faddf65c1451217377506a6d6a732f

SHA512
2f7c90da88e0469506040dcdde5bfb04058aadc253b330b2995491dbb9ec2c92e55345377490fabafc63e1d67a5b64103b33410375558df673aacd33feeb583d

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
86fc19d7770dab20013a10c7b4b8c5ce

SHA1
4a64d83809a64fe47e2a7d3508cc7924b8e1a187

SHA256
f9f406d4632de7cd5c347c9cc24657f8def7ac517fa5218f462964052d6dfabe

SHA512
fee75bbef185a6282b6985c196459f7a7bdf20ada85b5027ac987ff684f29018f46d207858287ea03038d59404531350fa21afcb66ab0a57c15cd980c4d5777d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bc31e536e16bd61918c64bf1df4712cc

SHA1
72e453f8578964aa3a724632cf88b6db5c5fbd19

SHA256
b444eac72e1ec1f3419d675b02b8cb1eb476c6a88a9e2dcc79aa510c1ede51c9

SHA512
a9813d4f01685b216f0fd390ff332ba944c7df58088dd1b09e21410fe85a289dedb428096fc22ad51e9ebb574c725e0c6c6ee7042130564c2d035273de7854ec

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
d9fee6d1816b1ed48a25b987efbeebf2

SHA1
beb24b08de5d7ccea7ab6f62375da1a0a41be219

SHA256
b1fd874e25fd127171424aa8b8205105dce850222d0096751726ec58a0a20d6f

SHA512
9eec1c5afc543d19bec5d057c16a1c5b67ea8f9f4e0ade5f7ccae7e4a098f8a307e1a13f7c0b44e4736ad1113b10e77c0e969137d2ab5d60eeb26bc0ab43bd75

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
347c6c46f766b4a2b87333ccd7e5a8b8

SHA1
9c798bddefcc8d2ae2be811578e97b5d7cc544f2

SHA256
1e095aedb31de4ce6308bc57421acea36d1e6d5c5b6813b727f0e037df8af39f

SHA512
374d677e8190beb695db15070f86db803c56505a61de9cd5c98b44494d3052b56aeee245faeeae9934d797c1eac3a13636185a470403d9d93e724376ce7a283c

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
08657b535aa04bde3d94355e5a4158b8

SHA1
a1234f062033e653672503d966b499f50aa7cfc7

SHA256
e98a57423de5c015adfc43549e73e651ec53e814e2f515d230ad7107214a9a68

SHA512
1f2fe1066a8d9e7684c0cc8ee6510bba40fa790a9f06dbb661d64bf1800e4bd5821e8962be172e053ed1d01699c9015368d4e38a2f53f061639f009ea3635ae0

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
d58d31ccab2d051539966d2baaa22881

SHA1
033d372f6b8cfe78e9c79e03b168c130f6d846d6

SHA256
d200b2a4212ebbfa14bf3f730e246cb01cc57f5db2091bb2072c9e4630a0fd08

SHA512
b0128eb2fd0c67992ae06dca3a39f22594ccd3fe95d32e794f1155b7822b368b143729c079024248734cb9fa1f1662ae4715bd0d865ebb08d12c2e8e9120236b

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
f87f03e8427f5803eab53fa0d9e16f9b

SHA1
86fb5ef860089cbc563db3f6d176181b1975b8de

SHA256
56391699db68e3f701fc5cb7c9ef9b22d9740a4e58c9ada22d71613bee5b6da9

SHA512
3853d2df9cb747f59ba783a2ae2d07baeb5cc8f2ed2ce5f9e91ded37d9f3bb45e6f56bfb925a3ddd8a0f09289fec2c4f29a690547dfedefbe2849e7df43d34e8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
8a1faaf6805bf01be7596fc71159bb3c

SHA1
bee61344a949eee42fffdccf726265bfa2be6e5c

SHA256
efefb644d7048642ab2491e791a9d173ec38970b9679cc3cc71d54c1b71673b2

SHA512
0dd8e1b2c2cc31dc4419e67e104907d4e93e5aa478c2d099e282d61f8ad5ad3a49f68a8afa6eda68a639c859cff1c2191f6bf1d8105e96393a9588d51ab6fd5b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
18a22f6b84f144a883dd6b512e22c3f8

SHA1
9adf90fe4aa0dbf3fe81a0e9a6bf2316ec9a0fe9

SHA256
e70f8929a6a6753695f9ae28cdf432a6332d5617f98d6fccf8c083088cb89003

SHA512
c7e4f029bd02a2cc8d36fa64122975f0aeb4d8635c81179160b0d92d209207b2a76ae6b91325a4cf95a97f903c4177d89f2095cffd5115167ddc1d599b0221cb

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2a1f749c49a29be79d5fd8ef4d97aac6

SHA1
c7818a54a7fd95e8c2f77c6c4ca8a33cd3bd481a

SHA256
2dd31dd295d69019056447135276daa7f2599deccd69d3d736c3088442b0f3fd

SHA512
89a30cd8a559db33ef61c965ab7d15a77d7fa08298801225bcb41491f062664700080aeda45468cd004d597e7ab712206dd5597dc8f54308996875a5b034f1b3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
dcfe505b3c9156300be25ee7852ddb5d

SHA1
22d7e40c79f146f288007dba9a2c0af9d3c5241d

SHA256
65c405b67fb0643a0ddf1fb4a2e6051efcf315cd6aa7644790e270b005561172

SHA512
9f88c75a837ff01d92b8c1f80bd4662ae1b149cb2313fbb948e4ce1490f17ef52d3b49ff85c6b464e6e2378ae98867521121f915aed41dbcd53aa51403219aa7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cf94715ed8d3dba3e3d0fded8fa7fca9

SHA1
b77f7983ebabe9a494216a53ad3c71e4d745d79e

SHA256
cce0fc6c59e59ea79ebe24d9eb8edebb351cec28ccea4d10223827c9c4c027e4

SHA512
3dbf482cba47ed1626d58196a2910ee6907afe4de29631682a63fb9c85e6756d2818934b1ab66042104773a21592df14627820b3fb7405caefb63f85f4ddc725

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
6cbc278d7c37a96c95755c73ca6182c0

SHA1
9b7c7eb75db3d229cd847f11e0feab65fb053bfc

SHA256
d42d1b839714b89c21669977c77128b1c0f9f8808e6418e4bc2f4f8d8d3bdea8

SHA512
39441d2d05165a9ac96c671187005c72753eadd9e7ee90efee636e5f8c295834151b10f747d6a41a6a9d8bcf6fd3879d488fbfcd6a11e28fc4eae8126cf68cdc

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0d5a34621379d28c0e982f51d951188d

SHA1
14b033304870d4615af30fb6c3d2235f7ca9811c

SHA256
3a4c7cdaa3186d81b973f41265f318de3f758b191720011f7eef8e9688ebd491

SHA512
a5ef516d5decc537484ba15d8a03c81e9ad6aad7dfe7528d9d7180fb255cfa177cc77d80ae905fdaa1a749ef07e0bf9182e7599113c225c9a25b89c1c9993608

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ff87bb4c4db780ca26f64cb01bd95acf

SHA1
0f7de0861c227de6b31fb5034a5b8a186056950d

SHA256
ef57a895321a57e7f23eb19268f7fd08028d8b4b21658f51a45777634515598b

SHA512
ea83f31155975ab40d778b090b6cf381871ff8d4d5d6b931b92b69879558ee84f15399a950a0f2f8e01e25cc0107e0ee8ba29a7095ae3cd96960de21192646b1

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c86b403663e3b4ab21a0a53020ab0193

SHA1
1daba313726ad5a5da05587278f52bde60525b4e

SHA256
3d30b829daa422f6df6f8b96376092edcdd4805bbc6da6913c40be6e5d17a1d1

SHA512
d85287c6b88199adffdbabafb3262b77d110299c7bf701c78106b423f92cff9f3cb07463dbcfdf4f2124e56602275a407795434a84e32de74e1a916569bc80c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
4978e79cadef00d710230360e73cb630

SHA1
8a8965619f0ae4505404d59d97b5317faa61c159

SHA256
fd9ede39bb931753035c2f0724b8ce6fe0c2c227fec3a18f19576f61a08f0cb4

SHA512
233f94178ec12cd92084b54daf52b983b6af4bd60bb9d2d03e6ec9ee5db7bf7567c0d7766c28e0fdd0bd171a76cd141edca7cd709fd70b7aaeaf4ce302faf467

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
c2f342f22f9a1b511020e55830a8d73c

SHA1
05e678617f511da9396b727e3f203b70ad5a63da

SHA256
6be46ce2d6b03122e942414080cdc95f225dec8066c73bce09c8bf74d3349237

SHA512
eb954d72b9cd8aec73b7b47baa3c388e9f8a4f63a6fd8522f5bcfc9f74521f060bfe28aa8acb998ba54045267f8aff566b395dc341eb6fbdf33f251e1b71853f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
07c12b71892b0dda201e58a335f89ec1

SHA1
87ea9daed17ab03c25234861a961a4aa8abb4b17

SHA256
6e6b9ae2db51c77fd2a935ec02d5a9406ba90c7d8a684a509737f4999dd0e7e9

SHA512
d658d7f76e2a9e115b8a638b2449fbd81d848b5d439d9a07362faa8b8c11af57329f958f7a2528f228c443e9ea24b576e03ae775a0bca9499c4a2b1e27fa3509

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
b6016f90e05f6e306d959e4af01263b9

SHA1
b7669b611c954a481969bbeb1d063ff4a933dc47

SHA256
aae924adf1cd04d9b082042e8b5ca6e1cc6ec4aabdd966081928044a449aa272

SHA512
cfd436eb2769665d723716dbb417c19d93989bca5945c40e6a53879d8856a211aed91d11de445ec0392e851fa8f54fea3e3a7c963c0493b7a5d4b3e82a06a7d0

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
20a8c337039be53425b54ac3aa82c9f0

SHA1
c594f3d3b682dafd91d0d4fb2d4a2a91ab05e277

SHA256
e518da6a5e582949affd16d5c677283d1298089b0926a930bb8a3c76f93eefb0

SHA512
e48f81a510d01eab75ccd375f473c4e038adf794328589d77609318804247ea3e5c068cee8727034035c4eeb7a9ee4aef62c92164c3558a1bffe201e67138a9a

Download Submit
memory/532-140-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/532-133-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/532-204-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/532-135-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/644-170-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/644-162-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/644-226-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/644-161-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1104-333-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1104-325-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1172-282-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1172-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1172-222-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/1320-263-0x00000000007A0000-0x0000000000800000-memory.dmp

Filesize
384KB

Download
memory/1320-324-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1320-254-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1324-100-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1324-94-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1324-93-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1324-160-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1324-101-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/1448-310-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1448-243-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/1448-250-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/1548-351-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1548-359-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/2648-284-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2648-291-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2648-350-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2712-122-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2712-128-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2712-127-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2712-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2712-120-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/2900-12-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2900-87-0x0000000000620000-0x0000000000680000-memory.dmp

Filesize
384KB

Download
memory/2900-145-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2900-13-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3004-297-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3004-304-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3004-312-0x0000000000BB0000-0x0000000000C10000-memory.dmp

Filesize
384KB

Download
memory/3004-308-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3028-346-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3028-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3464-132-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3464-547-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3464-6-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/3464-1-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/3464-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3464-7-0x0000000000C90000-0x0000000000CF7000-memory.dmp

Filesize
412KB

Download
memory/3664-187-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3664-174-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3664-240-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4076-206-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4076-267-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4076-276-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4076-210-0x00000000007B0000-0x0000000000817000-memory.dmp

Filesize
412KB

Download
memory/4280-373-0x0000000000870000-0x00000000008D0000-memory.dmp

Filesize
384KB

Download
memory/4280-364-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4424-155-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4424-152-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4424-144-0x0000000001A30000-0x0000000001A90000-memory.dmp

Filesize
384KB

Download
memory/4424-146-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4424-158-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4520-253-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4520-199-0x0000000000C10000-0x0000000000C70000-memory.dmp

Filesize
384KB

Download
memory/4520-192-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4600-294-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4600-235-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4600-228-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4612-321-0x0000000000B50000-0x0000000000BB0000-memory.dmp

Filesize
384KB

Download
memory/4612-313-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4824-270-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4824-337-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4824-278-0x0000000000A30000-0x0000000000A90000-memory.dmp

Filesize
384KB

Download
memory/5056-119-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/5056-116-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5056-113-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5056-106-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/5056-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download