f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
30/04/2024, 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
Size

1.8MB
MD5

f40288fade2c30e5ab6004987dd4b74f
SHA1

3c5af40d8f7d3da3478e02128ed7e2e50d994d5a
SHA256

f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843
SHA512

91abe3d439f7b2c67b7a6b4265bcecf045fe34b2422684e2bb9f36c84fd423334f744439e3bb451c6b6f2e45a9569fd0d2d00a6d74461d01b1c88f231d2701bf
SSDEEP

49152:hx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAJ6+ehliZ0FNOjnjkB4SX6:hvbjVkjjCAzJc6+ePiAsj/Sq

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4148	alg.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2728	fxssvc.exe
4324	elevation_service.exe
4356	elevation_service.exe
4492	maintenanceservice.exe
3936	msdtc.exe
4020	OSE.EXE
4600	PerceptionSimulationService.exe
3636	perfhost.exe
3744	locator.exe
4612	SensorDataService.exe
4540	snmptrap.exe
3632	spectrum.exe
380	ssh-agent.exe
5104	TieringEngineService.exe
4944	AgentService.exe
5020	vds.exe
3520	vssvc.exe
4752	wbengine.exe
2872	WmiApSrv.exe
2520	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\vssvc.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\wbengine.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e87728b25e51cbec.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\System32\vds.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\locator.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\spectrum.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\system32\AgentService.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\goopdateres_sk.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\GoogleUpdateCore.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\goopdateres_mr.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\goopdateres_cs.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\psuser.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\GoogleUpdateOnDemand.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\goopdateres_lv.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\GoogleCrashHandler64.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT33A4.tmp	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{A2B0ABAD-D5F2-4A72-A502-841B087E8C74}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\goopdateres_fr.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM33A3.tmp\goopdateres_tr.dll	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004b332f3ef89ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008fe6a73ff89ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d11e3b3ef89ada01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009495313ef89ada01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe
2484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
648	Process not Found
648	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	452	f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
Token: SeAuditPrivilege	2728	fxssvc.exe
Token: SeRestorePrivilege	5104	TieringEngineService.exe
Token: SeManageVolumePrivilege	5104	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4944	AgentService.exe
Token: SeBackupPrivilege	3520	vssvc.exe
Token: SeRestorePrivilege	3520	vssvc.exe
Token: SeAuditPrivilege	3520	vssvc.exe
Token: SeBackupPrivilege	4752	wbengine.exe
Token: SeRestorePrivilege	4752	wbengine.exe
Token: SeSecurityPrivilege	4752	wbengine.exe
Token: 33	2520	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2520	SearchIndexer.exe
Token: SeDebugPrivilege	4148	alg.exe
Token: SeDebugPrivilege	4148	alg.exe
Token: SeDebugPrivilege	4148	alg.exe
Token: SeDebugPrivilege	2484	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2424	2520	SearchIndexer.exe	111
PID 2520 wrote to memory of 2424	2520	SearchIndexer.exe	111
PID 2520 wrote to memory of 2736	2520	SearchIndexer.exe	112
PID 2520 wrote to memory of 2736	2520	SearchIndexer.exe	112

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe
"C:\Users\Admin\AppData\Local\Temp\f748e3216a11f835cd3d29f8283df33c6ae008af594f11265156e7c54c216843.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:452

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2176

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4324

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4356

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4492

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3936

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4020

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4600

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3636

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3744

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4612

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4540

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3632

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1100

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:5104

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4944

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:5020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2872

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2424
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
f888276fa37ab2c7511050938a0edc9e

SHA1
7927055765995a7f1fddfe8b0b02e483354f3e40

SHA256
1186e9d58a397c3bf08e306c91bd734632d0524d31f5a40451c14dd4fe2b1518

SHA512
3a507d66809202f927a30b80ae7022088cfd4ff4d4c1437292f723639a6fafda793d4d3d3404568ec91b2ce7bc30cdb5e1f57895b4685a3e1ea31ef6e908077d

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
bc10c48fe5493f21863c1a72e448f3a1

SHA1
5c358de5012c12bfc4cc9f154bc74694cff6adf8

SHA256
e6fb458f65da270337e685f5aad5ac571cfac99e6831c9c032979f9017726755

SHA512
17ad7d18ca31c15c17e86b61252b061fa1519d6f83d765e5851701633a44a3520f789590a40dba63b44f6fe557dc9b9a79c4162cef0627637252359e483f9800

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
814d3a724f6fcd3425d443fda36d901d

SHA1
1383038bb38a59e382a4ecbf0b125333baf679ee

SHA256
d67d42b7edfddbd327a88fd7249dc2ff8aac9d1739d11d63e098dfe0e6599e33

SHA512
02aef746047023559318dbfa4fc69fd952d196d6aa65fc3f8eb45ab82e8cad3a7cedc8d764456506bb5ed32b710845567674c587b8ab10874c6b593ff894fea4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
4d82c620b4be1987aa433593f3e245ab

SHA1
c0d4b5af580e40067b958ca0dd5100166b0b381e

SHA256
0596f1c3f06d2b44df9341a7cfcd075ff65b40d4f9b86e5234d178b53bfa2378

SHA512
82f48aa948866765138ba5291b6815b36d7451ee4056d2a1df4ee418679c0cf4ae31a952add9143f8d1a2116ef14764f9b747a8bc49d247ef86ada48c4d457ff

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6459262f39ac8fcb96eb75948c84948c

SHA1
94e8f1fd54b8088450af6e574f39cc58a75f8bfd

SHA256
df07ff10dbf76f2ba44044333c78c3e37964cdd45c4129484d395daa36a075d4

SHA512
f0406c83440b662dc69582f4ad6f859d78a3c3e799884d322ab316d5ddf1710060769cc3189bc0e8e212b68c22cb5ee1157d3d625b6f0a1c45d385a8ee4672b7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
193a917c3a3aa6dbded5b235bfb73cda

SHA1
460354b4e6515b6f9f29fd9b849eb98dc4b11ad8

SHA256
d4c57f57c61bed9b1c13046b9dd294c071bb278e58701c4ebe483511f2c38316

SHA512
fc67bdb0aa5b97cb107a56744378fe0e02d8100a4e25fd5a26677b04771f342ed95530a09577908b7cfcb7ffd73936aeb50745c24f918beb86839ef3e8a13987

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
6571581938e6458250d979793c6dce5d

SHA1
c0c7a2ed4a6ab63cb38c60013ebc10a8a6229e7f

SHA256
c7e8fb5a6790474dcf961352dc945b882049736f5c2a2641b0bdcc3dff06f2f0

SHA512
f0ab50ee6a7e0bc37c2944f0592709bee8178f910ba6c390c6ae86944d8e8bfa52780ef757fb1ebe2a2361d1cd752da39493419cf896ccda71125bb9f82f1710

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c227c31d730c4c8f40182d6d62042c10

SHA1
a3c16a92592a6b28c8b847ee00e29e317eae26a4

SHA256
e3ed39d66bf3694f9ba027fff208f57042297a184d7be9acedcea84b93d3de47

SHA512
d660cfec1bf1ae8253361bc6b36d0558a3ae2e392872ecca2f598f74632a579dd94ed9c0e1e77093360d7ba657e0a62e8804fad2582fff85814b45907a19ae11

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
38a675a4d9178fea29c12779d64ca06f

SHA1
04518bdc2c79cc2502340e32fcbc65d6c3364836

SHA256
51adc507224a38fdf2157702ba69c9c970e3345f2e78619ad67808ea078abc21

SHA512
59e1025929981294ab106a7b6994ce42de43a9dbf9ac6247347d71bae2e20062953215e7975861bdee732f0ec6a8d7a9e39e2c58b5754c7688cec0a182de5af2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
d1c9ca6e419b0d81f2759773bd5d4b48

SHA1
a4ff011780bb9f0d849a289265240cec6bdc0049

SHA256
9ead72a125bc950b3182c6196bc1e6cf5fef38b227e69711863ee8e1ac52fadb

SHA512
78636c454053a453dc64cce97c8efebe5711d3ddd1f4103e6ac30390aefcded4fea97c4b8cd7699e6bfdcfc740e8becea7637717a72537d3c9c4c2ab517a8e38

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
5e0a81125f9c18f47c3a01f13d8eb5c3

SHA1
d184bc72d3832c6d1889e9f361d8650758eca915

SHA256
8571ac2fd122b36738d38eed89cf216b46f35e95cbc93cee3fa0ff65e5daad49

SHA512
200d76cee151a4534b1a6513abc143efb0983ec7db870b0541596d2156c324db1af9ac2667adca103d7d6047f254731a9ed7b6b450f75d22990de1d3846370bf

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
3b989f7ebf7f3ff1e912e046f74a56fd

SHA1
b3ca67b6eb253fc775306c16b02667feaa56538f

SHA256
9d3a2bedb2be1299c55ffaebc40dda6fa908a9eee3750ea5f5153b843ec51cd8

SHA512
2f2e7dbefee5de704161a71c78f28c4be6bd2247927e5bf4f4c779093fd6a7daee850485c0394685f07eaa557a316d83c12baffda8e0988c5b0ce8c5b6f9af82

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
12f44518784b9cbc7c9d26909792b587

SHA1
6ae33cde58255119dfc345fda618e6f5c1ca3335

SHA256
9b164c00b7470d20b883c14babd3485c4893d22e08a8a9188ac1a34a3fc03d95

SHA512
7fcf397bd44d83385df6fcde9644a7b7d823e833177b38d3cd6ffb79b14759e63fb56c3f098e4e082121f1a6034d1a3bb4d2ef4b471c949bf98ba4e385c105df

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
10a84208dc9b7623b043dd053cee063e

SHA1
082d9fb875efd73768dc22b6ba8de421126d0e4b

SHA256
e7bc8f4e324031995d74b95e934e49e793d332ef88c0595c03d2809f94aa57cb

SHA512
16456b70d3cfd9cdb3773c7afa332912147e7b04a6a28208a2ecd3794c481bbaa3fd9852a3b95a4e4484b7f293f6bb4845d7b9dd4c20c8fba5df028a8e0efb5b

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\chrmstp.exe

Filesize
4.6MB

MD5
7a82ba4da98a7eb14642c2bc75c7a083

SHA1
d67a99142d054b116d701b01e1c5d3f5d3a7efa6

SHA256
0639d915ae0a1db65c79a2366af2d067e0e38c4091fe5a6db60bd6630cf96c23

SHA512
17c350960d16c7c2b41fe3e879f23035c3fb8369c304a9368e0bddbfc9e8b99ec0914fa9b826583a730b226b7a83b83f3d14fb2b3e8f6099e07e15ed378d686f

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe

Filesize
4.6MB

MD5
ae1ffd9ed80702e0edad82d8ebcbbaf8

SHA1
298190108a6c6a5419a99a07016bd8c263b9ad32

SHA256
cf4721757c264b82f9800574a6ec46e822c0e1aa4609d9cae0c95048d8322635

SHA512
a24e19549a9676decff57611a9935feeb3bf8afb66a9a824b282397098eac5ec5c71c772eb545e528ea2678834ee45ec2ba137ce84ce6e43fb3892cdbdf8777d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
57551cc53c7e49e2eafa263099976335

SHA1
6eafe1b3ab5fc0a47a0ada50a8f22769559814a6

SHA256
43d8a1365b7d9f0eb998976af48feece7fdede854db2689a42b9ad989807d077

SHA512
7fd7cd6f79f970b884f930e13e9c3202b130d43b88b80dd1cfdeaa1fc999e529fa65f39845b3e9295b2a0dd3b19d77fd7cb1080c4f7d181ddbd9ccf7501cac52

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe

Filesize
2.1MB

MD5
ebe0a353942bb36b50726a1871d692c5

SHA1
719e28b025b516d2ad5efc3ba06fdb856e5b7728

SHA256
e6cee56ee2a154e90f9736286e2f91890e9bfe0d5ee8b5a2a9467dfa1f4294e2

SHA512
8beb321ad7ceb19671b2866f39c16b2f64de4d9ca7df1356bb06a49eabba9e2c0454ea7d515bf62d2105db21d6623caa0ad663a989c04ec5887f270968d50a4a

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.106\notification_helper.exe

Filesize
1.8MB

MD5
e80bfe64fc04dc3b73bd2d451461aada

SHA1
a7c9c0cd6a9a2b18fd4348ce86c0f34e9f8e737e

SHA256
439f6138269e0499f84da641fba964b2a83b26474e63a42bd344b0b192424366

SHA512
05de2badfa8e39b8b1feb2dfff7e65d0ffe18d69a0861c7e7f1f28b9c20a0f1db4c314b29b427add9c47f6d62916b3173a0b672f0a02cf7fd7bc9018490649a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
4964a806ff227118c6d641f9d4891171

SHA1
bc3f4197aece919d7bdc2acde05c0bc188e50196

SHA256
c8b8f1743aa9b7f582832cdca833a6061efac40dad7099e9f684dc0b25588dce

SHA512
8abeb2a390e84820131c5aed14c346b665661f5c789bb845280ca34d13a2b4378fa9fbe49dde20336f0cd051b26f2d0966b54313b174cb7298ead926ad519bda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
e2fba8056fe4ced89262882b0e17afde

SHA1
44752406b973162b918fcd9b9499ec4e5c042934

SHA256
3ba79a9eb871f3b9fcb8e209ef37766d17ada09aa06513d0c99a002830ef59ea

SHA512
084fa52750dd1d058843f1f662d1f62475573e392871674927d05e6c157a350e136e4a861c89861aaf1e5cb9d9b238c9760e17d581383dae00851d66d701c430

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
b01e052b3e1403cd2049901056e4a66e

SHA1
9112cd51aa2df8d2b96d1b4025235b88bdd6df4a

SHA256
0d0d7a1e8fee68dd3af4256eb2efbf55fcfd2800f316028c83cc42dafc46d227

SHA512
1bfb26bb67c4e6ea781c3157b79d0b6ff0343ca1434336c8da596ec205a595a70f8ea4f5f9c0a79be8bd8a5e7dcb34665f4727ae08ef4afa972b7a341164f909

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
2f57e6ba8e6f55c8e34b77d067e9768c

SHA1
e7dd70186754ce6a80d7fe65ae2e2f3060bb559b

SHA256
f14abe67a36fad13683c0b87a63ee4e5c6ceee6ed6c93e0963f1158a594d82da

SHA512
ddca702fff33a1877b8b77a23c4dd969d6ba440ec4de412b65229b0c15c74dd36dabef688b2ec6bbea2142598065aac8276fa72898d729a8c293e9c451d59341

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
0b32a7328b80ae5ff6ba80f11a46765b

SHA1
cc28094d3431fd7c3a23519637510b8055d8e1e7

SHA256
58a938006debe4f69344fb2ebf532cd53da4033438923890c91499aaef0f36b6

SHA512
d06fa93ca2df645a89cb0048b41b7cbc9d5f6d4486535c27ec465aeba5bbae818a523832718e9447332450ce7823ad514a2e3445e093a156f277b2ceb23cdca7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
4479bcc348d6d9cf0d514f6dda01e7e6

SHA1
e304f07f4bcb43d3efee949d4f3cc75f4b80e342

SHA256
b73c8bf91257d90f2ab93edba2e9b90a75cd4f4e476360f79c63ac2413ed7874

SHA512
8edc865af0d2aa9e24ad6d52ca4ae78f279a22cb77d2dce2140af2f9b52391393c0b46a7f6665cf92f39997c60bc58f3ed9bf311355b5e206130f0bb8b82c707

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
38128e89ba892f3ed8d71835a2cc8d9e

SHA1
a247c731c88674e54c3e99dee0efacc9a079e160

SHA256
b67dc5a2cfc7c9e68e5bc4ff871527862a73f94a6f7f5cf92734cd4607ee6a52

SHA512
742b755b41a2e87e7ddec6dcec8c559772239d0fa936376a22d7f033d76a965944a49c349736290a35084f67a89b98b059fdc4fa60dfe413b53c3712b7de83da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
6c87793919025e200fe09eccbdf912a0

SHA1
1b56ce1965c67c09419348aadee7ab430fb80674

SHA256
896a7a9d8dcd6b48f7b7f8b55016962b99c43deb60860ef6707e48fa6fa34dca

SHA512
92f7ba1c918f6944b926206afb2f681a97ca14a5d033147af194175bf5d4d14dcd2c181242a75ac947aefe6612d4c7b42f191b482f999cc890a6fce87e18a4bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
36e2f0e06b080bd59b73560e1858b4ed

SHA1
e7befb2ea49375a711212ed11f87ffb7632551d5

SHA256
593971afb61fa2bd7978c8b8e304f71742027042cbc362a616e750866292324d

SHA512
99973046c81da3bf94143123ea2deab552769a3150fc24380df36cf9b6e82b9e9d3427797f9e8a6e3c8b641ccb8ca13538b63a2702fdce1ce2f426e738000675

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
de33328667bb4e84571937dda8880ff3

SHA1
70face33929c5436dbd0b3242724d58136f26689

SHA256
40444aaec4f645bfecfe5248e07ece719ceb8f65f53222ed74e24938de2f1621

SHA512
56ff4c6e9cd16dd758c1e2ade4f165974693ab224cb9f8d254b17e3ca38a384e5a05239b5fb030266b14ebb403c8c629c76eee5e8d8ac21b66a0c1f23e27b928

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
ff0cc5ae0ebef546e95176e9454ae22b

SHA1
a244357e54635963d15c413b9c1f1838a87df594

SHA256
d7f7c729dc9f4251ec7b784b03b9e76bd70fea28e87fa79cf7ff13f216c990b7

SHA512
e0fab4118d34ddd4c51692460f1f25dcbe80527059859f5d461351752eb876bc1c222cb108b22edfcfec07b9d650e8f5d3f8c28766c3a13af2700a784c14e493

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
2e19077582937eecd2f58a21565c9c3a

SHA1
39b3c7c97eb29e8930106cab1e8397ba7d1fcc6f

SHA256
abb9e9144dc073a5ba7a7b96348ad1afc5f65f644f5bcb5221464d97fa1e149a

SHA512
eefedd1ff5db4e09ad434e78b58eb3671d4a40efd95fbde1005deb5780e7eac1771ae31911572b73dce665248c82027e1d28afa78d6976b11d0b9e572166c4b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
e169f1ea7863e8062a97d589ce255333

SHA1
8ee6ffc1c465a449310c47c9d304f2abcb557fc9

SHA256
56cdc51e223ac037ab9337c5ecb2284cfbabcb746db6d255aaadd643b6e093a5

SHA512
4e56e97555e286f5b26dffa02f7ca7cb3f30d8ae2aeba667fcc03e9e7219f106a5661df96ec1a5abe0d3aa889f43e130065b69aa52dc8a844c71184431b0e0cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
a4dd5ea055c07bbcf270e107fd41fd69

SHA1
6db36b86bd16627aae9b5715719e5e208ccd2179

SHA256
98608e9dc11002732a632987ed0d5dfc3b0bebc51cefc6d799e5b53d595f2f3c

SHA512
4681330fb6e436aa4321d0527b4d7f0c5c2670ff0cefd3b3ec0165830852b651e8dd20b022ae154333b823e8a9e25ea1ecf24117d33b10e8881330d9f73d2701

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
aefc409fd3d7816e4a3209369645b996

SHA1
1e16dfe6580c36ce96567a01af42c7a5f1789b1c

SHA256
7ff97e23a24e5d8b1804cb1b5314fbe284b6465bf3618f0413c2b2be55ae9f48

SHA512
cc8e224da3ff117e23e6b44d0de70ffbbfcacb809e97cb9a81aa87a4d3fc8a0149dac1138d299fe46e23a67452a7bd9954f1e0cebbadd7d8b7918fb329da6caf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
563608f353b69a22a1712e03be23eec9

SHA1
e6f63d83f4ed6bd0c1b2e081b09ca71353a0f020

SHA256
5e550036542db297bd67347dec346edc35b411368e630efed343fa8d9569d3a6

SHA512
f8e2e99a582662e2588534081278dcd344fe2598472bb2040a5fd1fd16d7ca46debe3a528a9789b37141ca1e72be34c36343540ede317c7fc77c5ade01ff0dd4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
7d050cd9d8ca5f1d92337d887763f8aa

SHA1
29a6e6f5adc337697c41b8aa94a450876a19041e

SHA256
79a800068850a502ccae694cc13410d2c05cb9067ee40ff05576d9ce4b165456

SHA512
afbd99c81f1770701b1564e93ae5213b53ca0387fddd98ee486ef7e4377625b04b3d02f423e1cac7387065d674132e8e5baea04c6fe74baba19537a44250b494

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
111f8a19d279cebb7c462c571df6a45e

SHA1
79c0db6110c114aef0aea1b58cbc0c8de95fefd9

SHA256
4a69cca6dcd1cd0343de641132289ab84dd17beaadaf1ab7f2bb25fd11cd4a1e

SHA512
b3e3e83ab3cd77fc1556390e6da07af0f52d120c6ea5177cd5ae49f8159effa0b53696492d8123843bcf8e199433fef8dae82497db8b97a0293e68cbe5b602fc

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
b82bc009754585372f225be065de3322

SHA1
6e2871d07acb416a3f6aa93982d02fc20ca5737d

SHA256
4936bf795ca457ed76d5d58a462b2c46eb32fee1875b773bebe69f6712585a6c

SHA512
58ba4292e8088cb6589be061c1725c0bd4bafe385fb250d16a79e11637d63cb9c1d193d14ddd7518ef40439b6e33acf86019b272c94245aa2f2ae551bd068988

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
96e4a076cb175ad5c270c458e00f02ba

SHA1
1cf4bbe6b9ad58eb865dcb29e722e3afa81ec34c

SHA256
dc03f012eb33c5c130fedf91b2d8f65620613436e37ebacc160563075c547abf

SHA512
9d758f6778d17eb2c41cc98330796fd5b452c5e0a0d1c02ea2322b30c9c469bc410440a0de756a1de134613ccab5fe54ab99b4d2af4901b75a9282ad911efe87

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
cfe3bf57dc61689aa180510cf5c9ee71

SHA1
f3594baa3b801ba48163d76e9b05ef82fc2c8729

SHA256
f9b384a63b5b11a2f00d06973eded6fc91b22ba5b7701bcbe46767f225f77a18

SHA512
bbb88b2930c519955cc3d089a19503b8579cb32dcdcc154c69f30bdfbf02668f30a4aca3a67c2bcb8bd28fad6d9b79f58b475865fa981ed7053ab20dac7ffbda

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0389e32e934f4a66cdcb63b6e920345f

SHA1
e43308dd9bf236f6b9a0ef6a76e42feb07356614

SHA256
fa476342707a1ad3af9b91986079f0c15401c57c0de0be71d0a6aa8a61ca83ff

SHA512
0311a9deb87ec43ba4622ca211a81f8b02c68933d3a0f61f08dde476fa1d1e3923a3494b525e06b8389daf231816c3339a22862a3080f0a5cb3093d4f31228e3

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
f9abeaa2600bcd644c74ad9f496d0c94

SHA1
c7fa6e3490421097031185875ffe0bdde0102ffd

SHA256
c2d643476df53580daa9f15746878788e493d6891b1c5dd3582d3dff9aa08faf

SHA512
5195cca9018dd2494be20822613ca3a8425bf9074bd15a422f36fe5e47ba1d1d5825bd037c4361b9418ec747dff33cfd5fe709574e125a2e86fbc9874ab6a12c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
6fd12fb9c2ba9be3eff3ae6106ef1c23

SHA1
6ee8a0c54acfb9e4f47f6c20ccd2de6d5f7070a7

SHA256
03c04b51d188171fc88dcab824a9d8e13e9b846a4047e55ef1aaa06458d105db

SHA512
04549cb81165a5b9a20a4e361906648fefda16b0ab1c696872c43ec154d14ef1d91c61432d87b7331a17e44ade54031dc8cf911b0c3422c22b948e3920918e6d

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
cbdfe13ec403c4aa156700c892761052

SHA1
33d85fab7da7d9dfef23764615c9b0c77052b5fa

SHA256
563e1cb12b3967a14e100cab0f5689d49648c005ca191011a051312712bef3fe

SHA512
a3ff1e2713a205f69624e233405e92e682c0e134578877fb5f3e9e002c7901dc51cc1a0643ffd497cd37d21e5343145e55899f3ae34adbef5a6b8d364b5562fe

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
3441b5b58e65e416f4acea575944b07d

SHA1
968c1eea64fcd675bcfeaa4f31baf9d2199fe492

SHA256
00458c1fb2faa51efb944c1a240c2b65d6231c637adeb0555c080f34f890d3c0

SHA512
7214cb4373f710208c5af709aecbf9d1af2557086accd9647356de7d2ae9012dc8b13ad45b66c01a7d91948bc28b04c81db8ba7080fbb21760eedea1cd936771

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
eb1e9486f49403e87d0d1e13256f408e

SHA1
b8bf1c7ecb16597a931c9ae8d7b659a99a1f7c61

SHA256
1efc4c264c4fec0fa690def85d36abf766ef5ee8faa1407d4397698f7bb51a22

SHA512
0fdbd5d47cc6ad0224ab0f83290de4ae56c68ec328ea972bf32eab815388e8cddf4827ebbe662869ae5ad22baf47e3a655c51be15877419cf105cd98f528954d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b22729d88850500ad3603c91c2048a7a

SHA1
6d53e9849bc0ab6bb169462195a7f13cb43a42d8

SHA256
27a5cca92f9f8ae9d066e6f563fae8e698ffeb5fc18d2fbd1b9e33db3f265296

SHA512
6bd69be28cc1a2eec32e0b2ccb828cb58d17d97f9b768c0416e7d9fadf527eaa7f2c5a2d0ad4ad2e52f30bbd4acba7969877604c929b3fe856dc2535d7489b28

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
72fa792040a90158005a8665f84ca054

SHA1
40398283edde453060970c473a1423a83fdf8cc9

SHA256
c240c1faadd6484f12c26ed47ca1b076b0250cb8ce581642c154a4b81d1f5cab

SHA512
ba3b6b2ea3f74366b09fc42c80a1291bba66962cd2e7d5120fe1bf5385b135e3ecdb8ffa099729191a24e27862731ca27b0035c9a55c5db48b5f3704e31b8169

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b63eff171fa28bc4a426a6369f03d6e2

SHA1
da40c06ceec21aa3cd904457200c470092ef7405

SHA256
beae5358fdbcaa5af312d734b5ea98fc7219d57b8486ce4cd4b3893c6fd09a0f

SHA512
f4473c662ce527dad5aec05aa1d2d416924b41241cac935c10fa42d915dfc295d5aeace5800574f517fcdf8620cd7e42513bad752b544beee65fe77809980842

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
6a707bdfecbce88ba0b752fb1bf62867

SHA1
a932b4369ef03406e0b08dc8b9c41069ba837909

SHA256
6568b1ecdc8d6d8f8b5bd6a46fb766c701274ed5b9ee6f373c416bf2f25b1c83

SHA512
5c6ce81613a4fe794746773657b86b85bff9de3a53b98db8f6906eb58649938dd5719199c57f7c4e4d027a2255ceced9617fd223f06e236c045093e5f9efa7e3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
927274fca169c1a1577263febca668bc

SHA1
0bbceac87d2b3d95c9c93f93ca61e18e40d5d818

SHA256
bacd3d92f4e845a6ed5631885520a7b694fd0a1351bf3ed66d4620af0b96ee98

SHA512
e36733469388b7e9f77e9fdbcf3e0150f22a3df58001a6a16ad89490e7076ad493871c1a9a9fe1008bf3b85f77287fa212bb34340c640622c75f53a50018fc83

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
e2a559a6c49aa581a6d81763b79a0ae7

SHA1
e11255118798d5333f81442a266e1664770af530

SHA256
0332e52b2ac744e923556964bfa89314a7af81a916d2fbe49d069c92fa535691

SHA512
237b624da5cc15c292837adbc67cd6df1133d6bf39c55d1c98b66f8629aa6eb5cd1bf45f8b8b45bdeffa39728d4976c82718d4ff8f739c12b80c30e83abe7ae8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
206adf78fe5c4200e91059e1d85fa831

SHA1
6eaa4b3f025a63918b2864a05a7de543981be8c0

SHA256
c3886221427c37604110ec2544825359ea7801598ef7d7f4d9ee36648914080e

SHA512
3e145ad1b2e7bf02818c045e68aa995791b9726cee5ba325913a3ee82e6ac83fb4ee743db5425c0094603d89c6a1fda1c893ee8454d1d09cf95216346ddc6888

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ef0c7ed9b862050391b3bfc02443e218

SHA1
a383ea271a146fb1be21471284ad22bd038ee3d8

SHA256
0937dbfcbd969d0d4aac0346efaaaa6ce9d8cadfabfcc9dfa10740c7b9d2f8ad

SHA512
e2abf6ecc8c5965298c4fc0de20c80fe95ef52a28c87901c7607399f508207eca388a30d09e1f911b0052a7fdb30fe164078e2581a95a44d81d190c224835ff4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
df2be60b0041187b8ad89560924983e0

SHA1
02d535d10df4389026f711e3b73aa7389c89bf51

SHA256
f8835743712eda3cf3530b996ac684a270e08a0b2d52b2714d9773a68ef46d36

SHA512
303aa9c8c960c230c56d273990f1b446e27f81a7918fe6d59e274fc54d26353034ea8875f2459f7447cf3a47d75d59069263806b398630e625130fd36321f78c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
a2eb5fe6d1103266ec4d9d859efaac38

SHA1
b900a050ea68b9e1919e8cf87076725f5bdcb3bb

SHA256
9265396ca4be0d2db7f6f98c9dabad2051fe8660e892e620b6ea6bf7601676d6

SHA512
e223db853c42c558e12d6c48c5bbade7aebcee8d780e09be97280e1881fb61703e6305b2235c7085acbd74a63e344a9ba4699fe4edaecfbbe471a3bcd2cd11b4

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3852ac53b23bc423c4707ab7e21332df

SHA1
94fcec53fb628bcb956429e3450fc45513abdced

SHA256
0a4b4229794dee22319978c6bd6832a2bcec83d777846721696cc2167d605a6f

SHA512
fb9001fb30314eae0cf1320b0ad79c91471f21d1bdc2fa4fbf298c2348d0cd2a6c5fad387340f44e68e1a2b86488cf0583fe0ac37e67647677dff8add78e0a8f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
33fa805566eed078e1b2a49cc628af5f

SHA1
6d494039eb4246ed7e20c1c0ebee5532e192bbb3

SHA256
d24e38bcfad38765e760ba1c978b48090caf47611113d59410ae121849bba66d

SHA512
bf44590d0cc52e1892761cfd4a40f1b7afc2511c72a9400f2f2ffecf7ecc6e716b1f059c070a0f3b2f61c9d4d362c7bc095295565bff74e125e2a2d1db392ede

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6ebf9dd35c468b4234c1de3c5f5272ad

SHA1
733aa099a41fd3f5731c02aa04bcd48d1efd8763

SHA256
c46861235631201546ffefa9bf215e881e90f2eaddf781d98980da8ee0f895ab

SHA512
21f09102de6736f1e97e7e11f695d0104e0f3a9a174e7c92e3c01cedbdfed1bb73b53eefe77f65eb52af54c4d3116b3f540bec76ee07e80a7b89787262ae543d

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
2b1a3de27415cf5cacf0885758f9e763

SHA1
bbdf2d11eb6b436e7540362491013ca45f2bd723

SHA256
4e1183e692f1b82ed7bf81d16ac3e20facd9f1ee54ea67217b82b2cbddda5d4c

SHA512
82ed31b4cbb49f3939d95e43b6d44bd8e0d19f7f78a19ffb9f5e60280568548c9815537afb453c53a5efb3eb89dd30d009655cd717ef50a1a5eaac51fa82d32e

Download Submit
memory/380-273-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/452-204-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/452-609-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/452-0-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/452-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/452-8-0x0000000000960000-0x00000000009C7000-memory.dmp

Filesize
412KB

Download
memory/2484-102-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2484-103-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2484-94-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/2520-337-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2520-729-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2728-114-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2728-106-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2728-115-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2728-116-0x0000000000900000-0x0000000000960000-memory.dmp

Filesize
384KB

Download
memory/2728-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2872-325-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2872-728-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3520-322-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3520-726-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3632-272-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3632-721-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3636-207-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3744-208-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/3936-168-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3936-158-0x0000000000D90000-0x0000000000DF0000-memory.dmp

Filesize
384KB

Download
memory/4020-205-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4148-12-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4148-20-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4148-21-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4148-290-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4324-128-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4324-505-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4324-127-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4324-121-0x0000000000DA0000-0x0000000000E00000-memory.dmp

Filesize
384KB

Download
memory/4356-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4356-717-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4356-141-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4356-138-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4492-143-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-150-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4492-153-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4492-156-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4492-144-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4540-271-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4600-206-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4612-715-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4612-220-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4752-727-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4752-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4944-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4944-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5020-725-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5020-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5104-274-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download