e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
Size

1.8MB
MD5

ffba3569a817d40f0a49aa1358fd3b40
SHA1

1c3c74107df5a213381be2a81c15e2d0e50402d4
SHA256

e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202
SHA512

5bdb1d54f02bef40693921142020aed458dbb5c5c43d448e27c7b4a7fe1986c4f5caf53562003d9d79a7203bcb05cba72e76143c36337a361be7af29d444625c
SSDEEP

49152:fKJ0WR7AFPyyiSruXKpk3WFDL9zxnSDhKoc5CN6B:fKlBAFPydSS6W6X9lnCcO

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2480	alg.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
3952	fxssvc.exe
3156	elevation_service.exe
1232	elevation_service.exe
692	maintenanceservice.exe
4720	msdtc.exe
556	OSE.EXE
2952	PerceptionSimulationService.exe
2944	perfhost.exe
5084	locator.exe
968	SensorDataService.exe
912	snmptrap.exe
1736	spectrum.exe
3152	ssh-agent.exe
2632	TieringEngineService.exe
4608	AgentService.exe
4916	vds.exe
3656	vssvc.exe
1128	wbengine.exe
2424	WmiApSrv.exe
5048	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\774c3293d590e271.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\AgentService.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\locator.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\wbengine.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\msiexec.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\System32\vds.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\spectrum.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\vssvc.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Google\Temp\GUT7B4B.tmp	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_bn.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_uk.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_sv.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_da.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_tr.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_el.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\psuser_64.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_fa.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM7B4A.tmp\goopdateres_sk.dll	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ef59eb1955b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009245f71955b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005482d31955b1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000927f111a55b1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000acc4521955b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a06cfe1955b1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe
4048	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2668	e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
Token: SeAuditPrivilege	3952	fxssvc.exe
Token: SeRestorePrivilege	2632	TieringEngineService.exe
Token: SeManageVolumePrivilege	2632	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4608	AgentService.exe
Token: SeBackupPrivilege	3656	vssvc.exe
Token: SeRestorePrivilege	3656	vssvc.exe
Token: SeAuditPrivilege	3656	vssvc.exe
Token: SeBackupPrivilege	1128	wbengine.exe
Token: SeRestorePrivilege	1128	wbengine.exe
Token: SeSecurityPrivilege	1128	wbengine.exe
Token: 33	5048	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	5048	SearchIndexer.exe
Token: SeDebugPrivilege	2480	alg.exe
Token: SeDebugPrivilege	2480	alg.exe
Token: SeDebugPrivilege	2480	alg.exe
Token: SeDebugPrivilege	4048	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 4608	5048	SearchIndexer.exe	112
PID 5048 wrote to memory of 4608	5048	SearchIndexer.exe	112
PID 5048 wrote to memory of 412	5048	SearchIndexer.exe	115
PID 5048 wrote to memory of 412	5048	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe
"C:\Users\Admin\AppData\Local\Temp\e57e635591cfc4c874262c70cfcf6dcfb92fdf697880d55bf28cc01074949202.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2480

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4392

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:692

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:556

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2944

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:968

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:912

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1736

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2444

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4608

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4916

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4608
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
75059e643692460e508c0a5c2e9f83bf

SHA1
04abd1a6fee757b9443137ca93d79930fdc66820

SHA256
d7c5f985f97e1d407793933e4bcaabf9825f15e054014c414518a903f49bb38b

SHA512
955cf06d5733f805ff1d945da891ab50b0c1e15ac9250d309bd608b45faed83c4f66eaeb31d99168cedd97424bea3a73e52fc3d37f88e7a653af137fc519c297

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0e2422fe01993f5a0b30c17d47a2e3b2

SHA1
0aba09e1dfbbe8344a9820bbd4a587adef275858

SHA256
63b7622ed9174cff2f89fed77827b93a839db221becd739e118bd5033bb1ed5c

SHA512
957b24199762a2802bd91ad12647301429382af0b695b596b6392fd7ac680c31b2724c60773251058c3a3479e74860d27c9ef3a6d539733884a2a15a5418d21a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
6a26e152415a920dd8212ecf373f6c3f

SHA1
f73d7ce4561c89866e8aa2a8ceb2c6bb9f34827b

SHA256
17916a9987eb46dec52292cf01288d8c06912b1b7367689b38b879f02b0b931d

SHA512
3a0e9a598cec5f6bcacba04e27ed314e9f7c537b0cddfc75c6e2b6173240e97a7fe23b6e3edbb0cd01905bd6fcfbca99a9d0642e1f275b381d06d1c5dc88d769

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
204328ff865610e47b8ece0cadbbe212

SHA1
52e93476e1c0b1114d77a0cc324430f62da7b933

SHA256
b970b2e100215cf8e44d4e24c07d985bb550123fc0cdc2f73f024c4afa2bae75

SHA512
5f56a5c77538c649f01efc73be9172986c00fe37e57f4e0878967e8ee2dfd7de29f0f5e0690d97a7ecaea7461330d4efceb6b430a2ada58fceb32669fe37d916

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0f2b1d12cbcd48709fb806151569b156

SHA1
9f5caa93c56a3301d0404aba5736aa2483b965bd

SHA256
adf3984b7756245761a16d45f3f9a2ffc33e5ea88a71b0c40e1073a0c0431614

SHA512
c5af23c1ac0c62239c8bfe1d757c361d679070bdf23dc461bb704ade027137233ac93344d992a715e3f5274e9eada1728812eabadbe5dcccd74ca9f19b50c422

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
9354335148cd271a19b01b2b7d0ac0fd

SHA1
bebce2f8997dfa4c40da0653f3a3c9d4268b8627

SHA256
beb14ef7f72d25e5b9664895be4d7b1d92356025c4a1fc71807f68d9a7938a22

SHA512
509fb88ad74b6ea1a1a9cc2d0874b311488c8a3da4c275575f666120a0fb848040eb9eb5d369d1674104e34652d72720b0d8406637ac70c6189d00e914def003

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
9c6584916a18d2d454c0b5422c585079

SHA1
c62b6ecf1d5d04b13117174373489ec41cfd5b9b

SHA256
66c2f513d717b22e0835c8dc38244a9aad58cc0ceccac656878a12bcd24dd669

SHA512
238537b28c9e334d3c5ccdfa4e7936731806f5017425b825884272ee4c4918ea4081a532b3d866e2333547353aa395575da74c2ec64631ee57aa558960559ecb

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
685888a53535e7354b185c46acffaa79

SHA1
1f78827040b7d371bb66ed1c2a8fb0587d02332a

SHA256
038ff14b46a2ba32440c495c427b9935565a17d71fb506b19a511f18991a0568

SHA512
65c9ac4465ac3a7b837d4001f47884098aabdeb3d43477ccc0e61867dc9ccafb3ad03b136b8bd67f25cd0363192d5690d1ba82839154b8169f0f29dd38895407

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
2e85673462d65329e31961259fe7231b

SHA1
0b87aec8e8cfc1a38541eb2d7585c7bc2d0b1a8f

SHA256
7d439813009a45cf487749db1f314db33b5e9f24bedb9f6ca4070ced9c12b829

SHA512
2ac26cb5cb25b56e8a5c84d4470d55bd407ac2d944745bdbb0714f004d0f15c9556ac1f4e2c7015ebab2da750710ee3a8fcc18213598f4b216fa6bd24e4c5239

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
b302b024a2a98b79fe91c8b4fbdc9b91

SHA1
7ba64acb97fcbc2846e363d6c99622f7e583b259

SHA256
8daacd1c747199f5d14380357f1e0207a7be5e7f6223f2bf43ade2e62e8ab8d6

SHA512
a64020d53ec2a69d4d43a57bd3855e628b3da20a5ac0e2c96271fa94b2ad3d2dd990bb0673a88746926b52a24429530c1bf2dc0817f985b05b68240d8a97b25e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
4760b7da4b4b563580f8a42cbbb7189c

SHA1
4cf68b09f251930bb4bbbd2f8b4be6150d32313f

SHA256
8fabf23fb81433b10532f90a4aa90fd6517820ac6be182522009149298720c2f

SHA512
082824500a58168116d4c1a1792f7cdb051faebda490bb2152acd224626ba3e36b14d8e8b05b28e3a6f4d5421304ecd96c22d3928da57853dc39395eabfa4c98

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d379e92a6c6bb8a3cc7a2f70d48f9bf2

SHA1
7374e02cf671fc9b3c58c98b3b87ec6625df757e

SHA256
95def9e3b0ca40fb0bffe3ceda6e87593ec2cd1f0f4722ece7d5aa773483bbb4

SHA512
44cccf968c8938967d1bf64ca0a4f6b6c66fd443d129ccba1c29639ffb32f28b0715097b88c025fffc3b839730704841d8231220454691206ff709810d5d4de0

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1876c4d31827408520337fec115b9587

SHA1
7faac4795ca92309db14e009daf2ecf16e9c8fa7

SHA256
fa11b265128ab5dca916cd872968eb914f452ff178ac1a18295a38767e6aa4d3

SHA512
d1cc78fd9332582929518a56cb6a34bbbc475dce002a3758f4f2d2c55cfb3732d711dcc3f52aee5562e1189a854c230abfb5aefa630748a0277a5415e146bb5c

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
80e705789954b6a46466c50d82bfb378

SHA1
56faaaafb0af791deb04a1f5d8e873edd85da84f

SHA256
545def276fe06440b7ae6dced70e79b51dc4715ff1ea68ca517681f00ca68640

SHA512
e2637eead6509121ae9adf20c1f8676af53fce140db728a5d4ec6c066b935bd3583bbe6ad36c0408597883c4afaa0165cdd8a499b6303e49b4e4e96a883b8252

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
1ef4f4a2292a4f6036ea9c9d74b580d1

SHA1
c143547109a8560840bfe08e39ae67f2a7f52883

SHA256
38f091094b47189fcc620a5707ae39bda0bf75e8757ca0ab7beb1282169834f7

SHA512
1826ba7273998aeeb2d14f10d66af284ea2c3b669322fe3dff022cbe9d9da6b1a88a1e6f615ece263ba133f5229486f4a171cb7ea889aeecc6a90407bd260598

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
2f37391a6723f8b7865ad8f4cd262670

SHA1
f8c7f47ab40afd332e9830a6eca6695f8bd93eb4

SHA256
de7d060a8ddc6e61e7f49d3218499496712516907ce5d0c7e0a07a5e5177833b

SHA512
f308119a1657e54ad366b5c08a5aa3b05e8fd35d5008fdbaa3ed117a09b9b430688d85731d7b6e8b436abbbcf8abfec6007c539e1800269fe03eba3f44b711f6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
94eb5071dd3799c800e3aa7f0b36b9a2

SHA1
80438ae45cebb16ef43b7b98f5803bb3d2b2950a

SHA256
547535ab2712cdb977f403bdcbdc716beab455afa93a97c148f5e5728bd02a43

SHA512
82c1cdf6b3af03665439ceb723eda9775c358ae255cd1f6ce112d85c0ec4573354ba464313cb87caa7584f3d38948aba3ef694557ca8ae4892967cb35e6ec522

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
9a7f88b48e726465fe659c3a4ffe0b21

SHA1
4d28c23dabb366ca6e332f76fddb54b8a6bcb806

SHA256
a4c9ee4fd7dc7821e1df74af9d4a148dfcac04dbab9f94d8281a738075e9f804

SHA512
202d170529c150c0406a4ea0d2d1ae3b4c51198d317073ffe4e101c5069a68d4c10ef0d67ca1a6a02eab19001abaf2811bebca6f22c7df64ef8a2d641cf2a3b6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5a25d68ad014f5f8f20033c5e98df99a

SHA1
b26ed97541b233060a12059569e96fa80ca927af

SHA256
e1e35bd6e9b265373afea0d9c0dbeb3144843e4fc58bbaa02df199319b3536dd

SHA512
387fecff2ddd637328fcc0c84c7aec1eae8709615e95ace62972ac4adc9298639d12e07c0733c7394a854aa05c68d49e97e53a37b466714ef4808c2cb107e5c1

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
71bfa01632c1e006d66d714d8c309dba

SHA1
5a004d7bfe5341b0520738e2711abae1e1fc5948

SHA256
e2a1c3fde20f8d3dc7fbbc2a5cefd3d0baded75a805f9d464da7d645197e433c

SHA512
37f98cc19c81cc4880228ea76ebcffbcf123b14086bad4391ae197c258f082991e037efd5584e1e82df50de4baf5c4568ae1a2b0afcd45ed05fe47822053d9a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
7481859eaea3a3596481b590ecc48253

SHA1
f1d4542cadf64086af00840b7d99d23376db6ad4

SHA256
3d1bae70297a4f138cccfe6535387620ae8d7f7f2917dd4468229c5aff0e79ea

SHA512
b85462ce8e9834ccc00689dff844469efa7c995757b1445cf5d0535602a602aaca155e0d8583421448b07721d0c6842a4031e26c701e6079ccb82ed42193a7c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
eece4f832d917939b07019171aa28c5c

SHA1
0f453578062e5206075ee3657f10dc563929e386

SHA256
98963a1854e030610af3c045ccd388131431286fd122b4b5f04d7169c7ba1007

SHA512
6f637b7c40f3fafed50a1b7f959e6a7fb77096158500ce91c1c31bcb2f326e06b3e03016e36fb084546da0575beed8937855e37f6b2d6e772f05d81526b80527

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
198afad2684823e71f127bc91a7e1088

SHA1
5585889220efefb5aad8e3d3d0c8c5794aec07d8

SHA256
bb6486d856492e328ddef30552be5af67170b728b8a540ecd72c89b4f46e167b

SHA512
782e975eac6e481d41aab0bbbabe7f3acab6915b09fb3448eeb1c41a941ed3b1e83d1150c8e39997b2e83569f35d59a8b7c12e058f45044606078d004dd3e3dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2a189bf9a95d0e4c152edcecbe20d634

SHA1
6630f629bbd565e95d2b80bfaa1a722149d6c054

SHA256
3df0040b3b8be7d4321307e9f32cf795b9c74389ab9ed98446504294f8c8a5b0

SHA512
99614604ed821b024db1ac8fed87129d4b155d907eb1294484888e22d9a1e7a88d920168693328c6d5ea4062b7a205741bfeef874efe1a2532cfa116c19529d1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
7a7c3654744be3ed134a9ab22a6dc06f

SHA1
1df6ef371bbc6ee8b79dfe031edb5dc3bc1dcf82

SHA256
bd205bd2258353a6941353b3926b4689ed4bd811051015039403ca7a704fc1f0

SHA512
34e11d0d60c706663ddfc282b01945335df07031673aac9d36f7bff4b29609f28b14d744390e452ed2c8ec44886dd92e8048b6ed3aeb526e24901b87dc7671bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
28199fff59edff3232838cbf2d5d1157

SHA1
6bcb1214bcef7e9d36fe7c7f4775b473587380d1

SHA256
0aff7d069db092aef210f001f905a781e73ba581e6c73632921b12ee3b0b310a

SHA512
cb4183ddc22c87e67367359ce4ea478ea7b91105ebb691d9eb79277e581d1326c63d6680421cf6194374977a05bdf891788dd1032eb7412b6d54801ed654542a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
74ab64461c3d88d81cd3cae8d85cbb50

SHA1
64093930c207af988a3bc139c7446d294d2ba59f

SHA256
74563b845691108abac2831a0b2854199bfb6095a98a1239d6fd67af3c59ef1d

SHA512
b352eadb8683e3d0880a7d0e257443b580c72765ba34d1b0338335e6e7095528565d5092203486ce866ae0a11a5a42ea6222dadaac5d5fd585e1daba58647180

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
95e7f6322e7b6f427c7e829743968d9d

SHA1
4f0e7ecc4d30a179c06955736815f1b13ae24c66

SHA256
55e105c00f18b55d111fe374d85365de294c0967a9b3858dd53d4e22677ec9d6

SHA512
1cd585d9d7a05f724358676780424f44261a336e9e477f0aa5d6313e37391e076e1d35cf166049119acb77e04f1c0f2b2ec75f81ffb9c37a185cfd88a09b0ca0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
257b0711c3088bd6a79a981af55bb047

SHA1
6c1fa5c129888f085ef20ab9fccd57310dec54d4

SHA256
10b2612d72cf09489d32fa750c5ff3bae073c3cc84ae221e780d21c988b3ef44

SHA512
93740bb93810a185867aaec08cbfb67d6a8d2ae7a7b3415c43ebd7968eb91218bf7ef84779c2e8b0fef8f4503b2af99f043b1d1e6ab49d75260408df34d34074

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
2d3a63eece5bcb601e8ed754776e49cf

SHA1
b71157f6b6c3cc9b832c3242816afa1c988b6723

SHA256
5f886452e29bcb52195a378e52994d34ca67a1eea479374f91c1962cda92c5c7

SHA512
10aedcafe6df5c676a0dc6271266d194461f61fc5293b65bfcd6f7195024d2a38fa13d3e533963f10855b5a8566d031f078199cc518bfb2166903ac5b94d44e1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
1f0a61878ab479ea70a0378df081b660

SHA1
f27fe87ee864aa32900df057289be12a234ebdfd

SHA256
985b1e09cd25011c0455e11e2cc288d38defa380fc0ca41a43149d3b281a6551

SHA512
3cd5e20a40ba1112629241f34abb43293223bfa43a7450f8050287d6439581dee27ab865fe81592854a73a8062020e7bca38813941b44ea6b4de2b4280a3765c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
73d8d32da4d2f96649159e4921c24559

SHA1
5184e9d47a2f4a0e0e3a5fb608935dbf87cf4e92

SHA256
f4f1b73d7644a49b9393a19ecf2ba0ba4c5ad8a2de629e898ce5edaa68cef231

SHA512
bf623a7b92469982fc16895768db2fc50cc241f6d4029fe2113e52d1ba6d5d587b3ab9891ea87f0f84c15d347fe7c6b251bffcb1520025ee18221f1f3d5159b2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
28785057a3aebe0ca4911d743981cff1

SHA1
ba070e3bad1c870bf435202d6bf63d3b2234ddaa

SHA256
38726e71e2bb6f8276888c2a19470fffb4d1636456d670a2e30f422cc63596f5

SHA512
ab705d7109a7ace77f9d42073de0ec81bb9b6f0e2455b2d1d717a9eb7389e6cc57c3d97ebbea824d5304cb16309dec949f5a26a0cd26a6b9b422d158aab13125

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
b07b821df0e5cda7c9983fcf790466e6

SHA1
68e0173a81df4fe611240d5253547cf03e7c9967

SHA256
34e3cf44485ff675495efe07261c2d74011d0a16c1c9a85c146193878db89ad1

SHA512
8fe234eeee96fa363d44d3632d01a0af7728262a1b14a5d5bf5663f8123f1dcaeb30e540c556e0cbc40a0688c5380bff9e6c9ff9f91a0b4a2d3dda138d725b58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
992eb1a10fa7553c1cae0b23e1c72d76

SHA1
59153f120a3aab5be27c8afb9afadd67deb4020c

SHA256
9660ce239f4492713233e2e508bf64de4fc48d047efed5cad9d0f7db7b96bcd4

SHA512
4dcfd6e581be620f1fed8071abf38e19e36ac9736dd79c40b846f3d51a7730895ba41fa1eaf6d493790bdf4d2d38cecded3582ae0d0944310dfa6a9d054e2697

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
03adbeca64bd65552581a97b12fc64ae

SHA1
1d8d54c1f3aa6a2a14b589a6a0dadfff8d38266e

SHA256
28f4e9fbc4e5dc1936114eb7e786b7175b0882fafa61a6e49e69c12049215798

SHA512
7c59d6b9ca1835e761f7b5411f3c821ef5af76af01af178d0fdbde1c362d167abb6ea6558c1bd98d1b4b0d82822661e0bff578a8dd30d0dd21376ddb646ff4dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
67b78d9a783489fb9e6ec242b5fa099c

SHA1
9c591450ba3ee89f02f5968dbb5a5017c1899e35

SHA256
ca9e8fd6ac74790ffcac0ff6540efe024f562be008e63e94cf78307e123b54e0

SHA512
96efdead3b0e1762e15d4b1d861a6aa85dc6e5f6dc9dc2e5ca76817991752b47bfbb1e6963886084e6edd973feb2308dc50f6af7bc9f85801075214af9586d78

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
fa03a8cbcb55d58d0220a78108814b12

SHA1
0c3acf64c2ad494585fa804a86ffa0224dfa328f

SHA256
26d0a409ab57f9fd6b8bb72f05f1d3543cfe3c97b6ae8b44f8d118af57b9615e

SHA512
c6e959dae130e59dede0374539f768d0f041cb03120ddcdb6da77ed9e5eac0647c86e635a5dad652d9b7d7b8acfc071e31e66b45c36cc378af8fa3212336e5aa

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
ba541b9d3c2de3ebe31fd75a6613a938

SHA1
387cd0fcc591e7c6b3e6e0d5d8cec25cd281e0be

SHA256
e83078fc1b24352a325b3b527077dd0de12fe54fa8a44b17ab30883b05abf279

SHA512
a8a17da02343ce42bf1de5a92a0dfc38d8e92854bcd0c1cd6e22bda7fa32f2fe9f2d6a5b4bde73eb5b522fed060b8fb991157e35d9309fee36251e2f21150c3e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
c30e1dc805846def7307ed7607b7098d

SHA1
a3658ad1827fece53e39be4e54da61007bf25387

SHA256
5eb9a44559bd4279bca7e57f8bb28bb456766f2a3a9f735264dfaeffd9e38f31

SHA512
bda74055921edcbc694aaa88818cbec1bb2473ccef96357fed2ac603febac2b1b288a152a368ca641a2d6f152c443b76c2256f053f922f1b9d64003390cb605e

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1d181a7f8a28ec4aa7691e14f85938b5

SHA1
fafaf866565c899e6f2567238633fc396bf59de9

SHA256
fc8f050bccfc299ed1f8b68d921e43b38225cead06791b7cbfd9871669addaaf

SHA512
e4cf7f2750f77acc2ff6531cb144c70e9594d98ded8f9f0d7d649fd61624126b5a2822abb7517b3d1f64f73222399f1a9d6bb381fb44585b1a409cd867ba46d2

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b7c9f5082a06b296a5a9381e97ecab15

SHA1
25914c4a97b529dae092aea82389934eccd03764

SHA256
965d61e4fc1bcf0d19e8f2f56a0b6dd1f648bc509125c7eeb832d8fcbfb3ee67

SHA512
3a1359eedfd81ca83474c9d051ea4db1fcd1990240056a532aded4a4eff48f14938b40e896177720248f3a7e955ff98aaa565f63e920630103e9c4f6c13c7bcc

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a200fc3fa6c256b99969e970aab5956f

SHA1
abe401e14f9f27bc37f87147a7e35925df340a32

SHA256
4da2f45433542c8afab212c3556eb331d76c125fd4daa8ab4831a3672bedc05d

SHA512
ece41e4433e6c9d544792c294ddcd29318bb6749fc96196c5c311d17a7dd69c4638ad28239b6aee20c760c259c09230e923d9c71b4f95fdb8acc989a7484a7fa

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
a3fb6070edad28de2b21cda158a70cca

SHA1
dba60e08d052c77d6f0023c7bc64b3c2770b03f3

SHA256
7e90732d6ccdaa1709632f456ff9c605d1f5a4fde081bd144ac02572275fc8ea

SHA512
bbf81a923097384731f07893701a87024d286e0facc9e2a8e5a62ccc9ce5398e5a1c26938db55132fc9f06d90da75b1486a8ad43ce79450ffc2e8231d0caad18

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2f8c895e41d58f0bde264666c9f5e69c

SHA1
8e899952721dfeb184de6403c07f07c8d9f5cf68

SHA256
68e3384b3223b7eac9809e3e4518426b4df44100f248ffff3dee68994f11d743

SHA512
25b70fffb5e9468108521978d1e33ffd4c8dcd57349ef51e3b424d1239b07a379fa1a4401fd3acdbd8174e2ab3923554513fcb12a8e12527e9c339a3750712ea

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3494a3f39de886fe764c8f035ebb77a5

SHA1
b9644d96b4f91218149743c1caf2fc1e198e8e49

SHA256
69e41e0f07758540d9dfcfb105d97dfd7d28d45fbc308456dd5cb18b9459c010

SHA512
151d3ed3193904a7a859e79f2d28031d1ee683168debfc5d46badbcc08031169448ecc328b905d016b42feafba896a315f9b8bdbe698b8243045265fcce85e6d

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e28c0edf32f1a79e219ca08dcbb66f1c

SHA1
9d28880e7f2b986540b6326df5724bcc0237dafa

SHA256
9c65ab8d391d668b5956bfb8c9ea795cd2c47a398ea4ef975e9f8b57fee0dd33

SHA512
8ff49c1d94e0140f628247cec7a2a8ff7e1d1e5466bcd563e50d6c8d33a2d77ba102e6840302a206652a7917879f0c2bc66595edd8bd7f3396b2cf85d6bf0674

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b917ad52cce687291e6bd83ceea86029

SHA1
23a10c9bb08067ed8df6c484a9da7a39826bd40e

SHA256
0e9906aafc64984f09c5ae2f6b8ef558cdc061607084dbdec975dcd7712aabcc

SHA512
52923132a95d04f985b204d245c68a2ed215599587470f57e1867529ebd930fe9cada9fcffc143681c9028bc44d52e3359e71dfbf9240afbc8ae7276d2f8c386

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
dd17f257dc329d81876486a1047ee57e

SHA1
e798f188ff6b7209f5e44c13b559c866662f8051

SHA256
031bf788f08d48c9b28727f7e5bb51673b861aa20cd218c3c5a9bc81f2569a0a

SHA512
8c1acae7aac37a6f832290f2435e8a8a9c48d9cc6e153ecbd97e53b60ee4cffe08858d1e5fd2a09b06c45c57464876aa6345236c4ea89846a4eda432e567f1fb

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
588445cf02f7bd2d49f5b2043bb5f816

SHA1
5430914d4dece9e7eaa723a358375c01e4aeb825

SHA256
488befdfb6313735f800fea2bb44f401b6b2cc4c365dfe2d9099728cb8311a81

SHA512
1cbff0c84741f4674538623a7bfe38e64fd1e93a0aca67c2da2e8dd5595783b68fd86c45f6eafaf7d4479d6674f6e73741f5cd9b5b98a500b630ee8d958940c3

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5f984c691c324cd05926c0bd13678108

SHA1
eec18e76a6e9ec7e7635771264a24353f2a8d010

SHA256
d293e3bc63a90b37c8a35cb13069aa6ad383b3b7cfc4482c62e28428371f7166

SHA512
a5e0cbbc410acd3f62fb72ee5cc0225d8ea2eff4173e35c4c10f2d9516d33c453db9d9bb9a85f37de25ed0fa48d7938588c856b612e8a4ef43d19015b7707385

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
47897ae412b1d48d297d939d3f920d3f

SHA1
292366dd1f9863d55939d84a592cb40dfb26719d

SHA256
c2617bd450a6fdf155c795159c65fd63594615063a04cea29343204fe9d3d485

SHA512
93d5b44042635e3335915e4e13caebcb31dad3c6889d86d0b555c7169264a2f470329d11c4094413fbe4a893da0c971630ab9a2e184a639153aaee2db5e98d28

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
62d88d70143244bec2c543baaee329c5

SHA1
e817164165b16053374e8ab944b407a3e69f635d

SHA256
07c459c1b4364e299e6f0f0579a9389ebac754c8ca07cef2264ed7cede0fae21

SHA512
b241bbf45cb4f772a3333c64e39ebf40102efcaa2b86feb3f262a75cbea349b73238ca9915878d26f8036c3ca3c2f5a1fee7486423ccbe0f2ca3a3ad1d8b8e63

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
db5a551217c4bb98cc8cc78d432076af

SHA1
ef62dd8d6a5caabcfc430c6dc47bd84558f01d29

SHA256
94be0498af8951dd4749ca0da95eb43dfa6bfb91ed9480d88fc1b7eaaf386849

SHA512
13764424a3d24b7a9f4bcfe83a73bbe8851f33558af4c916bba11a2c640ea31316b6946d3c55cbfc75aa57bd933e4812535f1868fb4d6bde918158b450c6d8d5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
1cac9ca0a5c0462ec74b4e42418ccf36

SHA1
15d7726a573d9e7af59f07f66f115fe5c67471c0

SHA256
0d70a1a849d6d30f3257b0d7dd2c48bd2de11e681408de8dabee6c4d60a3a33b

SHA512
f8804855a11ca741735602ea73b356a02679ca0e0e5c0187e9c977c40c8d054598e08429ae5d00d2b82f6f141644dd95218165cb4e960f7931161b899fa55861

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
994b3d94ec5596e554452e72c536d4fd

SHA1
af017979c840423873d0088486f8fa8c27d7c5b7

SHA256
0b431419e169070aa467ec0f7942cfe02760d5696b6a1c62e38c5bd3a17c14bd

SHA512
443b730402e40ba37355b38e8ba531016101a829a32ad18a2cab3c675a287d111c18ce4aede3d8bb0ba929b18f2112559875e0348d747f5693f3024666757ce8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
dbacf134359b2d64cfc8e829a1782380

SHA1
b05b1d4fbda2bc03d6caa59dce7476ed25f1336e

SHA256
71af96991a40cefb7dcb7b2759d1ec8182006c838a36feb09b523317a47cf96c

SHA512
81a2d1d33430c164b8886c4d63d64f73f3af8b258320d029d63f05e45e17781c655ae0d7abae554b6a4abb40c951fbadb3f2b124be01932dff4142a98ebeaab4

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
535db134abd7eb67d49c2222ddc6fa67

SHA1
c23c0034fa41c4d225fff817cf3278a84bb7b9c3

SHA256
6bf2549bceddc171744d39903b3d125732d50814a17a3cf8c59bb037b45b4478

SHA512
61d3c2531e44ac67ba21af2235bccc69864a83823b37dd7976a840649563030e74a88822e499dcdf7ff4ae21b218eaf77a3746f52f97c1b7f9e461e3f160b927

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
4d6f3054af0cef802a821e5b4017df85

SHA1
f133f6ea2157a6daf35eb9dbdc1c8040cb3df746

SHA256
3499d36c1f38b00ffcd4f56ae1d186650000788a524f8a7bc2429960e769b538

SHA512
697cada353ac73931f2a42c9f9377953e7da840229046e78787dd69df5dd72ab59eaba2f1188d0de26da4470a87eeb91936f1530a1e2b275c82d4418d923e8ff

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
52a13da4f8deff0c2d25325ada40a80c

SHA1
a544e7e77c0befff3a1e9e74542267f4fec02b0d

SHA256
832b01857e52d682f443d81243b22d920ff454d4afa953268439efe56b061024

SHA512
cd4bc3d34445e1a09920a90dbf8af276be995668e8158c6f2233b3d58a2ec0869aadcdb6cde1187f40ffd4609d810c7d6c88b5ecdccce1f82c3c7ebab7505cc8

Download Submit
memory/556-177-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/556-290-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/692-154-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/692-152-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/692-149-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/692-141-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/692-147-0x0000000001D10000-0x0000000001D70000-memory.dmp

Filesize
384KB

Download
memory/912-228-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/912-526-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/968-782-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/968-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/968-347-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1128-789-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1128-323-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1232-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1232-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1232-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1232-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1736-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1736-714-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2424-335-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2424-791-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/2480-11-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2480-194-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2480-20-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2480-19-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2632-783-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2632-264-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2668-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2668-6-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/2668-176-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2668-632-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/2668-2-0x0000000002220000-0x0000000002287000-memory.dmp

Filesize
412KB

Download
memory/2944-202-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2944-314-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2952-189-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2952-302-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3152-259-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3152-779-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3156-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3156-116-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3156-122-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/3156-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3656-788-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3656-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3952-89-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3952-106-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3952-112-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3952-125-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/3952-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4048-46-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/4048-38-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4048-47-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/4608-284-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4608-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4720-275-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4720-156-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4720-157-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/4916-291-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4916-785-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5048-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5048-792-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5084-334-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/5084-214-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download