2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-05-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
Size

1.8MB
MD5

1eeb4d7accef1ce08bab42fa7a14c1d7
SHA1

4d6c7355c99ed34c00bc5ec0d83edb133107a21a
SHA256

2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3
SHA512

c0cbf39c2b4692329226fcf2e27c6c17149b030707a3050a7da388ca3170b8243fcb6772db74e1752673a9b5453a2325b70898df346a0bd579e363f35963bbef
SSDEEP

49152:7M9QPdxwfE7WlFwKAfzuTiDFUFkFMomUj2:71PdVQFwKZCFgFbv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2904	alg.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
1584	fxssvc.exe
508	elevation_service.exe
3480	elevation_service.exe
5016	maintenanceservice.exe
4116	msdtc.exe
1256	OSE.EXE
4428	PerceptionSimulationService.exe
1996	perfhost.exe
5112	locator.exe
3936	SensorDataService.exe
2396	snmptrap.exe
4988	spectrum.exe
4744	ssh-agent.exe
3800	TieringEngineService.exe
4844	AgentService.exe
4472	vds.exe
2676	vssvc.exe
3044	wbengine.exe
4436	WmiApSrv.exe
4356	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\62bab0a0293b476c.bin	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\locator.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\System32\vds.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_102250\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_ur.dll	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_ml.dll	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_te.dll	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3A69.tmp\goopdateres_ca.dll	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5d1dd4c9eb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c145c6499eb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000094e6d14c9eb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005098c34c9eb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d197e24c9eb2da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c02e5c4d9eb2da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe
2020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
652	Process not Found
652	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4372	2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
Token: SeAuditPrivilege	1584	fxssvc.exe
Token: SeRestorePrivilege	3800	TieringEngineService.exe
Token: SeManageVolumePrivilege	3800	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4844	AgentService.exe
Token: SeBackupPrivilege	2676	vssvc.exe
Token: SeRestorePrivilege	2676	vssvc.exe
Token: SeAuditPrivilege	2676	vssvc.exe
Token: SeBackupPrivilege	3044	wbengine.exe
Token: SeRestorePrivilege	3044	wbengine.exe
Token: SeSecurityPrivilege	3044	wbengine.exe
Token: 33	4356	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4356	SearchIndexer.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2904	alg.exe
Token: SeDebugPrivilege	2020	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4356 wrote to memory of 872	4356	SearchIndexer.exe	110
PID 4356 wrote to memory of 872	4356	SearchIndexer.exe	110
PID 4356 wrote to memory of 2324	4356	SearchIndexer.exe	111
PID 4356 wrote to memory of 2324	4356	SearchIndexer.exe	111

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe
"C:\Users\Admin\AppData\Local\Temp\2e30f92d33890b01ed10915137ce7cf5b0dc0976eb07f90f789598fe1ad31cb3.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4372

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:508

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3480

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5016

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4116

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1256

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4428

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:5112

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3936

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4988

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5028

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4844

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2676

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4436

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:872
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
02e1fa8f0c126bf17325d7067664c7a7

SHA1
1ec4869e5b66f75dbd1bcb6ca715d92c4b59f838

SHA256
cae7880de6f95ee4a0dfa89e39dc7eecd53db912fb8bb3749387ac7e556d27d8

SHA512
237947dde518fbc081ec12cebd5e1b8c63bcd2681fe6a28a3315afb5aaf7a4b2f2abccea4205165981c87094753a4e0eb71b2dd0b6a70372321d1a102e07a077

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.6MB

MD5
d0cf2830427f2fdc161245661b7e4176

SHA1
46bc11797431449aa93aaccf8d868c4ffa607b11

SHA256
24c05cece250b14c886dafce62d64fbcdba7b68e67b3a33397c419cee191340b

SHA512
f6a826d085361ce1019d3eea5323c676573050ca28ddbadec4da3882d774340c2c8c7f53ba03890b99c6b3aeda9f540327d8df059aa2c99059f24899487d87f9

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.9MB

MD5
0b6142e9c67477041b3496593d76a21b

SHA1
60ce625bb420e183618ffce7442ae20370d1ac5a

SHA256
4dc4ff844cc77daa4355c4b63f13df02de20aa078768925e6194fbdb4c768d55

SHA512
6ef9f70a66a5948e1fa5a90fa5f1378492572ae4f6f8779f7afca9e4bff85528efb36bb6eb069362a6fc2d5e9c8faa2e4a46cb213f4a990df0469b40484b1070

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d8018da66fea36842e46e68c73a539ff

SHA1
790e920ccc6c431b9bc80ecb47d82b291c28733b

SHA256
753840ab0c93837a5e3bb155a19293f2345e56ec00570724dba36ea237706553

SHA512
91f279fc340abe6d5f767ba927d65a14e19245c8d713c656e63473b00b2ba0967d10d9378ddee546cfacf083234c378621c8aba0542b2c549b58ed5e00e503fd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
fb761434ba552fac8dde88e87b186ed3

SHA1
30751d0a36c3b91d84cf77b66596544493346963

SHA256
a609d44cbda3125231c15ed5f470a68089ff0685b19ea1da618f68758ae56bfd

SHA512
c6ed77c11de689bbcc5af46fe4c6223947eae9c87698b823a7434344520276dc14fb2f83ebb527eeea2f638402f355612d68d744a4a7b92d71a177f91b74b1a3

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
b4ea2cfaa8d9ba6ccc674dae8c689b30

SHA1
47bdd1f941cfec9c1bc267fbe88d253d994e7f38

SHA256
4b25387540aace3c0d3e6e382622e6240b64ba0f7914aad1579fff7c7ee6e678

SHA512
c2ed14c99719ec1b399dcc4304aaf99629a391b69f25f1a20794e62b62f41c2368e5c2f7628b09f1932621e6909f4d0833a35cdffd35fc4fb78152cf74c09659

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.6MB

MD5
ef4d8b9c661e3253cc17ca16d87b1360

SHA1
da6b2138183bc242b01da5a40d84c02e734cc10f

SHA256
8ef1496b993e460ae8ccf3198dbcb667881660ad010a107913f30984be683703

SHA512
1bb500d5bee9fe12fe3f551eabe217433a14916a4ebd649827b50459ba690cf287545a84cf8161abd391b27cec8498e150a468877aea8b686b59ad6204d887f2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
8d474455efd8287543492fd15449ee1b

SHA1
974ca8fd18f89327a38374dc74023e8dafa8f100

SHA256
6c5f422161573116f9e35826da9fa0a86b7de9894f95ad38c9b9627ed0cb16ed

SHA512
a0fdebf4b01c6b6f4bd0b681d66042e6f1efa9d1d1f2ae42da0d3e93019f6cd94db7ef79d35039eafc73cb40c3f557c65c922799feb55552cb02cd882e91c25e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.7MB

MD5
a56a1d16fd7f115858ba3b2fcc980925

SHA1
051d0725b6b4d88e63eb69f7a9f96aec02eb60c5

SHA256
1dece1a451668f30d98c44c1cf3efede10b5b3d09e26b905d379edbb4a4adacd

SHA512
2d78210b9dbb3a9171359c3b6cbfdc168cd11fabecbf621160aa44644adcdacbeb53dfb117ae6df657c956600e5b736eb2895c5a4a36a90a42356d2462503ed8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
32639f77bbd2e13b394328ba9d450b72

SHA1
f6db9691e25c9224c7413331133bb031cdb0118e

SHA256
05603b3219a5654aa225c4e3fd16dbcac2b678beadf49e91dfdededbd1295cbb

SHA512
f0d9cce15128755090e4c1689897a70d3a702b746a10cc990354ed05ae338e0af181fb145de2087501295fc66482e0e3a35a0954f8f096ce4b00dbbd774eb1b7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
23d88422ddaaaee45dd41b1b31de2924

SHA1
fe3c6ea7224980c0868d9599dc82ffc3b55dfc35

SHA256
b159a8f68b5f4e7d92a3f6a4fea3cd75f02a27ce561bc93d83b08b6db9c89de3

SHA512
761e7cd07fd31169556e0d755a7749c6d1ec0e3f4a1062f71453a6b7da27508b7d4bbacc1b22dc1633565d39f88e696ccc083875e010366993352bdcb76aea66

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
615dfe4183699b92aab70013aedf96ee

SHA1
ce4f2427708c993f76b68e92e1fa84d3752438ab

SHA256
ee58d1c1216e0f4dd4148db8f21f3a15a6816356aae15a45af75f93270938e97

SHA512
7704e8e76a2a6c5e12705727cf1b1891417055858cdfb3adf459afe4782ca77c7a5148edc581d8a260bdff15c870ee44f6fc8bb63891b844a930c8b5806296cd

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.6MB

MD5
b04e3a08ea6c8030ce619a5ac8173ba2

SHA1
9f6a6728b57d49bab77ed1e7b42245d00a1128ac

SHA256
4ea8560658d66ac101b80d396f1de08fa70d3998120f1eec97609f164f362c67

SHA512
3bfa36f01c31ccf32144075d7d86e89f74fa17ef7ba396abc4b13420a452faaef5cd6fe66ddd3a496dbdf0f64c16d184b1f7c8ba87983417b3444170fe4d96fe

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.4MB

MD5
835d1e8a310789afa87a2b80db3b1cb1

SHA1
72d4d9016667b892e5c386cc4780411cad28d70d

SHA256
01763fd53b033fb5effc12e556aaf259a2eaf9d1418c8c680c21e93750140528

SHA512
aa34ca0da2a14deb1b652b7b3fb43d9dcfd57617b62eab9aec3246256904f62777fdbb76569189c2f82c74f57fbec938b2a71e6e5682ab5e17dd67fa0330d487

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
4f11cce154a043ed2fd92bb236f9fe18

SHA1
914248b4088f7ead58ed35279649a43a723fe016

SHA256
2328567b9147aca0fa5568adb8bdfbce2c056abd80de5cfe8382a68824117dd3

SHA512
c470b2bfa80b559a2cab37fa6477dffea983952fc851c86c3f74774393ca272c506150254d63e80849ebe7167c4fe4a290023ad8cdc517826bcd486ca1cbe2b4

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
5a9c76ea09ab562e77fc655c206cd007

SHA1
549e31ab8077836e6e7a6de580d923c1168b3bc5

SHA256
0a524067c52ac0256baa396ed6b8b181a6629bf5286f2196d182a328d2a81c7e

SHA512
94e8b1d34aa1e42684eb7466707b331428ae55cbf49218f0c21525a610c5aa1f70f0b9e0cdfc0ae53fc69ceb4c8eafc75d0fc9368cc8f4c32c414bf54999217d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
ef8049f077bdfd30453d5fa9eb8f18b9

SHA1
cdfa4b4b070115fae62f8cbded4123d595464456

SHA256
c5bc25babc03d5a084cde617162f55bb24311455c183670fc6e08c86e5dc92b5

SHA512
d586349b42203f951738801a668d2c39c83226083ee60069efff3cb6e35eab772bd78fcdcc09cb35fa63fe6f63fbec685ee92dba1c48c58343cbeba692b15c7d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
e77c5d911b12cab35b1426e66e56755c

SHA1
133201b9df414a983b52627300aaa3292d8f599b

SHA256
deffe2e2545b076002229efff0a77fe601b41de8916fbc857b24d90e351e415b

SHA512
1a5db49b4943e843108266cfa602fe9d1afb4e9f44d5e09708ac7ad7468983e3ff61ebdbb5690a399f94727704ec7f82ba89f2437bbf191ae985f41d5f9ea568

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0bce569a1dce469eedd9afd267b80910

SHA1
de01892af268bb5162b7c42ab0f31813e94c20fd

SHA256
24eceb80743ac4a16b507b9cdcacd2737ee7bf81094f42ef0a18d743a8272862

SHA512
ecce089d6f9160d777bb6945b4a1400a75e75dcd4c9bd04560c526e18693ccd8319d2a88b91165b45097113ab00dc902c8c02dd29cd9ff892a882aef4a0d8745

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
987e208457cc678d81d05e3da665224d

SHA1
a6bed023335afbe843c541295bd488a13adb0860

SHA256
a2d5ef159260e8491c5edc50c82ddf3af4c8dd4d92c482d438aec94b9d2861eb

SHA512
a7f2bbf34353efb3b133feddbd8bcff3e5dbdd2e0c0c3a814197aa0fff439e41c5e9e07510543ad5cb1a48b7f9ac9fbeb9b00465a88161673f8bb7ad64569e6c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
37d39a0d1e49d0a714ea1e3309c6a02e

SHA1
d1b44c3eb310b9a92c8c8895e58e02d500444d32

SHA256
96da239665f49954a216fae86055af3ca64c3cd95bcbf094ac3f0d16c1a0fb63

SHA512
3757dff0e79c3e86f80331d70d3c4fe368a4cf0ca24c6686359647a9db4cada0d07fe75ad14aff0ee978c64e7cc4cabe777418304b1834febcced92b7d96ff4e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
b35a83085e820e44e27cd532cded8104

SHA1
62f9ab8c7612de7fab40d77693aca7cd8b3dee8d

SHA256
9adb6b88c5cf37d7fe020a2e6dd86ad890eafac4d17ffcaed12c0798430741bf

SHA512
fad6082bcdd8a50074750000a279840e366eb6f793c0133d0c06d3a83286995fec409fc1638d7ef62070b47846067fb6c0635e57a11eeda954ed2c2a163b4592

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
7f2d92c655af43604562ce0da3c563e8

SHA1
4e4814452db4ed742c1cadad842a53f48655235c

SHA256
281745fe4561bf21ce99781e8bdf9c155aed9954478eacb051212ecfc1f68faf

SHA512
8d94ec20869560ad33197d9aba151d7159c18012786f0bebedd97f895f0c384db21f095d1c9f19d5bcd32044b097e313973a44416b6359aae891f33f4786cff3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.4MB

MD5
64fb75efacb0553dbad42917156cb4b6

SHA1
fe942735ea3bae12cf55feff54c69a2899f5f092

SHA256
4aae24eb5ecbb6b018d750abf131dec0b6b4f35c8ea7c3acdcd31b897d37b757

SHA512
8d12f2c818162d6fed24ee238602ac3903ef1bfa3048a30dc8d7c4c830dcfba4aba2368b1e4582ba0c45c2ddc58ea3692619e8e0c0ccca835653436d861b296e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
ae024e6232d4e974cc5f9166ffaee162

SHA1
d0c92a200331c7a63ad3506c6497ad594c9c7dd9

SHA256
b5f8c28a793eae9a7000befe095f27ebe9f41d5b9327aa05b237feb5cd17e54e

SHA512
798a2e5ab44c30558824382c7b94ae3b90e3484ebcbf67d2990d131df3002b24929f708bf534b1c513090b694d06a5f9a1538b13f660c7d7925bc67692bdef2a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
3f205fc65a15768ea454a3cb2cb06227

SHA1
d873abf0421f7761f1a7ef6e18e0ea074122b1ea

SHA256
21f4a15367278a09041a22d53736199c36de6f48c8cc141cbd502392b97dd0e0

SHA512
7634b51daf7d7d6b711ff221c6019afe74e8ea4dbcdf2b4042ef5f65e337cbb6cc8474f2c9863fd9ddb7a403d6ad4f63c817c16a627c9b970564b4c663d07b4d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
3b83eec40c7e60b707037916941c1f6c

SHA1
de4896893792405d29a82d458231e6cc90fb4bba

SHA256
3fd4cacdc770f5453aaeb957bc5ca50db4e0398b1b9b0a7865151039558e0390

SHA512
f3154b1530561b6c8d9f467d905f2cfc31686ae6a98f186c688b2b027572941cce66d203e2006b085bcd6e89ea8818d6efb7d450c45adc104c2bfd80801df39d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.6MB

MD5
2a3e2475dacc29ffaf62343939580dcf

SHA1
43e9419ed98d27b98a717db65cfaf7d646238df5

SHA256
1d0029aa91aa29cd35320aeb5d032ff619373767d3ee357353c4b4a833efe909

SHA512
dc97d129b94a4ae9ec6025b70346187221776269d5e08f42d40c56935bb51f5d62434ac65a88b2e3b4417e2a8444b3b60b4296acac567c65ca6629f0da288141

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
db3270432e6754879a2d1ff1c2ab841c

SHA1
73e4b81751b6c422bc08df91620020a9ed72b3a1

SHA256
6ea856db978d5cba5ffe29bab0a0afea62fed43d35bb2e1745e0b01dc0f6dcdc

SHA512
63748a7946b763f28fc4face1a3f07a70f3fc4abe3f19bf38101391bcec9dbe34dfc6ea8b993ddb31ca082b36bfff3e1428100b59bcb18e62b170e82830a5731

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
959b0b8baf4abbb539920890a186a11b

SHA1
2f3083b7c15a63242946d1d69c646685a77d2287

SHA256
adf80c7194b842f1434a179389e3ede6e0f3c8cdd6da3dc80474c137750acff2

SHA512
696bfdaa6978d03229da52fa7ebc4bf2ca00f70a2b7df303e6804f3a1826fb4d215e2a682288fb35710ce53c7e9118c3aeabc9ffd190738ebcc9638a0a19ac53

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.5MB

MD5
75fe1aee0d88ea9d0fde6274a2457f62

SHA1
0cf2f08c93e5a133a8538b90c4f342d17247b14b

SHA256
a74d7f63d08a16b7b2e677287db7040e2b5bedf35f62cc76473941dbbb04dd0b

SHA512
6ae9ead477eb7a8c0fc04a4063a2fe7c4615241834fb8f50652fa18fc9560b581522a4b198a4e9499685ebb82ead4b2678dc14c8377f1d7b7b69086d0bebdece

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
4de597fc2f4f3f015764efe7f1293a87

SHA1
0418fe8efe5477a5b5a2710ac9d838d16175c452

SHA256
6726905b0b9176807cbb0eec860f171e67c913cd52f1959514cbd624827447cb

SHA512
84203f4dcc34274081b7f4b0c93f15d5f7705a9403a06095f793c3cea290acc20ff95ecd67752b28fcc6f72d4f9f53cdd260da37552030ec8b66e99df9549715

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
5037f7e4bdeb4aefbdb064ef9f822425

SHA1
3a835cd7b9cefe20c7e7ab2f9e5c32e08ef52855

SHA256
24485b8afa537faf6f148f1c0907024ccb2da5e2df0b2753dd8408a37675ff13

SHA512
b3dc2ba0bfc6efca3606a88723e9264330c6923f3b44f9182775eccbeebd322759961898a304c2ae41953d6487fe958143531c28fa7c26c47fa5a861119daf95

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.5MB

MD5
270cfdd56c187eab2e5245a231c1ab0e

SHA1
18fc50e99cf400721f904598564ece0aaf3a319a

SHA256
f87650c386b3fc7619557993b8d47b80d6a6043d5dd9c80bb51934bee007be09

SHA512
e0ebdc542da9741d8bdbfdad0b773a22da565a1600e7aa2717d9a6b2d9339743d7d8802780a14a51f2493af45a8c87b6fec846330ccffbca1091cc28c5fb0d82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.6MB

MD5
8cb81f641d96c6b21b791632b9cb9859

SHA1
2defd45c7123797b7864de86dd5310bad80f1a79

SHA256
5ec6a2a970ad7c6ad51c081475d6620b2ab6bf70e872b96f3638bb7fd9d6f921

SHA512
d4edb3c5cd6e26a6d4739c7e667fed18abbae03a3a3f9696b4fbb39b6e8cb460126c5a7118e234c0e2e6c014e13abb876caafa597dcc6b8f0f1c9db63a904a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.8MB

MD5
803e83cba5ab2141b1552e81294366d2

SHA1
b98b667756dc27fb2d678c8dbf20d571fa29020e

SHA256
7783d354101da65138477669068cf2272ba02e3dda3dde19f4982d0929f8dcd0

SHA512
c35ee7fe3f333847a9aade29c849b51d4f0ef34b5d7b997c94f202d5a0f8fab63262e4712b83846049dc063517a319a72a116a8165d6bca1a4f039e90ff81245

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
3a164209a5e7a1840b3fffe486e35eb5

SHA1
d9cc17318b9f710b5a23663a7529c03a31984651

SHA256
6680c33e5673ca87ae433a0589cd2d17e9b8edc4e7697e2e5ea8ab6668c0bd99

SHA512
638880871493c4bdf753bb453e81a0f547b50a67b215879017daf6e5b632cba18553c3d1cda9fdff4e94e16c0ba7865c5d532495caf29c63ec2de762eeaa87b4

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
a73b9e3365eda93477f089f3c0f2f912

SHA1
364f7bc2c33c8eae6e77301f88becec065cc9faf

SHA256
13da4ec6c1d79413860d34f2a07f31d74af666fd68a0268afff38312bc84a0ab

SHA512
d344056e11315a525d10b67f18fb220ac17d930a7d2a7a1f129fa2e9546e1859ad6622dc8fcf2bbc51e9d93f17173ffd8255c5ceecc594c533a490d007c7d2c8

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.5MB

MD5
3a7882e1ad203409426786e08d02ac97

SHA1
94a0dbf5afb1bae0bfb4b25959020182c1aa302f

SHA256
664de541a328de19cc9d7cf0f891d3ccbad6c08dd31e3380d9d250049c642462

SHA512
8eb4e66722554bf8ec811b7b018424d489aad355b89695dc84a2c2fb592979e8b88714e96f495ccc875902ccdcc812485b3edf59f57c5df18cb4988ce4f1aee4

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
abfe409ce227b69b7d6a6cfb9efcb6cb

SHA1
bb241c82751408122a714aac79a3df34eac09408

SHA256
8cae324c0ae3c1e258c389bece819c2972a2e5f89ca8247d22897a84dd29ac03

SHA512
7f3bfae93f8e0f4c06af40c7dcdc6948dc9838730826e4e2730cee0e3ca078253f98bac7240c2265a1779b41149913d084eb9c02b48a2bee112f870a65d02b79

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
532d465a100e6cd68e2b3a2fa1f43526

SHA1
9d27ffa4b956cc45963efb5ab201c56f00eace4d

SHA256
eef067cbc7a9415cff16a5a69b6c639fac5de8a954e537e6cdf9ec40c89a2849

SHA512
dc699b701c14a683275ad50f4000b51ec9281dfabbd4262e8443c1b923ec313024783b80dedf2bb8c163ebdb17ede17f8f00d3b53015d9e7653d68533184f917

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.4MB

MD5
67dc8b54838170c5daef635277293870

SHA1
db25d075e071f64a6ea7dd22ac9e1e6ed20587a4

SHA256
dd8785f5d9f48b4b66b7898fd2d793087a972da9638436c4e1665efc907b653b

SHA512
70d09004036287b96e488745f14f2899c056b2b2853daa1193fc3f526cd4250e160b45e03122de6b050a73b53e01ddabc0696fc808f7e0644e5d8a55e2759e2b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
68adb9d159cd46f4415ffc5f94996e50

SHA1
e28edef817d2b7a6b0fe0935fdb645ab44c0b01d

SHA256
c5b2c125e6a8f89b61df80e5622ed6aee9a6691340f4b6bf6db4abc10754d38f

SHA512
70c718b2a27ad687fa6163e49d734fbaf0ca05dd4c48e070d52975c0d9d8935401abe63532d1bbc8dd7d4881da96448ac331aefcefca7ebff1896bb360369078

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
0fcfedad9d21509f6e4930c2c5dbcbd9

SHA1
d085e29bb55a33695bfabba70585517bfb8e8d8f

SHA256
6bd8b14dd94e0cde4eeeff13b4019158868f38a7b3cf6dd4c9ac10f2a9a555a8

SHA512
0852055c652393bbda046d02e80d7d3b0824fabef22b2295058af7a5f10b19b1f931d7e1e1c826152f380c7c17e5ef9d06368276c088523d9713fd5ca2ce9d80

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.7MB

MD5
d1141dd4384e618343e2ca06255119e5

SHA1
b5746214de21e2a3aa9a9ceee7d3f42af67c88de

SHA256
27b2ba1564a01f66c5a6e7cabe37876d05ab823e7f1b02e5b3342af62ca8072c

SHA512
b63b0177a15590f45e3e07a5da2e9b09c00c13a3b1dc7d65e6801596e1340835186e927c1ceeeb2b6c8fad923a4442e576933ed71aa9934a80982465b70a5176

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.4MB

MD5
9fb4b55c2e888d5ed38a241a5dc03410

SHA1
e3a79fd73864ce90cb1fd0894c19e9cb3c4948e8

SHA256
f5de055c21201c6ce3cd81a43b6b7806dc51e0474859ad08089a9b0c4d671bb2

SHA512
7c950666cbb45b31c7335123f99e96fbe12810bd7a7c63084a4e3774304af6495a83293c67085da22e3fea1fb56cfb648021f6d80125134477db7f4cbbafb509

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
dbe673fae357d327992125301018e2e3

SHA1
95d50812c0bf84133f76688916f3df76736827ef

SHA256
a20c9431016bf7abf3f695c8eefd8c9bc0ea7a1f147e61ecd2d496af77d17ae8

SHA512
f518a5a16d87cb07f688147548b9377d9e3a35f99f63d5de9afa946b57ee01529ac2fdef8a85a7a447bb210315049a409b1d80c8a6205e71f6dd8aa754875377

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
eab31aa6cc56453c62a1d560f8db615d

SHA1
3931672b5c5635708a405793c81e4a6afaea6b21

SHA256
735a67d807ee6f6c5879d0d7d4ce6bcfc163191197c1f00bfde985af207d4938

SHA512
f25b9500b0fcd867a963309ff2135d6e72cbeef67b7f05e8e1bb825be95131d3d99b67b8a0f32586fca315f5c0b266eb96261c032cc548dbff882b0757da8d05

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
a36f6890c9f1b1eaab573d4b2ed45d16

SHA1
4350748be0ec3910a4693c0c04391d9f5b351f07

SHA256
da141d7c9e8ff97edf34183c59643dfac4ad3cb517c9485b8f7f5a4b56e787c6

SHA512
8145c2c7614f0d930acfdc5c404d1d48fce2993532b5c3b5e8b303411a5a64e7cf7ed58b7d5e5f463f8144d3ef31f121731022b6bdb367018e884f075ee90537

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
f953b25181daa6ed6388b56d23a694ec

SHA1
922eac34e212faf7f81035bdcf351f174585cf6d

SHA256
9c7dc978b3131450d4d2a4dfea0357798671515e50efb1723786b2701ef381d2

SHA512
04000975435992c542972ee97ab0caddc0e332d3d47987abd4476a155f1b63b701e5503591ed76ad07500caaed76b6233fd9acec030c228ee9768616aa07a26b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
21ef72ecd7ca6b37a823dbd46d26c355

SHA1
6f6beb0857e5a39f97ce83d960aa9d4a00c794cf

SHA256
3b92b3c9cbebcae61a91449101108dc8f0c57fa7633cc4c2349c30b83c7a768f

SHA512
36b91fc54c6ac0ffc4461b99eea24c585082ae9b4bc9c333b8bf6183801241d88324c35a48a537e44a08a422e9a9a051f517142e537de2fb15fab742ef1858d0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.4MB

MD5
2bc9f40b54d56d193092ae0e07867b76

SHA1
5014fb7fb16e53f4425fa71f81b3072c51d99889

SHA256
dab4bda12382763bd7780a68c26dbd1c943255aa848641b07e2d03498516fef4

SHA512
43caa548d7de8f38054918eec3c9f9756ccf2f8d91b978908c164b4c723fced8cef0c95e32008b0d29390924ec5d4dadc98a3ed4a84c5beb376a18a1c96136d8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.5MB

MD5
fa8c8ddba7c0de48e95fb4afd8506154

SHA1
a182bb44377dc9234d3af05f762be62725986ec0

SHA256
f98f2d9736c1a931bf216e4d07bd55c1c95b0b73d41733b97b2eecb07084066e

SHA512
adf043091111c7c9876358dc234837e8ba6515b9b1bb0ac26309f4c0b9ff1151bf2775f1908f95081446e78db3609624690c8c94759ea6edb846460a3bc49762

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
7347d9bac069d898a30975c262e3d04f

SHA1
f963eb2a12e5418232d498f3276728f4bf59124f

SHA256
3a8155d97f483542080f2d59f5f6e5eeac57669d02e6f8021e004d2961acaf93

SHA512
053f7b9b9b4fb3cdc9cf58fdbeba5a37f942380e435b063a992ebdefdb4f5e28a81dddcf81a8666a483bcddd5547d5c8f63eaf26799fa3b3b6fadf3baffb8b5d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
319e26fa944b11b91cc4aad5be19f859

SHA1
f4ebcc1139d2549e8b892505bc62b40f00cfa4a6

SHA256
879c973071c010345d431283ec067c1ad8349d20bf949e31b884146ebf955c30

SHA512
86414891cd80f1956b4bdf9857a09d6ce85b8c1ac4a14079fbbf74d3494546df26e6fd4dbbff361df0eb4ec1dffe500b987f4f3c8d5c61a9752156d6ce092fef

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.5MB

MD5
9698871dfe7e5f47979e70f716edc1b3

SHA1
afa80db6b7e3b582cc37b5317197eb2081349ec4

SHA256
09ea29132dde162c9ab299af161370ef7cc42160c2d8234689a5a21949ef4bc2

SHA512
cff92025bad5abb9594d58eb0f4574e2f3fe8254c0dac0e8da9760075ec7398db0943e6165dc9dda8bf8bc52126db2af4a36e63f190d11cd587f4401bba5d6f5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
45d2f10471ef6703bfa47f1ea92c246e

SHA1
38a6b8793100ec49767f63473185e15c1bc9dc70

SHA256
94efe91e5918d9237ba48252ce81992528c9d26243d25778e377f89ecbb53a41

SHA512
e0dd8721e204b3c6c5718be6e8594ac363e00a40a0db7958c598716e0b749068e681e152f97eb051092fa12bfe90d7de129c966fc3728d9068d834af319df11d

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
5662e1e92fcbd529dc06241aaf4b95bb

SHA1
df6df12d17cbf718fc80d841db127dc47eb0b65f

SHA256
8e0934015738a390b63b7b37d91bfced232c93ad2a5034b9d8c75a3b6dc7872a

SHA512
1cdacf146fe0ca5d8736d47e6c3957e9d551491b54d3baba4fef6795541456a026fc4725afd21fcb325d64a58d4de27ee5f7c9bb6f15749f7855a5e7b2eee4ae

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.6MB

MD5
9edf405b8097c029f0e4b07aa65a8b17

SHA1
628dc54200201a6815ab2b2aeb330b3bdb566cf2

SHA256
d327f6f0b49e53f5e4b144cfde8361b02e30114c6fb3cadfa144a3a4c3e7f235

SHA512
646e6e4ab001434af2327a5e367b38ca587240e6768f0dc148e55d9bde760676718f7a5ea5dcc0c966ca08f170638e4405be61b417fdd92cdeb9493c81d99c2e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.4MB

MD5
a8aee641ac8f51313f56bdd71506be3b

SHA1
59027bba9437f906679c31ec3c43dd1466e66b8e

SHA256
f7049a71f96ea649fbd0a01d24c89cdcc4ba0bad4ec03c8039e21e21e8ea37f0

SHA512
d5d518ff6cdb120bcbf35622c1dcd3f9449cafcb3e4729a5a87d14a0c9d2f1254af170af30ee2598e06ead1f2bdf0242fcb25291dcc648800bfc36ffd6e0619e

Download Submit
memory/508-668-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/508-123-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/508-125-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/508-117-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/1256-221-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1584-115-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1584-140-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1584-141-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1584-112-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1584-106-0x0000000000E80000-0x0000000000EE0000-memory.dmp

Filesize
384KB

Download
memory/1996-223-0x0000000000400000-0x0000000000561000-memory.dmp

Filesize
1.4MB

Download
memory/2020-94-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2020-103-0x0000000140000000-0x0000000140173000-memory.dmp

Filesize
1.4MB

Download
memory/2020-104-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2396-238-0x0000000140000000-0x0000000140160000-memory.dmp

Filesize
1.4MB

Download
memory/2676-317-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2676-754-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2904-12-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/2904-20-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2904-329-0x0000000140000000-0x0000000140174000-memory.dmp

Filesize
1.5MB

Download
memory/2904-21-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/3044-755-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3044-318-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3480-749-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3480-134-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3480-128-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3800-314-0x0000000140000000-0x00000001401AC000-memory.dmp

Filesize
1.7MB

Download
memory/3936-226-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3936-651-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4116-167-0x0000000140000000-0x0000000140183000-memory.dmp

Filesize
1.5MB

Download
memory/4356-757-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4356-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4372-8-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/4372-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4372-237-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4372-571-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/4372-1-0x0000000000920000-0x0000000000987000-memory.dmp

Filesize
412KB

Download
memory/4428-222-0x0000000140000000-0x0000000140175000-memory.dmp

Filesize
1.5MB

Download
memory/4436-330-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4436-756-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/4472-316-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4744-313-0x0000000140000000-0x00000001401CC000-memory.dmp

Filesize
1.8MB

Download
memory/4844-282-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4988-312-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5016-156-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5016-143-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5016-149-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5016-153-0x0000000140000000-0x0000000140199000-memory.dmp

Filesize
1.6MB

Download
memory/5016-154-0x00000000016B0000-0x0000000001710000-memory.dmp

Filesize
384KB

Download
memory/5112-225-0x0000000140000000-0x000000014015F000-memory.dmp

Filesize
1.4MB

Download