507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14-06-2024 21:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
Size

1.2MB
MD5

05e4ff00360653463f0ce86dc9b9ee37
SHA1

25fd32e340f361d1bcf7f1be804acc15ce1ccb81
SHA256

507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1
SHA512

0e34fcc1a3fc4737f2849ca1447488d8148d4e577d5f170670ccdc4087fc5bfd9fb71053613f296d13585b3f91f3a96f0dbfd55e7254b773644bec45dbd14f7e
SSDEEP

12288:w2txKXfxTHP5vDDtbxTezGwd7EM5dEfp5MkVK93P+SdkSS+C3/eoPdBvn:9txKvxTpDD6qrf3MkIkSFuv

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3524	alg.exe
544	DiagnosticsHub.StandardCollector.Service.exe
1532	fxssvc.exe
1760	elevation_service.exe
4440	elevation_service.exe
3992	maintenanceservice.exe
4888	msdtc.exe
4404	OSE.EXE
1880	PerceptionSimulationService.exe
4444	perfhost.exe
628	locator.exe
3668	SensorDataService.exe
4284	snmptrap.exe
3760	spectrum.exe
1744	ssh-agent.exe
1152	TieringEngineService.exe
4988	AgentService.exe
4596	vds.exe
1060	vssvc.exe
5072	wbengine.exe
3544	WmiApSrv.exe
2360	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msiexec.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\spectrum.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\System32\msdtc.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\System32\vds.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\wbengine.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\locator.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\vssvc.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\AgentService.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\a34ccbebc3a5208d.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d1e2a80a1beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000059933f80a1beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000085dae880a1beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce321e80a1beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e3942080a1beda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001fbc2780a1beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008eba4680a1beda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe
544	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2196	507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
Token: SeAuditPrivilege	1532	fxssvc.exe
Token: SeRestorePrivilege	1152	TieringEngineService.exe
Token: SeManageVolumePrivilege	1152	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4988	AgentService.exe
Token: SeBackupPrivilege	1060	vssvc.exe
Token: SeRestorePrivilege	1060	vssvc.exe
Token: SeAuditPrivilege	1060	vssvc.exe
Token: SeBackupPrivilege	5072	wbengine.exe
Token: SeRestorePrivilege	5072	wbengine.exe
Token: SeSecurityPrivilege	5072	wbengine.exe
Token: 33	2360	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2360	SearchIndexer.exe
Token: SeDebugPrivilege	3524	alg.exe
Token: SeDebugPrivilege	3524	alg.exe
Token: SeDebugPrivilege	3524	alg.exe
Token: SeDebugPrivilege	544	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 5292	2360	SearchIndexer.exe	118
PID 2360 wrote to memory of 5292	2360	SearchIndexer.exe	118
PID 2360 wrote to memory of 5324	2360	SearchIndexer.exe	119
PID 2360 wrote to memory of 5324	2360	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe
"C:\Users\Admin\AppData\Local\Temp\507523679f56074465fa75d48ce35279c2fd42cc1aac8f0478ee594328535da1.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:544

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:5060

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4440

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3992

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4888

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4404

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1880

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:628

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3668

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4024

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1744

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5072

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4396,i,1067197275908310731,12785105794523264014,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
1⤵
PID:5012

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5292
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

Filesize
2.3MB

MD5
28c6eebfe5e64c6bfd0a02b7a061a606

SHA1
c085092c36b797f3a3d1adef81c9ce96769bcc28

SHA256
0d91096772ce51b4748a09e649c579e9c4be00611fd58067060ade683e564a2f

SHA512
b97b7eebc06a877e9ab30428a3d5af795f0a254f2d02c863cd6110f346b64c92b719ecdbb852bdea19e37f29bc7d51dd0012ac8dd809fae7fdf351531baea3e3

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b579f0d5771ec271297a05ab7c5bc6c6

SHA1
d912a384142488055b9e424706e3ddd719b54f28

SHA256
956d71a3406b3e7e0c85e1d807248fc8565314131a0d57fa1c4e6a9dc648bb43

SHA512
1752dbf0f5d5d2fd5f57c02ec5db089cc0e16ee639dbf43eb11f2645e8eb5323e6252f72c3cf50982a77cb82ed0b6ba94de6d50143c84e89b611971ee45c961a

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
5bd0d91562c509bf8f47eb2b4f70c666

SHA1
eec1399a408a7a629b0c3d8529d41700b45fac4c

SHA256
b12b47a910f96a0f5035032bee7d60fe366fa4a3b85172a84823fb5fa2df6c6c

SHA512
3b53243beb3e9a735b46e9c8f5261ef858350c8d761d936a44857d7193bcbfb3cf54a5ebfef403aa38a73c66ad2e9aa479eb53b9cc8b1dd1c06ac9eecaaed088

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
5ec98676f7250a46afd1ade9675ad274

SHA1
e4b06f2a55c6646cbfd504afcadcc5764203adb4

SHA256
e639ad412c7cd56b9623dd3b8897e5edb2f21985e6afb3dc5bfb011fafc66e8c

SHA512
6bcf719f6497a2acae7a0a4908d9b49c92fff80697378123cc07f5987c92ac08d943e05b12e1c37ee83ede36b1488beff442ae9c0c2d2c302a6f4339910b50ed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
6632031a87e22879559374f33d99bf03

SHA1
846f57e0883427b0c0465d63f976fe274cd6f51d

SHA256
2260edc3f26acecd3b202198b978accf7788e1a532f2f5b8d3854650a71bfddd

SHA512
acce1b88ea401cc8ef6c140636e874ac3c41445ea7eba395b031e1a5b2f9975bef16b0c115d9f88f257765bb2700858b596b7c2a95902d2e2bdd778a95b1f15f

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
56916c4d6385b3fdfcd20c5d9439f55e

SHA1
58d2c25c1b8c2251cc05a3b5f2b8b40eb3a2164f

SHA256
aeec57f063840830ab8dc692b64d1aafcb223aaa74e50bedac6707dea1ac4347

SHA512
deec86589de18ce5d163b2a218952719d01deb3775fe3fb0b9abe8b159431f1d99752d4bcccc5d5b3c9c2a17f9555ed85a0fb37b5fb8830b9b0d9776ac8aab0e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
b03efc76a708926acb88ee4d054bc3a4

SHA1
a65604670746208742d4bf3a5e05fed7a8c97936

SHA256
641fadbb5e19fb5a3c5decc03a6fb25dd153fc59986eb7afd3a1d95ac24e3950

SHA512
fef7512038214aee9de563856d3db81b7db8fe8b7efe0ab0d1971ec8f1cd89d815e1cbfdb4290ea262498f9f75b50cac929f9cd730f3d8f2646936e3f293aca9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
355b80a77dc2f1932295151d2b2e9e1b

SHA1
982e72844732cfa2c495885fd09e275f18f7c961

SHA256
f7d79a25b3e2da4ee5fa140761b7ed23f361889812422e4cb4b9134ddfcb2ced

SHA512
c69b619efcb39e604da24f7b3a549aafce4c7e3abf379e5bb4a626650a263669472b736059faee9cd6c5433061278aa88a4740eb54e5fb68ff0c48fdc2cbaa39

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
f6e54a971581d96ee0dbfcb740a02984

SHA1
55546bfb0c878556b8de6fc388073c9894da929f

SHA256
d04f55400dfaedf0f11db8161d6808c050e203675caa2842f04c05a20c72cc7d

SHA512
9040603b19384af6118f98c48f67d1bd4a8934ff7a04c58ad92a5c5eb2fdee1f45ffe1f289516c757a7dd5f300963b649d4c0f09f58862672e01da2b601763d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1a6ae820e7e99e932d0164e9328f68bc

SHA1
f22d142fda95eea1b80f0f9f922af35b6173f28d

SHA256
4a7bd02dc08989157b017540d59a2cc13bb7947c1a49ef176536e4ed443d5b1c

SHA512
397cab45cae0d722e4b08f9e98aab9af779e95c82e5da63dafa64ebdcfda600271244999f70d188f5922ee5d2fada653c408660a9daf751aa0115d41326dd4a1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8533650085ddc2414a0e2a09f28cfad5

SHA1
5896823531412a5757d521e8c179a12f01f02a5b

SHA256
4c7667531b72dfd287c4974a4dbc928ddf001a1b8c2f268a360db6cbaca65cf4

SHA512
2b98a1cb4b78bc45b18a0f2c0c687b9fae6af3a528eab7a9c860d3e2191d1349193fdb1685d63aef963ded06d503f2e0952cc2afb3047868527424d608e18a80

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
66bca76e7c54d45faad50c3ae543d5e7

SHA1
17fe11ece4e7e6afdc31eb6582da6d79a3954083

SHA256
4320aeb451e237c67947a075f04d76b40730e2c0da71365d0eee7bdcd2a7e413

SHA512
01594fd1bbc4fb50829bf6f8a31208ab985654c1f20142986b44f2d2237460fe7e548d3c4b061ae4804cb3576d3a7e57d5af90dd3a3053d10fab948d406e638a

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
46ab6fbd38827484bba50bdf5442dafa

SHA1
b74ac23fb01e238ca8a7bef9652aaa604e0d187e

SHA256
d089d0d6c05b5cf6e36ced7aa30fc5e8f201e63477455160da2caf32fe8c97fc

SHA512
f6c5e26bd6fc860505af9948a0644f7b70d20a05365c0a0af19c3412b3b74dae19b3bb6700b26af85cce7baf1d8f7dc202f31f775d7f21a9eb7224ae456bb046

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
9a6b8cc9cef82984ee986d6e68e57468

SHA1
828f002a387a85864672b43e0d59b9dd1690315c

SHA256
b2c7389acc088cff1af19c45394f8988ca5d78e7b1438fe7afb047a6649bea8e

SHA512
a110b2e70b6b0651205bf7336dd68b6dc996a3b297ad04ab019538c100b49a703aa98ef7f7835e018afd328cfb63214f5bb5ea52f31ce157723ee62cbb3cba34

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f2001cca7ceb5c5bb47204d8a9e71099

SHA1
767f4d83740ce47517105992642a4e293b8bc4de

SHA256
7618c74a8c2b00de83c7c7babdc4e3cfd927b53e6bc3f79624be08481d827f79

SHA512
5447b65fbeb504fe4e55515deba1522b958a8a9f65636b0e4d73640e66143862a124a9414192a7a69109e38afbf14f1418142d4a5537a6ba48adea81a83b2d71

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
95f3f0754b6a7df32fd757b85613a533

SHA1
b4ca7d05b6207e1072d32faaaade9505141db73a

SHA256
102e8fd21443b44a6fe070e66d364672aeb853451ee6290750976cdf5f3cda20

SHA512
299e76fd74db4232a38dd74e4817c9186c52b9cb0775e4a33f4a31d12b0ed357b368ac647a0a10409eafa4b8103b90e48c95e47c142bf6925dd5f6529fdaaedb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
c9abe18f40b6fd99dc8e7fa6194115cf

SHA1
3b3415d5fc644f6e3269a2cf7c502a4ca84f6abe

SHA256
8b0509055d2f2961cffb53db8be68fcf6cbec02d58d49cec65b01ae586791522

SHA512
9375a1d131b60d5bc11b50e89ba3b0e74114fa3bf3a003b7ce560b5db4830a6ade70ed0f6be335aeddfa45bd56c570f4cc951f91fb008c1508e82a9561474c3a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
47838bd0d040aab807960704b36357f5

SHA1
b5269095ca764d5cce6d1286dc54d068f9e05810

SHA256
ec4fc2718446cc7830178ec95e9fa04387aac14203c42fc0d1a5b63e2ab6bf8b

SHA512
80ded0a7aa9d7facd45518846e1d58604cdf7026e9a7231c235c1d814e73c4731aef180e5e31d428a3bf28d0a8b437eada66925d6ea5cd82ed3385f92ffffb12

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
b5b12c71f7a23ad16bc29428a21ba54b

SHA1
c6ace13ed4e613a6e4c3c9d9e36e33544972834f

SHA256
1a9a8faf69fe5f4d3a4bc357ef5863c1650aa78546aeb4b27ba63488d97ac192

SHA512
f95f1046de1f82b21028d0977c826c6b4da6438439923f1e8d6de100e591b4aa7053a8251bbbe3b86b19a6a71341088035f83e99e269c7a66bc23320774c2200

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
6da651dae390ff17d21e669e8b9ac5d7

SHA1
46308d36c471effab5a4b74f9267584d0c300d6c

SHA256
53a60e817ba72320951fa3e1d192f98bfaa83872e1af97a9e932ff71b93bcd46

SHA512
0da376964d1c0a389a5754eb4767eafb0599b648c90e87760d9e97807a009b92977b051f8897293a8729d27f50ea2a5a94d84a80428c097f1b3c39ccd823689c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
14effaa4184c88850096e097491cfe2b

SHA1
a0f58d3a61ed32f02562a8c2fbe827cd81555d57

SHA256
c3cafd9f2984e13060a8eb11576ed3f755a81d50230882ad49666521b8b00553

SHA512
56522da006bba65511228808cb0b3ad6e5a23c3af15ee39300a607000fc2f4792716717d90c8012a1845c062972e4d72de020236372a64fe6ef94be3b5ad2b88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
916a55f8a4b4607ac97a73ea001e3ba4

SHA1
99dfe8b8238d6dce6677ebe57085b2d4d6abf73c

SHA256
677ddb10b989301f19f694abd71020422587e1f62899a861a8c2aa94f5c6c8da

SHA512
22536407f25508dc6131d5ac9835bb1b0a1c550ecf840a334f340b8e7f3f1bea77ede8349dcb1c97ce1121d48b38589e56f938d009bca52a5753d4213492aa67

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6149e84ae18d67231887ad127430b13f

SHA1
d5e7741e27fca74bb4d61faefe1e830a17ddb029

SHA256
16f019175899e2395e54b6ad1f84ba0f91777e2640b5aa8a0aa22fcb4719f56a

SHA512
ce1c32a3167f93cd1a7bee5757a12afaf2e39aa9c28a409cf0507ef207063e130c25caa3a502a4f56d0bb8162d4678c6a7bf7bca71eaef801dc3c12a8aca851f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
53bff2a13b76e5a6e78b9b14b1e82fe4

SHA1
8627beffe70dfb6e17fab63b8b8c3f00526fc42c

SHA256
d7375de347cb254b3728674f9e10700caae4c1650d27d9499ec7c90b35c7e528

SHA512
4b99b5624ca724894d327b8fadb9af9a55fdf47e5700a1b0d104be9e964ea55a71e87ae0329d1f1d1a59d3dbbdef6ccf6f7c6929a8445039fbee836d936298ff

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
6cf0698c3fca58f0e4e993adaade2156

SHA1
65072e93463d7c7c5d641ec058ba84066ba79f80

SHA256
129e9400b828c2313fe6f58e1d769dedf97800bdd309bd71dd873c9643614f04

SHA512
3b30bafc1988bd88b25040263d8e5de249d0401999948f9ad554b685bf0292cb987511617dbf3652d2c1e068f8df6108769c8352935b0cf8e5c3f93c3c378bbf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
58f099a852ad75fa58dfdeda73250ece

SHA1
10ada6a88db696c4abf26d7bdef13623e4f6e2b7

SHA256
4d3261e81ca18b4415307d35a8c9fbf83636af577bbd00cf764753649868d65c

SHA512
246b52d69e6def6dbaf4796c41d1a0cc11e6a2cf4cb7c38ab73e76fbf331bde05c311ccd7e54eeefdaa0d665617ab88ebd6b2fb2ebdaeb155e84408a6ec24f3a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
cc0c7e2e880b73f91e2ba57a1e67c22e

SHA1
69ee3a0bbc631e54ecf9aa33ee8316c1100d81fb

SHA256
10ba481a8f3947ba7b88c4f90446290fe9bc1ddb68f01386bb51b72313e1a20a

SHA512
f392d5de18482a1ca4acad29b9b1c17c457dd6f493ea88a7850f6ce473e3db73828353965b514698db87274ecc598034e4a4d806290ef8feb9426177e16c337b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e95e7490617193d41a36a54bab06d753

SHA1
1d3bd11791aff9e4bac175cbd0ab5b8c52de0659

SHA256
66182eb28d52c3b97ea613529b7172d059c4fce2c13b2b58365805f28829985e

SHA512
4ba6a78f70949482b315859e8bb55c53b9c03fa06df671796fa2bb47c39ebf164e29f97c79614a10b60f79f70310006c834a17e67970f1fd845ba1fbebc5138d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
f81b443ca54dcced0145ff76b64700d7

SHA1
d18fbd2f9fc50b05caaa06e9d562762ecf609d09

SHA256
347b2df3f48391ad6dc3fe8728a7b4e7a614209f3b3046d7caa4846c40fb335e

SHA512
3f0ea7e437929a42b12be3f9e430ec08cb662260e745212efd2d9d26f0a765523c477e87fe5947bc7134ed343a529b7c11a6042ec746b52f997b010dab700baf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4216f6b8de2ab500b7200445df22e1a8

SHA1
e082f494077ebe86777d6fd7dc047314b3a816e3

SHA256
45b5a41b006c0f3bfd4fa70a854d57a8f9718ea6f729c42186323c82d5194459

SHA512
05ef02304003d65a95001a0b3d20ed8f123b6d152da492e0880f5a75205872425ae5d75d05f57c4d2dabfcf654d023816d5b79c8de00210818d78af349fb457a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
150f675d93b5e06b461d8c50f47f655e

SHA1
1977caf91c222e489e370d352391b2b4d41dbca6

SHA256
928031a2c4135e90d9982d0bc675b7d9372af65f3bcb325e57eda5cbb5e7c757

SHA512
ea6101f981a7404e3137ae91aab8bff1aff1082d52d3778c4965d3745bafd5227898f359fad57c0814ebcab56274c6c9214415e880f0abf5532ecae466341b0a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
9a6833da89cd20a94646d3f1f4c4d39b

SHA1
ad3704e0f3b45e1f72e11aa254e2f4b20b43b56f

SHA256
570294dc5869f75ebbd88a2e44455c62b36ff42435911cd888fcb4c4c0bc75af

SHA512
59b7cd94fd7a91b59d02597c41e479e5d0cd187bc06be9256e5f51fad93f2ca5c2d98c094d453e89406daaa14d8768e9eb8cfb7f6539122e78237c72c807ee1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
29206f0624325812d703e846376244d3

SHA1
543f7555637ecce8ee7a068894fe8d049e8b8870

SHA256
894832994d7bd6c0bc53cac2f17e25453bd9ffa44d1ca97beb6e50b6c29b7653

SHA512
8063ce5b791726a5cc22ef530bc34e6bc38aa04beca324da6c9c9c5d83cf5ab09cbfff5c59d22af28e369bd79a363c2aee26b8321cc69705d1e81a6a49aac7bd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
aa2903ce94c42388dcdec591132e35f7

SHA1
5eb492d36496a5a481f2fc88e8b459fea1908d56

SHA256
4a73f56186b0ea4e067da9fd891ba890cbff2cec61e04e73960e3c62f2b24e61

SHA512
38568472508982fcb3973d7be0d431da51774dfb1d5bd3a5bb2ef4fe1a95ccfa4d9b40f2f7b03b527138cfad49fdf3dc4a054cee3ee7daa9ef53c731824697fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
876ad097b6cb26af3ad5394e66f926d8

SHA1
2d0d42fe2fe0c9c79d367c5789d656b9176d20f2

SHA256
fcc4dde809bf4c595003fa3ea0d91473e95a8e89ae2aca881fc72c8b7c990c00

SHA512
ceff1cbd15ad5ce765aa3b161a62ddff5830207f7fe12c2fa6e82fde219ffe22f27bf17163776062d6ebfd95bc2cf23472d72c6a4d642e1191a2893cb4143561

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
f5fb3edd4585485054ebcfa38bd8d5be

SHA1
1ae5de97d66eaa3a9db9885808b9c41c827c0424

SHA256
942cd5ea72d351926d835b2bde727bd28a186ab45fd59e42ec499b8b7de5a345

SHA512
26157f6b24ac44f2dbd6fcfd21828fa87a20cc279a01e06bb8f8ab201bdbeb22b6a838680709a77cda282d4a64620c578cc2dbcc6a5262349e1d264f7a7d07b9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
3789bff79642bc47d2dc2502172348ad

SHA1
6a5dc36d6b88703516e36d399e016c4f6767de71

SHA256
b7624e9ff18b706b38a591fc5c396dd11ca36bc8cb202d4a4c3d31771ddb1a56

SHA512
0fd483879fcc6de087a850889091d072d96b8aaa32100301424f1b656b5343b37a25e655531420103a0d99418a0e7750c809b0aef04349fce6c7cf82c9a05758

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
0b484a8dc50bc1a96f999577a3f5be23

SHA1
0f9fefb7c8b58f2ef92b5fc7489768d9b84b880d

SHA256
93a67379249408f3ec48c30e17edb3f4296bad838e70ba7a01a821fc6826f129

SHA512
8d974c1f02021b38fd9f74ecbb59a4f2be6c1b8c0e9b3ba5d6a6136ed7ca4795526f4c8aaca5419fcc10ece5192d440497ee0672debeb8353352daf91c289a1e

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
febc8188ed7c71aeb02f1da553c6ff9a

SHA1
883127476cefd164d11c3c38b0bf699edb710990

SHA256
205e4f26c046794f3d22538368a4fb57b6a5dc75fedd5441630e90ac80e23c87

SHA512
5b2a44dbf1df0067685e0cc6f19c88ddd0dff1647e5166510f5928851f23f0be31562c3ee9da5eabc0ba5c14efc8a302eefacc8ac9f6b84be976f081f1c2ff02

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
e94f53afc6a8c3584e5b3205d5c0c0a2

SHA1
039afb1ab7f3226c252d15f1206c7725be02deee

SHA256
a54260c6eb1c44a8205a4ead0591d068113fb1587aee499a5e008fef63664e2a

SHA512
7ede96316aa3be98923fe976afdf7060a01c854dc6a0331b457deef442079964439a037da66d05bfb422e600b5c37b9870166a0c584c125572562b6cc31f69ab

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
24fc6ffac72f1e2c4c02f62de6b00916

SHA1
044d286df5846317bce0d962a81aec7757880f4a

SHA256
0e3e22d16ab069bef5d2cc2163699211f20207a95dfb4fda703d533415e479dd

SHA512
46b3af53a3fc7726ce527c70b1c2f6147c8dbc8b2f808626f5a2351e5e83518d93a2abd68f81dabc301b1784adcb6f440e553e782df9a15c7dd1426601361736

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
b394736dbf4d64fc688f1c3c4cd86e06

SHA1
243a3d5062f28c8bd402d6ed576082622eccf90e

SHA256
586afc56221056443d3627f2ea02aac31107cc7a6c596f5d99f04f629148e7a1

SHA512
96b2c201b83c1c05402af0c6f10e882e47363df67393d6681d3b5eb2741513ac0ef474743c1a5f29fcf515c42e83c1989ede4de5af5e346816b6b58211cb2b9d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
945d3e2aaecb8f552e6b1354e6cd0bf6

SHA1
bd61918fc0ce95b7c8b96e2f43d79d5fc801090f

SHA256
b589daabe51ff1e2324cde6b641d46563438988062f84c1c8519bbebe08cb376

SHA512
4be4a8f972e6bef39aa3f2ee242c93e8e277be904dfe1fcb4cf72e248e991ef80fd0bbbf8f6c3143d2208f87bf45bf890c07d774a275e5783bba8a7e59405a2a

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
8d4b3f9f688b1fa0e93526e392a107bb

SHA1
6a1417c5d3b9482358a56786ac5a59950e088de7

SHA256
ff9a6d4b5769f65845ec4649e72f25e51728cdfa43535971c88e6547eabc3915

SHA512
51a783a3d4768ad94e8b35316575a3df36389ffeaca870df86716cc705ee7171ab46fa0d11aaaddee47b194a675b7a26dea979269aad6f038e95040ba8affece

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
379d3bb82b58a752f03d2b2af93a443b

SHA1
5afef79c66de23c166e7584451929c6dcb29e866

SHA256
c4fba6f32fae385deb58da049f02e30f35849c335366666b5bb77751c24f1437

SHA512
b275eb645f6e7612e060d4d3fdbafbbd1cd0047fe5ecc569ada617083d3fbdbc728c3a050bdf09caeb927ef6be2df9176622ebaba4e5e94f33cbfba9cd0ddbab

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
2d88b64f73ea0e47938bb55ed6d41456

SHA1
47132393f4f9e899577761baf43c5ae4af298ee6

SHA256
b37c184b15daa9f1180c1448e5d64951e8c2b511eea93b034c73db818a6cfc2e

SHA512
51773d74276ba5c8200f0a0bc993221cdb0ef1134ddf2c2e27cf02d4ace249795270a5a5a3558e91c2ed1190e1a232fc3066a7a74df2f5434fb6cf00decfbce6

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
e9c2988ad98b52f5ec2852ad7622b7e8

SHA1
04b92e65acb637ddbcd864f75241dea90cbf4fd7

SHA256
a9cfdc61e6accc1686116049246aa78139d7529e3c2ce47e75cc4922c8406c0d

SHA512
a888350f2f1e4dff4c54f43ffc4f3798b46a94b2b862890141f45535a8658a5e47ac12a4f79f64c1209de4bdda91db3aea62bbe14e20d264ed835dbfa0ea8d8a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
05ca7675098339dfb57f80f041dce4ca

SHA1
db491b03ba1686f3d565158e6460249bd5a7e771

SHA256
f780906a95c2421a0d245e4f2df8bb0ccedc3cb586fcaf5de8945af569bb2502

SHA512
e0e180b8ca44da22b61233ba257db5a477842afff4c31437854b8bae13d39874b0038f5f484e91054c9626062c97e63b8d2f2d0edde1685a7122fd94aebc65f1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2405baad472c72ffea981bfcb1bff81b

SHA1
ac6a4705323de2e8201781be9eb9e9c0f575578c

SHA256
1ba48d7741b2647f705766f68a8990d04bca247092bf30cf97c80803a4d33c3d

SHA512
fa1cc44f881f4030d7747a5fe167f02d34b034b369c58be5c15c1db1703c5d3349d38be36df85355648934ab9b035565a7b4367903ec7accba428e10654042f3

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
2a83f1d681f141befb630aaec8727464

SHA1
d70a35ea2491229d7805deb23c722b9438cadf38

SHA256
deb8d5c3620898c6e66664cba6a797f543fa240a3a64a0cebcf9cb013802e23d

SHA512
6f01523ccd3421b6040542a2451d30acb7424f97f03f60c5a89ab51990542213895e3fb3bf6246a900c4715728c861a01c8d3ad9c17e9e2f7bfa42a391228ae4

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e2a91ac1769e65a5f7c7f4347ce499f5

SHA1
8cbaa84d9830cff4ef6ffd5077ab3c89cdd6ea8b

SHA256
976f16545c8c866a26e2811a8648d1b2e4648a6502bf3e55903b8340fad7f416

SHA512
813af8e657577e504a11074c9ed873119c568af3f29f7bdb8d10b0e0791e7ec4631f052ef281e82e6dc10d9ba3f0a36b9b8ca69a3dc504ecb0c8562ebdc8d352

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
5719c656eab185f2d6de4642696f6b7f

SHA1
8f19dd48c30b7250b5028fd3b06374f2d3ea8269

SHA256
eb4613ef16366b25fb59faa7d11a1c1412061f0201807c48a652653fad4687bf

SHA512
d5910d65ef63c996ec147fcfda95eaef0eb93093bf2b5558b9b8285d19cd3502374f236f4a8c642ba2fffe7aba4740838415bdf944ba7010507d1386f08bb363

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f8967e7a9dde95129f9a247184ef47c1

SHA1
1776695d55452a67aa9da2aefee0b1a5a5a7b428

SHA256
e65104967927c509c9a5702033a5d516f2889448533b9ee9e5c82491ebe44ecc

SHA512
50ee3036abc7e25a7e218ba2677e7e30fc9978e1017d62bc224f520813b677f0a4d44130863dc966fdf0362a7c7ea213e26a3d7169881b4e2596eaf2d63ee0e4

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
d9ee7fde57cdf360376f65fa6ac254d3

SHA1
4767a56837666b6e6473cab7360684c97c96fa19

SHA256
8ca842e8158e61cf5e09445daf6b1dea5df7265f989a1e116fff51cf2b245255

SHA512
18b85ddc782e061ad7a24cacdf9e053a9811c4a83996849c6cc5886fefa97e78867bd8dbb38c27069b4b62c1215dfc54838b2e40a4fd04b1ea64ea9fbdc90fa8

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
a773204434efef570b8314c26be8bf2a

SHA1
60d090d215902134a32fdd31406e157f59b68530

SHA256
53877a2f98ff027d66f5697638806824c05ddd43984cd3fba3cf57d4b6d41737

SHA512
1c396a41c824343b445cea758a6470205401ac11a1333e36b83bdb1285dc745c2215abc322b0527f5b81508277dfeb051e79b1a657050feb142b5a86741c603c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
a6985b2a4a7fc6792c140b4dea38fc76

SHA1
0e89967d0e08d51631fc12451db64f9e5a56da5a

SHA256
8f288a4fe818a77d0deda5a849e95910db25b84c3eeb4b9a65b31e105178ce9c

SHA512
79b61b956da2310ac36758ce1c59a19358b86cfdf42b514a885f4a1e567c0cc9ccb7d4f134719d55e6c20ea6287136874cc99c791267bc8b7e1bfe9e4fab5dab

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
acc93876f6f10eeb287601fbf069c364

SHA1
da8c57b0253b53a32e06c45c28c2c696d0f13351

SHA256
76d9665ec961520c88b8303b40940c6a31cc0ddea8254006db6150a10f41b816

SHA512
a833bf3c0b948ade2c208f7edfc49fa4aa5566a6c1ad08c0ce4ea5ddbf938c55d263f257d6703e7e84f4b1b594cc605e04efbcc3de9d9232b93b644047814ecb

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
23150e4348fdbee105943e5a83448819

SHA1
f1cacb1950c8b406a05b402599216f1066e6ba33

SHA256
5826445b24bc0df5ee5c97dbe46278ecf6e9ed77f644f4f0d0b1031a80bb4bb8

SHA512
8c667d61ede8275a117259f9d302264cad218f9ac817d84081fd28d94c30214fcf1eb401c3b7def68fac32c3dc84f6246057ef94afd257d27d41ceee20dc6a57

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5c844e57fad4b6322285b6c7298bf367

SHA1
c312c3adf1e93383008870af9975f2fcb859a513

SHA256
09eda6d2b1f2b5adb32937dd4733ff53aadca8c1b8fcc378212ace22d21acb24

SHA512
bbc1459150e088d51d96032a946605381433709a5e4db964811334bbe0d46c7b3633d22c4d99f8ae2dbacbc7a48b73fe9291cfb2340ad4b1ce467d03537f5729

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
c3e2c43fea07d16782825bcbd5207b40

SHA1
785d13ecb84b0008df8796287b2a2c371cd2cd8a

SHA256
5f58a76e96825946b19465161140360e9ce42b404ba2b3c30b79511136013a61

SHA512
8f1a44c71fcc58899e2d21b4b66f9ef3467c5b60c63c87887ebee9846a57282a60e9a13cb0b7c59e47cea4fc37991e05a16154887f88beee5f6104b50b506303

Download Submit
memory/544-25-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/544-34-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/544-33-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/628-257-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/628-145-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1060-654-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1060-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1152-196-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1152-652-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1532-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1532-44-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1532-38-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1532-47-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1532-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1744-651-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1744-185-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1760-57-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1760-171-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1760-59-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1760-51-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1880-115-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1880-233-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2196-371-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2196-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2196-6-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/2196-1-0x00000000008C0000-0x0000000000927000-memory.dmp

Filesize
412KB

Download
memory/2196-103-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2360-659-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2360-279-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3524-126-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3524-19-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3524-20-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3524-11-0x0000000000610000-0x0000000000670000-memory.dmp

Filesize
384KB

Download
memory/3544-266-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3544-658-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3668-278-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3668-642-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3668-148-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3760-647-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3760-172-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3992-84-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3992-75-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3992-80-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/3992-73-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/3992-85-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4284-580-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4284-165-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4404-108-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4404-221-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4440-68-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4440-62-0x0000000000990000-0x00000000009F0000-memory.dmp

Filesize
384KB

Download
memory/4440-184-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4440-70-0x0000000140000000-0x0000000140267000-memory.dmp

Filesize
2.4MB

Download
memory/4444-127-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4444-245-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4596-653-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4596-222-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4888-96-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4888-88-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/4988-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4988-219-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5072-246-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/5072-657-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download