2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
Size

625KB
MD5

7559af1e218d7b77a6b7ad9a17850ead
SHA1

aacb971a9aba8922767acf81e15eb8ca2a778014
SHA256

2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6
SHA512

70658f562b42ed2a38ef46f2532ff096723ce8decfecf16972cf6c126bb2c0a202543bc0e6234a6db2c07a5fa1f5cc756336bd854c40fb8ffdaba70a98059bcc
SSDEEP

12288:j2VqZiMwQJXx6a/YvRcFKBsX9Da2XbJda3Q93i8OPowY79pk/DCWN:SMZiUJXca/VQBIe2dhi8OP3YGv

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
412	alg.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
1520	fxssvc.exe
3280	elevation_service.exe
1724	elevation_service.exe
1200	maintenanceservice.exe
1492	msdtc.exe
1156	OSE.EXE
2212	PerceptionSimulationService.exe
3660	perfhost.exe
2884	locator.exe
2888	SensorDataService.exe
2388	snmptrap.exe
4364	spectrum.exe
4316	ssh-agent.exe
3028	TieringEngineService.exe
3140	AgentService.exe
3936	vds.exe
3764	vssvc.exe
2080	wbengine.exe
5104	WmiApSrv.exe
1488	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\bc3c7e6ca29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\System32\vds.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_82468\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	perfhost.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005d6b47a6fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005a5867b6fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000fdb577a6fe7da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007ffe9c7a6fe7da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001ab8997b6fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000005d6b47a6fe7da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe
3536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	668	2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
Token: SeAuditPrivilege	1520	fxssvc.exe
Token: SeRestorePrivilege	3028	TieringEngineService.exe
Token: SeManageVolumePrivilege	3028	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3140	AgentService.exe
Token: SeBackupPrivilege	3764	vssvc.exe
Token: SeRestorePrivilege	3764	vssvc.exe
Token: SeAuditPrivilege	3764	vssvc.exe
Token: SeBackupPrivilege	2080	wbengine.exe
Token: SeRestorePrivilege	2080	wbengine.exe
Token: SeSecurityPrivilege	2080	wbengine.exe
Token: 33	1488	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1488	SearchIndexer.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	412	alg.exe
Token: SeDebugPrivilege	3536	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2252	1488	SearchIndexer.exe	112
PID 1488 wrote to memory of 2252	1488	SearchIndexer.exe	112
PID 1488 wrote to memory of 4188	1488	SearchIndexer.exe	113
PID 1488 wrote to memory of 4188	1488	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe
"C:\Users\Admin\AppData\Local\Temp\2633dcc60bb01aa4fd1f186d05f03b835d54823b10785417e4df08477856abe6.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:412

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1596

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1200

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1492

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1156

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2212

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3660

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2888

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2388

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4364

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4316

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4304

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3028

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3764

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2252
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:4188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ff2dc20ff597c66bf92a093934daccdf

SHA1
ea1cc61ebf4322c6b7b998294c36ee8c617b24fd

SHA256
40ce0e8d69213747659b2692fa4e87aa0cfd20b6b60427d763e0b8105053afb2

SHA512
86d5bc67f204844edb040cbbab854da22ac4aefa9fb47e8ac6e6578690858c7a16229656865b81b6a9c985dbeb9aa4014104a2e5435732423252bec4a3a359c4

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
1e1a156200c3b9970664a28617ab5b12

SHA1
068e3302f4046c8ac8adf1f623345b215b474417

SHA256
4c9fb841a5dd0dc817849e6f1a41f0702f87bc8cd263a1cd382c1331a7fc64ce

SHA512
c14609aff641d145f6ac9a6f972f120f6c7b86690f8bdd0a4d01ccf48ec99812b424fa70465f18ec859e41229bf7dc6546dfe4484bf718134959936d9e0b82d1

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
7747042fc540b1afc90e115c3e454eba

SHA1
8905811950d4b3bece8b27f5becd703071f56f09

SHA256
21d585359d606d330bec0f2f1e2f3c091bdae25b43e7b2b297dcfaae395c0f10

SHA512
2b39f27c25ac936ea1a63eecca8b3040ffe7cd6c5ff66569ffaf0a8df243c3f5e00ab774a55d0f95f87f540a779f2a6799092f72c66cfdd5d5a02c46cd9901ce

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
b74101b8979575160b9a1178ff954364

SHA1
1843f0d52ad306fc0ac569f865e25c926ba456c1

SHA256
0d2c6ef7327158a1293e1643547085ee23a2905d47771f63e2107f01534c4a67

SHA512
641197b8fa240b036499311e5773e6bf14a6ea9f4eee8cc69f6e269541c4c2f9e32d026877c66b849de6ef496be97b0346af5183462fe85c666ce7330ec71867

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
dceb863d115b0e6b4d6707d87675fd6e

SHA1
abbdbe5ae15b3c4ae7b733f0eeb9730de2388598

SHA256
e6e70350805a7ba9bd07f01bc638a94d8f939b09a325b5682a7b0f855c37424b

SHA512
39e880eab3bb6bd76cf026c799ee8ebe365afa5047ddd946fef107cd69b8d6b2ecc7f10485e76a3870e954ed4d1ee4dc707133e48ded0aa96154f377ef8945a6

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
57592757743de753804f8af7ba6365cc

SHA1
704df2a9108ef4bc67f0aa2da8ec972f41b3a61d

SHA256
0c79b125d7866c74fea8ed2de53b7abd76368a799214919acb7d02bb98151c6c

SHA512
7cd5892b0ea9fb0a732f35e6d5ebe65eaef09a0fded012bddc7f1853060f46020c3051bb9de1d06b9fce446cb52bfaea22be0edc941a558a9b769ecefa113869

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
e3e2e9d49184e6b2a27cac8f97097964

SHA1
2923eb9e98a0d29691d7497e86852deddc0272e8

SHA256
ca3a6a8b7520d9ac1dd433c794fc6741ef46e9bb8bc20815a8979cdef3de0666

SHA512
07748f25f6b55dedc2d75b77e52b7bb7d696e7ef9a6b1e4c3689a77e76b9cb47bbb3b2f1e94fa1770017e39bb704f352f97446715a269d637b5ef6f2732f00e1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
753f3ee51486ec6c6704881ee65ed6b9

SHA1
c586ba29b34d0ce31060dffdb1957708cb13fc06

SHA256
3b46e8dd03782d09fa37fde31c3c7b3c0d7c08c3f4b621a7fff0c3043406ca68

SHA512
6d1b0c510a833d468f018b2c29ca7fa349c94380d0ae94a1917510a7a26ffd3ec50c10e0bc6c9b522b5dcc87221bad7345267f4850e5766fca91e02a9f4406c9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
0bd94554a84feddb9cb99c03937bc0e9

SHA1
48496f9bf16e39141836160418247545feef60c8

SHA256
8acd1c20d5fa82230b43b2f76099ba7acfb90872b1cad1b9440eaea064724e37

SHA512
3fe664c3e978179bbd97639a06523fffade11ebee7d40d25427f69740f874a0118de288fcd9290801ac27fb69cf0ce368de8538114412b05d18f077f2d3350d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
009f1c5c711fd8b7889549f3a72bda5a

SHA1
681e4dea445c16d2202e7cd517ba78f4947ff01f

SHA256
3c0e35d1b862aa6dacec4e121aaee6b075962d28ec059f6a6433c0d8c643644e

SHA512
3c7776a65b6f3a8fb5b9ffd14995335636f8b675485385753ab4963da75803b52ea2d05dc5e0dad59652459330ebae85994c4cb88c44d758a2787dc8e5f6ce6b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
f3d96aab24c8774cfea40a0fe65e5540

SHA1
5dc7d0512a305285aa22a816d810d1a6f3da52fb

SHA256
c4ccdf144dcdc89c76728002ae470826ef08c2c84497122cdcd548fcacf84213

SHA512
3028fd4f062108bfc15cf73eb883118088941110955bbd8d26e614d41e7c1abcab0ebd6c3e066452cd30676d3780c734d96fd1b394b6f72fe54e1fe6e9df4011

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
8d642b9069b3a62bd2ece028b6025a7f

SHA1
e3a68ee7884b13e95fb51385d3cced98c06e5743

SHA256
beedc8978194e95445389836e9905deb234a0d9cb2b17564cfb567a2990f6448

SHA512
63e1ea5870c14603f90c3e4e3e8052eefe14914e1f7de7a35f0f6641edf169ce143d775580c8cdb7037def4bdd6dd8773ab0d025fb205965cb14b99ef5521607

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
1fddfc066ab51c346d45bfce21d168a2

SHA1
76301f0442126e0d8a2ed02a2a25a55fd2b3a474

SHA256
daedea2b2d7ae556cd9780875e94e4f2e99617e2f8b1fb314863a0a252923f19

SHA512
88624f4569e7f573199c8faf3ac2ad78e80e21afcf414d4ae67d643b16e0a96cbef80a5847d8a73f8e05b5b228e674cede73bfb3c64dbb8c25456cd20d44e19d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
1d656a7352ac7d07be21d092d0713601

SHA1
af2a7c8a959e6323ec8389ac6333d251d8528bde

SHA256
520eba08b7aadc93c950a6fa4d86589b3ce20eef628ba052fb58bdeca566f6dd

SHA512
8ef3efb51c945db770db7694b4a54f26653274c16105766a7914bb309591640f6759804820f4a1702fc51e1c2ee8aad724f37963ae80f7d626fbe004a5331824

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
a103ea5b55fdcb9b84b1f4ea610200af

SHA1
ccb9cd11f969aa5b82d6bc3b1ecc63fa05a3dfff

SHA256
065231c56cbae010125f596cdb62f570e585e4c44793ed3e5fd1bce70f955149

SHA512
3bcf72cf625557208bd8f5955e69afb8168d5788681150da2c28ab53e9dd9c4c76119636bde66db8578c95f3a66a2da2f723d690a46fcbd6a5cb1efd45430ca8

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
0c21dfdaa914713486513416cfe8050a

SHA1
948f5fea9bf4b93c86d988d891b86c3067cabadb

SHA256
1a7ace303b5c10ccd790c45db6a37b42cc98cda828d136d555b3c448aaee1d5a

SHA512
32a90d66eabfb74c2e320a18179de815f23b485cd6fff6199207c9d4a766480adc2272c2b031c5b14058f389d5afa2f642ec96b9ee575effe472ad1f00cc1bf6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
7a54a9131ca3a9d3a3b90260519b53c1

SHA1
a7678632a3fca9eb111ae47fb61b0a6f68c181d5

SHA256
6cb61f137ecb23bae4c5f4cdd4bf5fad431dcf74eb2f84d5cb9b5a07f37ea63c

SHA512
3e092203e869da650846923e1f3d640487459e3520a754034cc6921c0a8a83dd0d7fc8c4e606a0a053357c86608dd4d42c09cb492c2594983693337d68935f64

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
580601d6b393b42021d0300f9b6ada48

SHA1
7d8c57f3108aef40f07115e351c0a7c013d3e487

SHA256
78a5ed551844502ca0b4eb25f9052425b895c6ad6570fd5700365f7136166f22

SHA512
9fc04ab1b0a7bc45545bef9b2763360e149883b7032c2cb9eb173a0d9b77568ccc2f3fc423019791558993fe818e2e9067e97eaadcc4492818ad848cdcce5458

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1d09295da8286c7ce07e2cbad0faab2c

SHA1
5a87caadf96a4c63800d638dc23ae4b785d7b2e4

SHA256
4d4f2447578d4aa77de9869490d586e8885e4687e57f181ec618d5f0d451971f

SHA512
6f3bd881054fd7b1663b2a9952fe60a1b43256f3be35744776aaa8114d2b66cd45209b851de6e0182c30868fc41f08fa192199b45ea889e4c9bf055ee454844e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
671e4dfedda22fce1961bf571c35a239

SHA1
30616ab82b3f3326cd1004b3dffa8bee9525ad8c

SHA256
4e7846823969ce67b7d2221644b47f40554d06292e3f88e0c1ddb16f92917151

SHA512
fd58ca9a8745454ed35a581884e7cb12d9cdcb9727521750830a53dce684f828c02668dc84ea48cf93bdb18398eba693371b73a7ae4ab3c18e75db1ff4f37c88

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
58fcaccaf229ba739294b2f3ced7e560

SHA1
a689c4e452b55526c1e5f76884f8523d8fe0656f

SHA256
1a0e9df6cbf8cf63a4404c2063f744335f5a7c67b88147cb243834aa3d8b6463

SHA512
359a4308f350d7390ee44c8e7c166f6dfd5401d019f7e2de9384c9a47ac3c8a8c8d49ec5f6805224f049123811edb1a7caefc55351c76cf0b801c77109c492ec

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
1b77a6be3a8b99368ae9e537aa4856de

SHA1
39cb1432b1066d318946f6a0d47609bb909547b5

SHA256
7a821bc82d2d7492bb2878f0e25b56f49c7785147d7eda47385c8369072dcc68

SHA512
3ac68640913f97898e3de6f470ebe02da4b00aeede71a81c5fd810963583a33ee73ee939ff702d17051cb36c7bad05c421258a3e32511036e422270fa37dabd6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
adb365e331921956c14fda7d26d9fc0d

SHA1
c292afbbfcb4c13def9507bf119f1ca1db08345e

SHA256
6d3ed98bc724a36b86a4710f975a976e29b4e470bd9513b1099a338d7ba29bc3

SHA512
7b8df271cdc270a8109d625009452bd06126c67a029072fefa18049a79169f602643d159062756f81c9c576849a7c5a38632d0f0b9b2c94a29c9b20eac1cda49

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
174cd5dfccfdd41c86dfc2cedc56bf63

SHA1
613d6f7f6eda012c00bc886b3b42e327b639a608

SHA256
7535a97d9ad84219dc9e2cd7bb8eb65db9957cde5cf1362e3f789f6fec86ff6e

SHA512
e854a5f92a5d6216f96dda6e8174f73188a9973753a5ee5623bfdb5f3173b8f8b2a60f3f224ffe4611d55ed41440f45e9e25e095247ab072f16936e6fd58f53f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
0f65e64cb717833107c06cacba44ec69

SHA1
0289475c0e61fdd003fb370452ba7b06401a3139

SHA256
45ff90ff3389407f877e1e20a42aa0984db67c82060fd947244a3aa8c71f62b0

SHA512
1156503cf3d8aeb0d6fc17eb73713908b5b783504b3acf0d0a6e3eb251a5060985695ae91bea5edf16998104ed8249b23bb92a4de49f9ea6605a9bce90758be9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
190a3624f9acf9e2c9adc6db25c366d0

SHA1
058f908481a9d46f3ed7d0654b880cee9a3e9cab

SHA256
ecf092d1c36b163352b9902815c6f13fcd1d4b469ce15119ab0d7d646107a804

SHA512
8d7a265139be458bd55b6e50ffb229cf813a2107572a018c5d151fbdfe1e4958a506eef50eaf195359666ca56be9979affbb431bb8368c2f6d442974d49f0e91

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
1bec7611714ba0264819396e49e7b44c

SHA1
786b7d20bab3dad1c56621893046787b76ac22ef

SHA256
cedfd07b11136620f5e1465061facb8f8d8ae4114afbc8c62331cf6002dd96e4

SHA512
138808bf11f3cb25facf67b2270f3477d811a5b214424a312c9a2147f52fec2e4a0ece876a427e73558b39cb0dead0418478930c51da265c21e8a163ae972dd2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
9a5d7469ec47609dfb905b9769a17b83

SHA1
54b7dfa009b6b6b9f49e872895d79d3e44c53b9d

SHA256
8172ce22ca24290ad262ae07fe2b508758101124565d78978fb6b953d4d8d96b

SHA512
92b0af3aed6901919c6c963e38c554ee285400cbd0d48716dbd7754ca4fc94aba0207125173eab03c34519864ebff1e09210f1ef7939f52e64cc9a45caeeb47e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
a0418b18cc50f79ec9344a6454fc9114

SHA1
cb9f6996bfbaedf94b17132b7f3f3614b710cef1

SHA256
c6e61d03189cc3ccb3c2087ae65481d4e9b0255f704900b0d1a06f2745a8ae69

SHA512
bf00138e405958906be73d1f787a93d0f7f69d81ccfb39ff7d8d06a182dab18f6752636099c9a002a6690ad4843b049407c2e9e515e4bfef8694c333c95c09b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
f468044f0aa7f9e2f07898997bf634ea

SHA1
ef6fbd9ffbecbeefcac0cde96008218dda29175e

SHA256
1915f74d3a0a5035b5abf9e75e45438553d6d9ecd26f6e9d467a93c452efff78

SHA512
2afc059cbe7ddf9cbe1344413a5b1a40eab2380adfb961b370db29d25bbd7de9ee59f95bebcf713ab4342b564ffa71152ddcbc52c7d1762fc9441a8c307767bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
467f26c3680606782bb2e7e0c44dc5a7

SHA1
a7de9cb958199e096d5b1ad6001961dac8563f0b

SHA256
71b94682a6f68dcd9c54bbb617c59491203f2d350b49aa2841cdfa934113ed69

SHA512
01960899d2cd5e47ba66cd16f50e762ba5d330a968e55de6d96e1eaec98cd8d4b48c01f51aa0e36cd94dbd9decad641cad2a155f567987bd82b13af7fb51e0a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
3d1ba3e3063425bcf976a53da2235558

SHA1
6b33190ff3f6144ed96540c12d6f8928ffa6a081

SHA256
dc6bdb32c34aa35fde56d30973d500354f30ffc7073a9991e366c2c8937c2002

SHA512
7d1430bacd751572194eab1f0de449652dd9453999cc5c3cb8be0ef9e078c8504e49745592f4bee37ab0faf8f64dd725242d08390c70223f577062072d1f8230

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
1ceb5e496cacbba63922efb5e52b84a8

SHA1
4a23347dcc1cb421273178067951989f27dd9631

SHA256
c8e9a22d196a290ba01ff4ca92dfef0aeb71fb13b66aeb8087fe7e9dc2a882dd

SHA512
dd04d4c513dafcfec5dd7bd408ac123b6830df80a9ab8a825570c24a789f136346357e87d5250c31b24e36a6e9abc2fd941e5730159ed5fc98cf920bf0baf096

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
eb181d5cd7349981473e205bd32e66ec

SHA1
2243bac9985bfb723d9fa6cd7b01d5ded1ca1811

SHA256
7973f11da4f738576c5ef86e5fd8ad3cccb53a644e90acc65a053e236162dbf6

SHA512
195fdf7505d42fd354b378db419f9987f67d74892335c6d66f60f519fee7a9e5fc18fe194bda3280f401b8cb7b5e2f827db723e31ab2db09a28f7e628fba4d0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
568460fe66a0c46b7d4b228a013affab

SHA1
78662cc363a9658e0b2ee7ece43c298971845a57

SHA256
e1df217051ed9595b1e384540058e00f6c11bd6bd6a7708a5ef1710ce6b34544

SHA512
eb2da7ec1925ab75e946ee26237efcd75dddf6b8bb8d79d398f5a861006ecd83a43584b34bdb91d6c2378c85a73e75febd944d74c9c5e2e072d291d338185a74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
d2c388eb8f1adbbf2c8647c6cfbb2a4f

SHA1
7c641c64b4b395f5bfe41cf1b3a40da3a163e322

SHA256
47b01d66266df7e59d6bebbb07ffdfa625958fdabdbe8438724373e929c4ee94

SHA512
234a6e45cae71dfde462f7c9f5135f85560123509b5beb8fede0aa3826b820eafebb52715af71bf97bb86492dca9e035a1c5a724a961c0e163f1a03aa62436be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
eca6effee71c7449422bf29dd08ec50a

SHA1
31c3eb9ca94a45a703e7b550978a526a57a551b6

SHA256
c126e0cc75d33b7a1d8c38eea339e6fe833ebc040fc52857a27be9daf3402b9b

SHA512
e29483ed7e21e7fd240ff292b7c523608b7bd23d88f6d9fbeec36c89486eb2dbbbfa3bfcf8df85afb91e0665087102c7402dc1ad184b4390cfeda3a1806b0fe8

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
2dc77567e0405cb97062344cb1b2e4ad

SHA1
c2d86a165a881efc60fa1c2571acec3a70c744f7

SHA256
bcdf853588160a6f640e26fd581c2ba0f4fb267f466210359cc81d7565f25fb0

SHA512
77febd9e0d288a3e34736b43a41c914c8d117e0963f29013f3bd2c135bb41da31e42456ef2a8687473112c5aa8fa3b663ba6ff2c3fab9322fc8e94034347587c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
6337bbab72d9d17cf66928f381dc15e3

SHA1
1ff433b912eb5ef2d8adaafc7da29c311cdaa24b

SHA256
97a01eae074ea19210fcee53166bc09141a8b5504f449ea60f365b9f7db9554b

SHA512
710c4e15a95a53d8992306ad3c533515c7bf806af54d2d599e62c130b42940ce5cb65e973afeab56dd319c1625c2f3f34ed101d31c87d06dcc082455462ade91

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
41590a63982a12b05925977c0b859821

SHA1
e67d721b6f7944d56e08a3aaca65600be925e1a1

SHA256
8e294741b609f30e7cae939bb946e81a64acec5cbe304b2b558ada6e9008e6c7

SHA512
41af7a66d2366a00b2e69c4c10588b84a25f955f4400024983ed99517ff792ba68af683cd581abca73f9d28cae1e41f3aa5f356e2a961cd30b9d08f016a7dfc0

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
c047fd2ff4967baf177128d29980ad97

SHA1
4fa03158dfb8cb7247f5b78cbf1f065d5789ff83

SHA256
42a7ba932b7f89948b0f8f87186281ba99b66935cedcbfed4b1d42e56c667f1b

SHA512
786772c20773c74017a2b85a21879f4ee1079a48bfff56947d67324e6f7456a543b7a785298125fe88ddcb5a85b4e04a38d13bfe15b48d52f16e14586a1a0bd4

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
9695bd5549508f3e7f76a1f5d2ce7b24

SHA1
ff7fa9735014c8c964c686ba23f26e69719fb32f

SHA256
6b3c846b9d17ec06fe0a86461ee913ba51a58675b8a8768ebddc7f869ccf2104

SHA512
8fe1fab563f768bddcc47d9777c2e3d3c2dee5b6bc8a345720893de71a78ef786540581b54f08a276fd927050cd71efd64459c978b6ee5d734ae0a96065d828d

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
9c32a08307212d9c4384bf345a8c518c

SHA1
4c6d69f7ae81a8cac781a69044636dd488ba7df4

SHA256
1db2b646e35851a1713d300d5ec97d697bf28a75946a256aa9048d65e1e7f3ec

SHA512
44d43ce13b5a3f85fc023d5f8eec7fb04421cb25a0b607c8da6eaf1c6cbea924870bfcc6c74e2cabcbe4efcd35412c3f8e4dd0f58883922e241b194bef429e9e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
22fb0beb3765a5734bc6637dbcd29168

SHA1
0ff64dd1c3f9b229b54ce70190a04ced40314210

SHA256
aacb1f2cf29e1bd22252884cd665651fab98cf2d28d201b70cb69fba13c9271d

SHA512
609df00a6fe6dcd9de068f52217630354ac8808c23e57fb8b44426bf3443a73b5a945a25d7cd76dc35eb479a96d5288c57b23380642241718736bdb215a4589a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
075a503efe3cf139ffd1387999e00a20

SHA1
fca68a86b071b6916e582391401c7fa8998f839a

SHA256
a82e5d6f61ed89812e8da25d5e4f6248678b5e0b29915b4e5526633b8b741c7c

SHA512
8f1e279ca0746b3aef40379db29b97dcb88dd785d5d78aa7abfb2fc29708b7a9e10573678d2e52be97ecee0350777390e016a49cb009b60e209a885b746560fd

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
fcc8821d98daa37bbd3820fe8cc3034b

SHA1
3b306b12791e451cf7b8cad84b5b66b54354e571

SHA256
15de0ac5905850468fda330a3b6ce932ca67a9b3159339a931975cae9cd5190e

SHA512
06a06043b1f709caebfe4a447940ea48d9c9541b1a424b95c3a5e9dec2651b1742f806eb156ab2d5f2cc86e4d3a2bd42dd088d8d10e8c7da575eef2dbd904084

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
a431e4e03f569739c70a2428be612821

SHA1
f34e81b7d8cb176f8ee3980ef11f2c4f92a6a4f6

SHA256
0e5af8cca94ed04ee22b9c169486fac9656d0b2644479e92b6c63d854b63a9d5

SHA512
835084e611767900bd08c614ca5aec924e13ca19f78728570e2a6a227973763c6eb7ca8c000320ca2b53da809a57e7eb96eceaa0ecdde5bf6e93f2fa5f1a498e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
550d4b057dabf83defbea125bb4d9b4e

SHA1
3e90d9f213512025f4a3ce13382082b37bffac00

SHA256
7eff1f69be09384be52a1ec1c5bf75376fda766f16c0e141c2bfe5d4ee08a169

SHA512
eb2e5de5b1ce618d07f876959f4b8bd03572863821b9783b045d6695c2861bf3f69466667a7210345d334e2ed0e5fe80fb69cdc493dcc8837399151ed0e5ee55

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cb30b372228553ab02f3f179789b2734

SHA1
3a951ba02c5107785335dfe872bedb4ca2b91c90

SHA256
548afefe36c628e43fc7da113759a1a08213be450c8865452a66987da5347b7c

SHA512
d94224afb172ab02395181bbb8ad395af762fc0f0c18051c489673a940d9008e3c17f12d085681fa984bdcbb9dc45f598e17302a1a142f5554083c4c93c437b5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0c08587850d70bf07b51f95d5676cc78

SHA1
ebf8488275cedc9e1bb997448aa639d9eeac59de

SHA256
5d94e7609e2c0b21ddd9c7b6bfdc7f6ecc4bdb734b7b7584ff81e7baee38940d

SHA512
d37c5cee4f171bf3f60d073c619f4f8d4d3f0c65759e6f61c39c0c5a0f1afc2033d0996af2131cd920f3dc66ed84712c64abe8b80be588993963ab0ba5c86b42

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
c0c6768e8eb969e442ba923af242bb11

SHA1
ece8e0bb65365ba70fcaef1f94c7239a848109f2

SHA256
bbec116d4ecbb6bd4eb42587d8bdddbbdb4fefc8d60c018d220800ad2900e50d

SHA512
9319d263cf3462af3155e16cf663c5701fabd8ed52ce4a8388327c5f554aeb6c430247f6539484193b43b8d2de918dbb3d09430281f0535f6f2e384901bb6977

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
59bbc9f77864da2b473b5858c829d584

SHA1
f41a49a34d50fb77d5ba33a41b02dd087cb4090f

SHA256
51ea1bed9d799317daaa91db8c08d7955b8c632aa851e37760539f7764eda986

SHA512
0887102ab7fbb09680118294dab93f0f9681d6418457cceee6b20f22351bedc5929e47d86a363ca66ec466d9ddce7032e496438155757214e5606a5bf247b8a7

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
c0c9b37c377d9c457236f36c2304bfd7

SHA1
458a223384af7f435a207d0213ac3fdc6e03efd9

SHA256
cc2177f0ec7fba41b68cd1fa5d19e10adb9ffac9865bd825d0644c5fa1e6b49b

SHA512
f4ac740d9435a62ade0c007065f8940156146b11944e7a89eb269bc8c741493471391f6789d960b85fc808e0ea609bb29a5cce7c73101becba5c0281f13824e9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
2007fae88c5f6d0d6c6da5842dc090d0

SHA1
1c31cfc20652fa97695261afa093d12a8d8e6e9a

SHA256
2cabe795d49489d52d693705f834a4c232d8e4179cda1d7e80824e8167a2cf46

SHA512
4745546969aa0741789c2fe3a784768bdaaec48733a0cc76196b85dfb46ac64b1fc0bf54c603fa432dd69cf7d07aad8de3c7f649091e75c2ee59e2a0903a9129

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7ae91b1053285c98f8482cf73d58d6af

SHA1
40ac83486506af98c7b2c6b688ac78d3104bd05c

SHA256
b4a7b6091b70ae2f5c274999f7a52309f058650356b71ef0dda0c65a1a64ed83

SHA512
495bf950c29a38efbe9ec8e65917154f1df86caa81c26ef32b43d2eb2189bb22b01e8f95a12bb938d2dc1d280f68a78630c14e37f58eae7c07c5487221833d67

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e31cdd169cbc74e975feddc0cd8f9fc7

SHA1
4a085f544615172d56563d875e02eb4506f54099

SHA256
e065a049b45a0259df92b9ab57d42e6ae185a7924430081058f8b3428a29647e

SHA512
159b866ac1be01dc64129539bedda461c8d5581ec0926497a2af5b0e3c68ef5f7a3733274662ac3ac47d833568d32169351b7e78521f355ffc9022efbb4300c2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
931b15bed9c88c93ead9f24d7adaf32e

SHA1
978c1be8499c8c7f5ce95ab30b77a2a7f12992f8

SHA256
6350652016fbab2af6a5c4f7212f4f020d7ef86673cee5e51a7d0f246ffaf309

SHA512
2e00cdf7190f489b1114290173f341f099dbd653961609ecbae04d55c754465178c6e80d63b8641a4dc9cd7eae50b5a74f5654c13745898aac7132f13e9f5a58

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b61ac6b39e93b284b68e624fb05a9902

SHA1
e6ddfc0b959ee4598db9ce491509c84f8bfe2659

SHA256
57c837f63ca940820f148eea67001c2f3b8e7b0323eaaac8bf2d316576f5eb2d

SHA512
fb45431bd558de95e7f8a3716e28b278e165c492513d6842e767b8264f124015bcd21f8cc3d83f9c2b45ab27e5cd261ce94eb1ec48193b04e8dc8667791b095a

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
5a727e4f7fea3adb60fe24bc700254c3

SHA1
5d29032c5dacacce2c2d60be2dc533f31b7a62b3

SHA256
471c3d47395234c8681e5fad4ddab193d32b3175fbd31e30ab1e30025e1de5eb

SHA512
706b17ef120c5e82d1941ae1e3270c3232f2f76b21f625882bb26c41e16d801eff9cdf01127a2b068f00e4548dbc2ed17c8220824bb9bd8d91c8a815285f620a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
f80d92b1eb9f747fb50204d4ac2c97da

SHA1
e29dc729446a5159def9c950b0fdbe98a15b03f7

SHA256
ffda6367983c4858eca0509adbc334f0decee8349fa16f2c04816c6ad74f44ed

SHA512
2fd5110201d6bd0978858fa404b967dc8eb283c31a3de40bfb03464e30eed3000967b208c00baaa35e17b661e4ced7204d6fd681d2aecc1faf26f9bbc2b3fb83

Download Submit
memory/412-11-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/412-19-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/412-105-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/412-18-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/412-17-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/668-89-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/668-6-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/668-2-0x0000000000AE0000-0x0000000000B47000-memory.dmp

Filesize
412KB

Download
memory/668-447-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/668-0-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/1156-224-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1156-114-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1200-85-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1200-74-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1200-75-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1200-81-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1200-87-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1488-742-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1488-282-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1492-209-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1492-90-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1492-91-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/1520-46-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1520-49-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1520-47-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1520-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1520-39-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1520-44-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1724-186-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1724-63-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1724-64-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1724-70-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2080-740-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2080-249-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2212-117-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2212-236-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2388-438-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2388-170-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2884-139-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2884-260-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2888-279-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2888-600-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2888-152-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3028-602-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3028-206-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3140-222-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3140-210-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3280-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3280-58-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3280-52-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3280-173-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/3536-34-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3536-25-0x00000000006B0000-0x0000000000710000-memory.dmp

Filesize
384KB

Download
memory/3536-138-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3536-33-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3660-248-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3660-128-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3764-237-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3764-739-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3936-683-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3936-225-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4316-601-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4316-187-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4364-597-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4364-174-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5104-741-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/5104-261-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download