7c568ae4201be12b615deab92feafd9705afc9ef483cc79d893a44f1051df50c

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1afc64fd7fdd01576f1c80566e114170N.exe
Size

2.3MB
MD5

1afc64fd7fdd01576f1c80566e114170
SHA1

156a25327524395337caae8552f3002aa8839533
SHA256

7c568ae4201be12b615deab92feafd9705afc9ef483cc79d893a44f1051df50c
SHA512

4558f163d5ef734139eec17ca7805a42eef83688ff4d01a6b7dd74c30784d8d628b540f45a64edc0af064176aeb467247a0a9d75cb34204602777be18cebd515
SSDEEP

49152:VQixbpVndRcpfqwYO3u2XoKNLlMDEe/pmVS/F0j0sdZz6N3Q6itmOH:Vtdnfnwp3oOLuB/3/uxdt6N3u5H

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 23 IoCs

pid	Process
3192	alg.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
664	fxssvc.exe
1184	install.exe
1848	elevation_service.exe
2900	elevation_service.exe
4960	maintenanceservice.exe
2864	msdtc.exe
3940	OSE.EXE
2492	PerceptionSimulationService.exe
2520	perfhost.exe
1840	locator.exe
2264	SensorDataService.exe
2816	snmptrap.exe
4448	spectrum.exe
4500	ssh-agent.exe
3348	TieringEngineService.exe
4516	AgentService.exe
4840	vds.exe
2428	vssvc.exe
3908	wbengine.exe
3536	WmiApSrv.exe
2860	SearchIndexer.exe

Loads dropped DLL 1 IoCs

pid	Process
1184	install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e1e89d98696f5a03.bin	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\msiexec.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\spectrum.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\vssvc.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\System32\msdtc.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\AgentService.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\System32\vds.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\System32\alg.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\wbengine.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	1afc64fd7fdd01576f1c80566e114170N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\java.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\chrome_installer.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	1afc64fd7fdd01576f1c80566e114170N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	1afc64fd7fdd01576f1c80566e114170N.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1afc64fd7fdd01576f1c80566e114170N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000070f6def64fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bffd43f64fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c79a41f64fe8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042743af64fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004d4c52f64fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f44971f64fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c5252cf64fe8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000009882ef64fe8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe
1944	1afc64fd7fdd01576f1c80566e114170N.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1944	1afc64fd7fdd01576f1c80566e114170N.exe
Token: SeAuditPrivilege	664	fxssvc.exe
Token: SeRestorePrivilege	3348	TieringEngineService.exe
Token: SeManageVolumePrivilege	3348	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4516	AgentService.exe
Token: SeBackupPrivilege	2428	vssvc.exe
Token: SeRestorePrivilege	2428	vssvc.exe
Token: SeAuditPrivilege	2428	vssvc.exe
Token: SeBackupPrivilege	3908	wbengine.exe
Token: SeRestorePrivilege	3908	wbengine.exe
Token: SeSecurityPrivilege	3908	wbengine.exe
Token: 33	2860	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2860	SearchIndexer.exe
Token: SeDebugPrivilege	1944	1afc64fd7fdd01576f1c80566e114170N.exe
Token: SeDebugPrivilege	1944	1afc64fd7fdd01576f1c80566e114170N.exe
Token: SeDebugPrivilege	1944	1afc64fd7fdd01576f1c80566e114170N.exe
Token: SeDebugPrivilege	1944	1afc64fd7fdd01576f1c80566e114170N.exe
Token: SeDebugPrivilege	1944	1afc64fd7fdd01576f1c80566e114170N.exe
Token: SeDebugPrivilege	3192	alg.exe
Token: SeDebugPrivilege	3192	alg.exe
Token: SeDebugPrivilege	3192	alg.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1184	1944	1afc64fd7fdd01576f1c80566e114170N.exe	89
PID 1944 wrote to memory of 1184	1944	1afc64fd7fdd01576f1c80566e114170N.exe	89
PID 1944 wrote to memory of 1184	1944	1afc64fd7fdd01576f1c80566e114170N.exe	89
PID 2860 wrote to memory of 4720	2860	SearchIndexer.exe	113
PID 2860 wrote to memory of 4720	2860	SearchIndexer.exe	113
PID 2860 wrote to memory of 2176	2860	SearchIndexer.exe	114
PID 2860 wrote to memory of 2176	2860	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\1afc64fd7fdd01576f1c80566e114170N.exe
"C:\Users\Admin\AppData\Local\Temp\1afc64fd7fdd01576f1c80566e114170N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944
- \??\c:\b84a4a1a3334ff917a\install.exe
  c:\b84a4a1a3334ff917a\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1184

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3192

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1160

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2900

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3940

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2492

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2520

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1840

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2264

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4448

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2496

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3348

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2428

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3536

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4720
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
981f966ebdc6ef5b4fa59fec619d9576

SHA1
a82aaf448b39350a9f96d3e7330f0b35e7af7fe8

SHA256
d43f84ad4a61fb3b4a536bf1dd9b64e9332fa6ea1d73f94a6b4adc3ba3951134

SHA512
a2f1c99aafc636ee650b244986c6f3ae9d2a3cb1ea1555caf3d6772638eaa8070f4db24ae8f1d1d4f747bb9d2efc84115c20481217dac3982ad0b9a3b29c828e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
789KB

MD5
50b68990acfd0d0225ba58ed40396c95

SHA1
e257ab7a677e78cf94953bac48c0564a52390460

SHA256
1bdc717a63de2f90b1ab6b7f5b4f5076c11d94f30eb36961e5f727491d0f72d7

SHA512
a3369c358ec96978887bab478927163fae994620f200cea0ec55c4ce941a5a5b63562db51d0ad48cec978a7e1c7418a44c4f21f3f90fcf98a2f45f99594f2110

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
490aad2693835414a44f15ba497e3d11

SHA1
b40f12792cdc8e867541ebbba0636fd4faa3a04e

SHA256
77531a20c3f6c570ab47a2944518e8dc41ee98d4797afabe766d6235c33a4ee5

SHA512
5028c9379ecd554880540659b05ecab2a41a7f94af10aae02103ed22b6a82b7e873c88def0f0908816b55defc6a1a66bcc6d4fe10b5bec6324621677337c8550

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
a9ba57b3b4e39dbc8fccb4ad831aeb8d

SHA1
f3b42c29b4630a2108577eebfd52b1a47501fff5

SHA256
d2ce15b459ae4381a7e9efa48e6ae19b53a53e59ecb8b08380e3e086bcff7142

SHA512
2af59350225aedc11e53d7247b039eb39456e71894dae9c842a3df142ab4afcacd98fe09a526efaf41b5ae307c3b7ea1601baf6cec532b180a061594550f5647

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
1ad3939eeacb8a233087f2093e0964f6

SHA1
99a1abe94bad9c6bc26cd23c9b301375131d89c3

SHA256
f3c9903c1bd748d485b017a2a679d0541ebfc269ee58fd9c62b1115583b06773

SHA512
3f973b46786bf1131f90c43341f4bb6a4928d005f14843304b3e69049ff3b29ce9346a0505ab8a3ca51f457138b3974c5574136d56e12b1fe5992a7d51a45f2d

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
7011c7203bb77af4904af939b9ae5779

SHA1
fc5bbc4142de09edaa9f580390f07d5187f846ec

SHA256
6a9f456491fe92283accbe0343787b929f837cb7b32c15473ef28aae75721375

SHA512
4a7de9e7f3cdeec8aa05981f49b244712e9301f85c2e170dd3c3fef58a06501ceb8992a176e60a68013b260e3621ec3cb44531413f5bf8ece2a31fe316c63569

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
1f3f8fc7f66596b213c0480ad44a7580

SHA1
6e978138b7686128706dae3c8d0d5fb69832e9b6

SHA256
65d18ba73af31ad8068bb954f6b6702ba67f65c9e813c4b31d3909b8b5765b1b

SHA512
6e95969a17a3db0df8c7e157b2b3ee94b736305acf9cd81f69819ca8a5a243e0b9ddb9dd5e4239c7629f44336e2fac26b2f79621dd8ac45214784cfbcfaf98e5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
94df5c0cd84e2a557a3098a9ab1c9c69

SHA1
cada436bf320ab90e33028864e83d6eec7ff297b

SHA256
c41cbad3b2d58f9483e8d493db3a8d3bfebf04f843819a21931ff572f5dd7c4e

SHA512
6aee662d4f06d3759df19f2e9ebb4211022f9a2d17dc66379f7c172967c6a8dd1384e4e58579816e638e3b0f7949790a1e17f878c360c8de9c0d0abc3f4f6624

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
c396d4a5f9fb4269b5ac2461b4c61d67

SHA1
99c0f72a507eee362e80771f6c5b3f71d00de1f6

SHA256
ea12d9f278258b53215e044c885507f5d1d5d64cc557e8706cc6e50ceca6a8df

SHA512
45f0af864eaeed8b148272cc2a0d2c5307f96bc131956c0c447d69964604644e46d4a7169d5de988497e06c19a15909bbd8884040d7446d05774752254554eef

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3f7bbd057f62305fcb297f0fe25b05b8

SHA1
7edd0c91929845248b0c46411aa8367dd88eed30

SHA256
5c0cb9da3a1af815e53a7fdadfb3f541ce2eb9ed41d51349d4d23c48855fad3d

SHA512
8a9a31dbfa9d4bdaf7e047814f34f16ccc29f51eefd763ae1e6782c410378973d2bc80ceec3df053eae3528bef7ef207bda12f3c69101de8371d797c8c0085b3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cab6bb81b614c6241575581e13732b08

SHA1
ede8438089481543c6db73b12ed252c277415801

SHA256
13de687aa9d4a61a7a4b01062ec1c6a1e8ac49bfab09d3a335579e1fd1edd9ad

SHA512
1dc01f38b0ec39c27580463016f6b7504a82975c2bfac56641d2391d8c97d4e1d179bc09c51c9a804f78fed821e382d0cb05ad496f4f59d5d2b865024de7f64a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
38d3afb2e3aa54e74aed5e34844b230c

SHA1
98b791e8365bb1a65c88ab7eac49399e2af0fbb3

SHA256
3f1c6abd8e544dd9ccbebc5d3c9aae8cee12245cbe9eb6c1a608b63129e2f2db

SHA512
b5eca0d3f7efa667662b35c2dc4a4ceb062cf09df9d48ba30dc09274d1536015afd6748915098da45694616f72e3e170e0d9e66b21b682c13b8e65c546ac98ca

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
89e65d8570c671eeda86d6dc367f1699

SHA1
67b5d2e02f18943f89aa148fb1e330b785a58f92

SHA256
48aa6a0d51e5744e47e6c3dda8ab281c85247202492f1afd827f49d99c6707ca

SHA512
43326ce269930738e3f5530174cca18a9182f5e36f9bc31cf80d91fde593be14791d1e0fdad8293685cbacf7a9e9e4853250cf00f560cf4d4dbc1466f77ce86a

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
205d61a751f1aca2da28e2b455de149e

SHA1
f400fee5a726f2820ed192a00ad1d2c2baab5a2c

SHA256
e350039b0fd68135c0490364c4ab5a33c3c2483374606b66d16040284472c36e

SHA512
ab22f3794d8590ce48df5e107081de16bd8f9969bc4c8728eb4ed2b529d1d00fc1e8f5f79f46ea039a5607523e32166659d175c0dc8d0788a164caf5862b1f4e

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
2768225e0847f46139adfff5027974e9

SHA1
870d1c9b34aa5cf459df85b6e46fc76233b049f2

SHA256
96f7e22ac39d24535d620a26edfa6c624064898079af16c7496173803395d285

SHA512
e1989d032ead6742e6ae8fb6ebeac65671c68ce50786b8a882641785f08f60f9fc716b347c20783aff567575cc1da945f262ff7749610508bb5657534a262d0d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
d914047872cebb2066b97781e8bde488

SHA1
a7277a553371cd2c167c83e9a1363b96b58602c4

SHA256
7cf61f1d06809d7e636a59d07d220dc7b3cb3de96fd649586940a149d9d80600

SHA512
83e26af0140dcb821f3dca37350653412a9642c95d07627b0680acf355a77a6005460da530a743433282025d9d999680c09e85e1a734d093f34d95a0876a12a6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
28c2a860a3337b72a8fad04c6779b9f8

SHA1
bdc800178bc620571dbbd96086703c7a73ab4a6e

SHA256
ea7dbf9d9214414551dd88891d936981549123588d68efc157c3c55847e7f94c

SHA512
c1533f56b99f39a20542cb2b27e6f456d3f19017ba7ec11a5fe5f6eef8348271639c590cc880bc7f8a864a45408d9da1304e20e3044a214937557ca18e83334d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
87547e7de8d96b64f8e47dfe3ad62b6e

SHA1
0b224046180139efa0ac9aaa80d40c552f70bcf8

SHA256
3c4e74ec08c8664bf1acf0c7336faa35764c2c47404a9aebbef9a5ac4aefdf1d

SHA512
edba164a16bca371b0a4b6be419e65a1c155074c712b3dbf03aa7704465022331cbe0eed57fdb80fa1a5f26542b269f1c6c96f246b445b3253496d057a6f4a3c

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
1830cf9a9eeaca5529575c30f3d7eefb

SHA1
6761439597dd2c5cb4fa39dc0f935e968a3b77c1

SHA256
0c7b263e6c880a13b17966b62a1af30eb9708b1f6f9d2dc7056cd7d948da5d78

SHA512
4ab3c368144b390d4f9c00a2bd67fb0ffbef6adea1ebc9b734f2813924d3e4a46ad1ba981a79b5ee78483d5101bede027e4d9ac668e3ec6832512f1761a0d2a5

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
90261f02b8b1e0821aaabe1197027bc4

SHA1
cfbee15905418a36ce3d819a3ed8a541b8b5be17

SHA256
a236a32befef325ec8ab9575c64d25b5373c432c57497593f6625d6a1f006962

SHA512
21e2ae0bfdf08bc02bac33bad7e7b3558bfefc64a0ae7774f94e4b2ddc393133f595550d641bc86b3f6063d5cfde035ae038f7fc9df7e972f82cf00eb949aea4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
ab4fd1b80214b03ea8bd0423717f7664

SHA1
1e32181113b382582074a785b9b8513558d3fd90

SHA256
d9530cb72dcb9716489730ecca738ee8dd4d56f2d449ec5e0588043c0ca19bbb

SHA512
4bcbfa1a23820e412316ce7707a35cadf466eb9b45380e96e885635e94e0cab642ef1bca78f4f47dc46d00a3886c0004093f5aad8c079420d2cd3772d2bd93d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
f7e45bc1ce69a962afd8b1669ede0d80

SHA1
2dda560fe0d80f62c59749c9dbd826dbdbacdae1

SHA256
1e586361cb66a9f42f02443ab7382fe7fd48842ed0297ddd16b36ee29cfa6da4

SHA512
cf4012190cdfe521c0f7b4d9fe53279bc77d9b8a80c93d60a516b121623041e81598cdf19817994400996847953d8fd85da60e1c4ea02024557f68a0edc4ce85

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
002e10ed58bbf9bd3752664bb2623cf6

SHA1
e41f1d2dad644ec5b3e0132cfb89642a29454e40

SHA256
478f0b51ef2ae08755f4932b51d4938143a335d5a481c747db04a14de1caee09

SHA512
eb9ebb78cd3279f28b12081c7154506d5d7049a87ccb15e516b6a16f6c18a50051ca21d1f849ff5be06fc71128bfc836e13521774613f5db95a5db43359d3ff1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
1cdc3b3a5d4af78472c6b022d526fd46

SHA1
237160daca95c426c013f30a158ce64c6d0c01be

SHA256
e3f7b99243da2f9d1d619b6ed501e134b413d445ac50b891d99fbffb9b80f4f4

SHA512
42799b4d52f684d5b2e7e1f3265ddfd63575d15ba3270d00762d49d247cd42926b24dabf385be889aab41f319522c2bf34145c3719043a858cf65eb4afa35a9d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
19cebf0df7ca7ee50a7ab0adb0975831

SHA1
aa671a6f0fd513bb3f15a0de4d4e810e17977651

SHA256
65da41c0bc2abf8858885fa08551c6f237563565f0d25af2d868beadb508c02b

SHA512
48608d377d95808a66150ef87c46f3b6b2a0779d1ef3b3c1c4732a31b3172356e9bc7cf099c0800a57633ab0df2e9ffc0ea57e222433be9746aad481435636e7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
a840dcc33bf6b0bb9827c023eb1cb221

SHA1
94f97c503931fb571cef0fe9662363417236970e

SHA256
d3ed048e093db600d9c966f9d84df005c644a58dbcc45d72f290c387a32da961

SHA512
524e1dbeecce0058ecbf0926c9eca4eb8e24247660bfd7915256d53472370945df2be70caf5ddb8fb33b5347c0878feb4f2abdae7f2bae3cd3acfa276d1de275

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
89be0950eed7cdddcbe92da4af5ba467

SHA1
145fb998b280f9a6ed15e22c65deb39788ddd8db

SHA256
42eaea9146792f42a664c4eb09239ded757fc5dcba84509a7d2955deae16c08d

SHA512
b4bcfa6e21caa717ea16aebb3fb9281f0d607e2626415f0ec8f6e6aae1d6d8d637c7be5b60bd2d235fa8faf421edc1e25b8ad1c410082a823cd6858c16ee8b42

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9a4610cc3828c2377a5668c993759612

SHA1
c337375ec694a3e41a76d0e79f70147a255a9a4f

SHA256
c41ced3e7f3ced7b0aecb2841ec914e020298b19eb7db335e0b962494e01cc1e

SHA512
91a05b18e3c300c57b55346a652fc1ee43313e07d8bc3b5fd26be1ae3701ef692b019f0b9db9059a2d91db9b735da3deefa7fe3ee21e98de3d1877553e380cd4

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
e21917feacc1cca119f77641bc957329

SHA1
49978330ab5a370daf81c83f7311691a2a68be39

SHA256
b1c5ed724717d41e67522d6bd9511a9b684f07ff9369ed03c3ac07e59b3f9675

SHA512
a3438ebc7b427e56b80da51839517b5bc10ac63db8879662b5e465107cf91f98926006b4ddc84bff7e55291101fa3b2477abfd037e0d3e5519cda0e91a9edf76

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
bfb08cc0b3a2365aa2a9b5d3606fb5ef

SHA1
032a54290fcf69725820a01c5dabf12ec29e4d99

SHA256
5188392bc09adecb1fdb00c0d20965b6ec60262f06fd9c2d6c2d4fe972969145

SHA512
0e02df816613fb36a2b05ec2c1cbdbbeae990053ca220254b4cc93b81ecb4357b9e2ef9d3b1bc87b33709875a79039ecbeddc57393f1d2b2bc6d781cfc415e05

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9da512f7cdc9418db36e0410dcfd99b8

SHA1
c800fdeba1f3e44c3328049af164023c2c1b1f0c

SHA256
bbd492776f314e42f4fc326d0d92a27dbe12cb4733d49c926beb4c3a3e8bfc7c

SHA512
eafe45024c151e45a1ccc87fffb30e1222a41e1885c063f388a0ce07babda71add0731d9b438ae21e6023762c2ce4d430069a2ebb269c5dff7e885322b775f0d

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
b59fb6b92a297f89dcfe189466f0df64

SHA1
690458c9c1a4bd63ce7374739659ee96efcf1139

SHA256
478d2505b11b92ef2e9d5e2e3de467a484503c5f7eebbcfe8215e70e10f56ba0

SHA512
9d6e8c18bef2113c4fe4d444e4775d714c93acc8f71dd58c51ff3614ee14deffe2f247140a96b59d088e3ef26e428a7e879b73abbb1ce049c27de14ecc37e771

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
5706aac555df4f0fcc789327c2fb1439

SHA1
9413a38a38bc3385465bad7f1e63cc46dca2e0d7

SHA256
1516dac6c622b6258a32f518f24dfb54aecf496ca7debe987351a3cffce2695a

SHA512
fc2da7f4f8e4e3af9bb82293a51a01474103edb456234d4379374a35321ce5035a25fcc50f8e7f9a32f30fce794debdfd7245b5e4ceb232dd0ed9c977dcc2ab0

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
4edc2c41a9dd652622453a7cdaa9f391

SHA1
80ed95859270b9cba0d55001e54c86f4ab2da436

SHA256
05d400a2e86be70f07376a05afcd8f7ea9bb90fa993916e8733266934f4e6b0c

SHA512
b9d714620832eefcedfc9ae2f320f3e6fb0cfe20b91ab25a8590cbc8a900eeb61c9c03b7eb2f6bc437abbd727aa2662bcae46001310bf28e63ee03ae0f6b4097

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
048c605b2eac2932c43f801981458ac8

SHA1
acbbaf7600e929cc76c6f617ba834aa98b9e6000

SHA256
e1012d6f5240181fca2c5b549e43cc593a56e362c3ce356eb0b8027175ccd060

SHA512
6757f39b5798f4e187eeb0848fa2e5f53b172fe4d1c817f5db014c584636061da7a8bbf7aca96ef4aae4d910d850bd87ef054be8b20bbd1af2d1a493fc53c34d

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
22aaeb49a657891a2d00a96bcd0bd9ee

SHA1
84b906cf64838f8b175228b0bd96e696a7ede7de

SHA256
4dbfeb2b4077ccf8cea4d039803c831470d02bba9de73ebc19b4a232cfa5ab6a

SHA512
3f1887c099849f4592ddf4e7f1ac0c89e69120670dbae7e1b15ce92837ba70e71796c66092121b2f9ff83e513ba19fd337e52d46155a4dcb31db74e42ca0e877

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
89a3744c33930999f909148324faf228

SHA1
20b054c649a38a3da7cb21f93d9044c84a67417e

SHA256
5bcd90f5e9712d5bde79f90ee073f002d28233d021122f5e8167e113d7c9fc02

SHA512
af26d42c5b9b72333c28e78318b168c3c5162a8574d60c23fdf4a2aca1749c6987e25d4fd01345e265d4ceb27563532aa40566bd1bd2692cb65c6d876262e000

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
abfdfc33f7ea63e85035d57e8e36fe57

SHA1
7f37ac3a1be8b9db6882d13a42861ddbf10d1752

SHA256
9af578fe60d9a95a1576a876b6d5a0a6780d9e6c528da6362c39bea308382c16

SHA512
e86e2a3cc10e4ffd192f6718be47c599f7e0756704e5e62c03e1e7d65b69895b52ada463d933862cd201ce6a9e0103da1237c57c6037c74b027f89af08c74f78

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
2ce2e429299a150fc6b689424d96cf3d

SHA1
b70087243699221d2c621d4beb56944797a50853

SHA256
fa48420ef9ecfd7e80e7bdd02eb08fb7925b40d61b78db074b4d1136a3ec8960

SHA512
b0a326638fb7cba331153afdf79faeb4209ea5b491fe93a8ddd9aca9ff0c464985d694e916716666907ce618523cd6934affb0e7c0901533f2e5b74ba5c7d302

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
5e7b69184e7d191222ae9ae277f52b83

SHA1
9042c380967f1bbe7346da4c606c6a736e45105a

SHA256
b96b76978a7515fcbe8eea227139e62623b55237b27db19a7fe7f19c9de81588

SHA512
5c1ede4db45c3c4385ac92db7612bac0bd2021e350b8d76afb01c9e5a807b7bf494f71dfa9f72cd1146813fc77acc3b6dda754da2fc67e93ceb22c5ffaf77c7b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4e07f6a658cf242ef2d98935db23a2fb

SHA1
ab50b8b09405afcfbdef6ae4224ae8cea7186a5c

SHA256
cad7f2a1d789a50e79a75c21cc7657d4b8dee00cb98f6f3420d653035e7d293d

SHA512
d1e9961013643461eeeef5acb1c7b9b7650d8c12ea404ff5138eb6dafef2d25ba67cf8c94e59b5be682241085895b0124e6cd79cb42515a3bf5bc42777a1fee0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
4157205c7346435a07e2917c7c247d80

SHA1
c9a41cd5c871dbe2b335d3d4c2cd8a1f75eb26d8

SHA256
7135ff8b08df401ae65243deffe54ed5b7eb380ed2b87466ffd06feb29e361a5

SHA512
3f9dcb7a80237a4f98dcce5bc1ec95697c1b4e9133e38e072d3a0efe2d46862e7763ef3b410c633e7ba90510a15e5b28072d12d1df68ff7f9915980547c8e8f3

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
d6f786676e74311a6f6f28be545ff4b8

SHA1
702f823d46913322d22d4fc900bed9979c82a3bd

SHA256
07b6ebdf17f6cb033d6b05a9bcb9f5860963416f57b6206d25c04e5cf459361a

SHA512
9cbffda3b0028e6277907db7b8e57f781e60f97b5263a764bf7d6595bde28a9e9df645248f4cab9083489d55aa31aaeb2cc517fc03645273b230b72bcb0668b9

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
9c9a68b2d98bd431c5deff90cf9a8c3c

SHA1
699f8c45132101249e52b9a2758865dbcf32154d

SHA256
7af3b1ec0e95c4f14b0013717f89e9e18a6fde6c6be83d48d5cbfb9cdda921c1

SHA512
8403203ea5ed263bbd34b97672c6a4551a88b6d6b61d9113ba57dee5b8cc4a215e23dea3a0edd441ebb8e889bf389adb5737dc5757f00b8902892abf0ab92e56

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
20b37d1ea18f66cec11100d60dbc2075

SHA1
eba82b36234f73feb06b0246857143b13ef8aebe

SHA256
447ff877c1ea78d4f3907c089a87072286556decd4911c5d217fad9807464978

SHA512
542d030f38f7297964e836d3060538fe9e9d667bc47bf6b6b1beae173c3bae1638351c77c164624a45081de3fbaffe900e2ebc8f8e8ac7703bb4c88504613031

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
e59f2307d4458d51f2b7d0958b4f3fe9

SHA1
768ca16793db2b1241c4ee2383320b0768acc76a

SHA256
461f7c4354482cab5dc39bd30895b13342b00d725e77d2766ac3ea779c71fb24

SHA512
8b338b3b728f66da33bafb2c44e417084dfe8358a3b7c8e0ae4bd2fdf98deac6884e703a95d37d1f60a110251180de71536b10222162dd6701e85818b4be2c18

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
340df536b20467eed29e91794b29f996

SHA1
979d251dd8e688be96897790764caa1c13d82f25

SHA256
85b2fc379174e3141b1badf0129bf93a84b42d01bf178c6c73d1d62b3a238989

SHA512
17e7360e40afdd46d2a3b50478e888cc4a6d70975afc0f25055c45150f6d43355db97ab4e7c97667ba5660ca97856dcffdc48c6aa187810c1ded870649de9bee

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
79bfd3c76ba3ded635672297f24961e0

SHA1
432912cd6694e147666d18f1671a8e95ae4e7339

SHA256
44336ddeeeb56ef42b617d4ef98ade5366d5152a99478adcd11f2e5d4749f9b0

SHA512
9c117c79297dc5486cdb4bb2639fbb3571cb149941a5900a3dc03cbf8e194e8d25de0acc81af9f43a46947ea85f8c73435b9f3761291b9632771fdc88da6a860

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
6a40187685a02847ad1ed3bcc1230651

SHA1
48637604571092bd18b6ccef77be23140608cfb1

SHA256
c63bde43a593fd6253aaf96b664080ed055d10a91712bb2fb8d000745185c21a

SHA512
a83a12460028e1961f00ef729627aa41f4ff9e64d3b7be6be745e03444c534a7b443bf66a89a8b44a8605c19a67623c77171e8d408452dc186b34d1aec655f39

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
c9682b817fd18216382ebe7153888ca8

SHA1
f23014eaee4699123d8283a10b2d7ac42bbd2d41

SHA256
1a516948b139edfa1f9d513420449de86e38ae5f066717cc45e89660d65bb21e

SHA512
e962862c6db93696c51c7facbf70547e6797d9312433665485b71d13eae3a8fa4b8c065b4baff31833912fbe70e242a1fc81cfe3eb7ba4469df14bb6678fe7b8

Download Submit
C:\b84a4a1a3334ff917a\eula.1031.txt

Filesize
17KB

MD5
9147a93f43d8e58218ebcb15fda888c9

SHA1
8277c722ba478be8606d8429de3772b5de4e5f09

SHA256
a75019ac38e0d3570633fa282f3d95d20763657f4a2fe851fae52a3185d1eded

SHA512
cc9176027621a590a1d4f6e17942012023e3fabc3316bc62c4b17cd61ce76bf5cf270bd32da95dba7ddf3163e84114be1103a6f810ca1a05d914712895f09705

Download Submit
C:\b84a4a1a3334ff917a\install.exe

Filesize
549KB

MD5
520a6d1cbcc9cf642c625fe814c93c58

SHA1
fb517abb38e9ccc67de411d4f18a9446c11c0923

SHA256
08966ce743aa1cbed0874933e104ef7b913188ecd8f0c679f7d8378516c51da2

SHA512
b92a32b27d6e6187c30d8018d7e0a35bde98dc524eabcd7709420b499778159e2872db04a3f2dfacf016d0e6d97b8175920e83fa28804609786828e52f058ff0

Download Submit
C:\b84a4a1a3334ff917a\install.res.1033.dll

Filesize
89KB

MD5
9edeb8b1c5c0a4cd3a3016b85108127d

SHA1
9ec25485a7ff52d1211a28cca095950901669b34

SHA256
9bf7026a47daab7bb2948fd23e8cf42c06dd2e19ef8cdea0af7367453674a8f9

SHA512
aa2f6dde0aa6d804bcadc169b6d48aad6b485b8e669f1b0c3624848b27bcd37bd3dd9073bddc6bde5c0dd3bc565fd851e161edb0efe9fcaa4636cdcaaec966db

Download Submit
\??\c:\b84a4a1a3334ff917a\eula.1033.txt

Filesize
9KB

MD5
99c22d4a31f4ead4351b71d6f4e5f6a1

SHA1
73207ebe59f6e1073c0d76c8835a312c367b6104

SHA256
93a3c629fecfd10c1cf614714efd69b10e89cfcaf94c2609d688b27754e4ab41

SHA512
47b7ec5fed06d6c789935e9e95ea245c7c498b859e2c0165a437a7bf0006e447c4df4beeb97484c56446f1dae547a01387bea4e884970380f37432825eb16e94

Download Submit
\??\c:\b84a4a1a3334ff917a\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\b84a4a1a3334ff917a\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\b84a4a1a3334ff917a\vc_red.msi

Filesize
227KB

MD5
e0951d3cb1038eb2d2b2b2f336e1ab32

SHA1
500f832b1fcd869e390457ff3dc005ba5b8cca96

SHA256
507ac60e145057764f13cf1ad5366a7e15ddc0da5cc22216f69e3482697d5e88

SHA512
34b9c5ed9dd8f384ecf7589e824c3acc824f5f70a36517d35f6d79b0296fbccb699c3ec1e86e749d34643934bf2e20a9c384a5586d368af9887b7c2cede9bfb8

Download Submit
\??\c:\b84a4a1a3334ff917a\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
memory/664-79-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/664-68-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/664-78-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/664-62-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/664-72-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1160-561-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1160-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1160-34-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1160-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/1840-248-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/1848-564-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1848-94-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1848-97-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1848-88-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1944-1-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/1944-0-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/1944-6-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/1944-7-0x0000000000B60000-0x0000000000BC7000-memory.dmp

Filesize
412KB

Download
memory/1944-340-0x0000000001000000-0x0000000001260000-memory.dmp

Filesize
2.4MB

Download
memory/2264-558-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2264-249-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2428-341-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2428-568-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2492-246-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/2520-247-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2816-250-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/2860-567-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2860-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/2864-124-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2864-244-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/2900-107-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2900-99-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2900-565-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2900-106-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3192-13-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3192-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3192-523-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/3192-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/3348-335-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3536-566-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3536-338-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3908-337-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3940-245-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4448-251-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4500-334-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/4516-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4840-336-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4960-116-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4960-120-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4960-122-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/4960-110-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download