ffdroider | e83bc1de2907898b48b90bc84a692568cab2213a852453cca76bc40c7313b60e

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Size

4.3MB
MD5

3aa667aff44754cd87a6eb4cb347a91b
SHA1

1013d521a4b5f6a5e1a39773c0cdb9364a0ae618
SHA256

dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba
SHA512

a392b44659e052edf0b027648eea2b69a6043c1eb4bdc4f38c1310dfb86c0f8e950329a7e89ace02f1c331189786c0adb0eec328dba4ac62aca595922c3e6238
SSDEEP

98304:iL5LNYSnH/qy3N5MFRa1wR+ByBQJTWCsizJHaDi6FkEXV9D527BWG:iLxLHI21wR3BQTWdaJHPyfDVQBWG

Score

10^/10

ffdroider discovery evasion spyware stealer trojan

Malware Config

Extracted

Family

ffdroider

http://186.2.171.17

Signatures

FFDroider
Stealer targeting social media platform users first seen in April 2022.
stealer ffdroider

FFDroider payload 6 IoCs

resource	yara_rule
behavioral2/memory/2376-47-0x0000000000400000-0x0000000000AE3000-memory.dmp	family_ffdroider
behavioral2/memory/2376-51-0x0000000000400000-0x0000000000AE3000-memory.dmp	family_ffdroider
behavioral2/memory/2376-49-0x0000000000400000-0x0000000000AE3000-memory.dmp	family_ffdroider
behavioral2/memory/2376-63-0x0000000000400000-0x0000000000AE3000-memory.dmp	family_ffdroider
behavioral2/memory/2376-61-0x0000000000400000-0x0000000000AE3000-memory.dmp	family_ffdroider
behavioral2/memory/2376-1055-0x0000000000400000-0x0000000000AE3000-memory.dmp	family_ffdroider

Ffdroider family
ffdroider

Executes dropped EXE 22 IoCs

pid	Process
4076	alg.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
4948	fxssvc.exe
4680	elevation_service.exe
3060	elevation_service.exe
4964	maintenanceservice.exe
1052	msdtc.exe
4368	OSE.EXE
2616	PerceptionSimulationService.exe
1216	perfhost.exe
1720	locator.exe
4588	SensorDataService.exe
5060	snmptrap.exe
1840	spectrum.exe
3192	ssh-agent.exe
4360	TieringEngineService.exe
3640	AgentService.exe
4568	vds.exe
1368	vssvc.exe
1880	wbengine.exe
1712	WmiApSrv.exe
452	SearchIndexer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\vssvc.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\System32\msdtc.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\msiexec.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\AgentService.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\spectrum.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\wbengine.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\7380e55699262766.bin	alg.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\locator.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_87484\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f6fe18487156db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004facff467156db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000798ae4477156db01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000111d34477156db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000004ba31477156db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000012ca7f3d7156db01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe
2000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
664	Process not Found
664	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: SeAuditPrivilege	4948	fxssvc.exe
Token: SeManageVolumePrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: SeRestorePrivilege	4360	TieringEngineService.exe
Token: SeManageVolumePrivilege	4360	TieringEngineService.exe
Token: SeManageVolumePrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: SeAssignPrimaryTokenPrivilege	3640	AgentService.exe
Token: SeBackupPrivilege	1368	vssvc.exe
Token: SeRestorePrivilege	1368	vssvc.exe
Token: SeAuditPrivilege	1368	vssvc.exe
Token: SeBackupPrivilege	1880	wbengine.exe
Token: SeRestorePrivilege	1880	wbengine.exe
Token: SeSecurityPrivilege	1880	wbengine.exe
Token: SeManageVolumePrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: 33	452	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	452	SearchIndexer.exe
Token: SeManageVolumePrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: SeManageVolumePrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: SeManageVolumePrivilege	2376	dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
Token: SeDebugPrivilege	4076	alg.exe
Token: SeDebugPrivilege	4076	alg.exe
Token: SeDebugPrivilege	4076	alg.exe
Token: SeDebugPrivilege	2000	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 636	452	SearchIndexer.exe	108
PID 452 wrote to memory of 636	452	SearchIndexer.exe	108
PID 452 wrote to memory of 1496	452	SearchIndexer.exe	109
PID 452 wrote to memory of 1496	452	SearchIndexer.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe
"C:\Users\Admin\AppData\Local\Temp\dcd0da0e2a4791de9578d997e9022710e9c88414c4421a95988897b61e4841ba.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4076

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2408

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4948

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3060

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1052

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4368

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2616

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1216

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4588

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:5060

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1840

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1308

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1368

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1880

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:636
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b9189dc9aacd602caa6e89ff90cf9f06

SHA1
f63233ab31003e7d862aac01819115cdc6774038

SHA256
b5c9094682e1738a8e3f48015a40e0576662e461e9f58e44083a40be8788bff4

SHA512
47d55820c59a10741607ab9dba8578788732de6e21773a9d2d1072be1ee50d05a3d9dd2f98fb19d45cd48408d5d22eb87763ee6093d6ac97da708560750a3f5b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
c7d0dea4c5d16737183a15a4c24a12e3

SHA1
3ad62411dc39438b666d29afc4dd41529feb57fa

SHA256
8718e600fd940bf9a6e4c61fae0b5b1877f703523f7355a4d0dcbcd12b280d33

SHA512
e487de982df8f0a8a597a62e3e234659d5eea13e46264c4c1e78fccd89b383e57035f54e543c96d7bf1e07f86843ae992135e63c48ad55a4bfb6d538c02cadaa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
dacb83bce5ea574c88b4108d9e6677de

SHA1
434c0e6e6b25b8ce7acaac1d60ccfffaa5bc7b59

SHA256
2b0013d6bdd1b9d10329a290fee04f1018c7e975a42b6d93af23a8d761302649

SHA512
eeec4baffc831c394cc99ada838df37b9bcbb2071592786fb12594bcb78196501fccb07f04fe61499e56447e746df9d6d9d5d8620855198b93f8808d08b4b6ff

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
17f15aa19299c8a3cebfecfba4cf9dc3

SHA1
52291771e2f347ae2e41f6a61997b536598bab0a

SHA256
daf66a918c009dd48c613aead2c65df85ab17f8c0a9787e50a8d5559c94d8c62

SHA512
de75e9c739ea7b475fa7a0d5f73a27d4d4520c18792f7d64eace742d1c87bbc95c0325d098d64e67043a834de441d5b423ed7a4e1b949acccf7ce98b05a58f67

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
35d4c638efc66f316af6095f6313526d

SHA1
bc7101998ff22e83d1821c31b027731a698f1c0c

SHA256
480eb035f91024f04c269d30c81e21bd6f4f8e553dbdfe6ec810dd87c85d8b2e

SHA512
773d45521af6fc750a640693d5998fce5c0b44a4dbe915f5f32312ca61e9aebec6d76e4aab930588d97e57498fe82cbdca25f6c772966e4d76a747085cf65e05

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
81f20c5cf5250c176fcd1fa96bb2cfea

SHA1
918c9acf73fa4619bd9bff47f58d36e330aa14bd

SHA256
0701eb39d5af7047c44a111efd6a6e79f3f4fab09cdedba6bf5357a9dd3c880a

SHA512
df4c69b52c9c0d6338918063558d609a4ecd3b4f20ac9d4516961a37f26ca6c57d361865e1e839b1af2e27cbe3c9a29c6b8371f93b4b14df0506e9f7e65a3a7a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
128ce30813de4d17c665ef44f3171d73

SHA1
5d03cbb4b679c00a3890508a1dcab52ead9ce44c

SHA256
839e7e5dfe9e5013082836cae53401c4738943c01527d8f3ef8a425bfc35fd14

SHA512
a7002e78a6c6f7578a3a8296dbe5fddf2e5102f7be96269ca00c3373107062eb4870294ef1124b406310828fd8ac180ce49a7f4f006d2bd4f33991fff1a10ed4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
a2c1de6ddeca03b413a21fcad7c9b8c7

SHA1
d6a418c544cc28c540c315d11a4cd1453779b56c

SHA256
c3d00bd7db4f5d3cdd17ef1b1b7beac70a54af804b35913d5d858009c948bb6e

SHA512
baaab156a4add07d4bf365e21d20dc919772a5c07f2eb6b7bfc34267bc74367001c47b683770ed19cd3ff54224887e049babd81ab2aacaf2c0aa26ebf9eb4943

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
70a652b93cf40e8657d30500efcdf8ab

SHA1
b9035dd43e908f8a3e37a636727022091352a02b

SHA256
7265f9e9dc234b64aab32a02cc8c597d5216a4455631dcf5e5680720f1de16e9

SHA512
485ce70f14f1d6aad586a401d4e0ae641a6cf6c671233381c4980b181a8c321f1cef6b94eb66983097a42287266d0f09e2c4a1a8142553e5e42244c822f1aab1

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
c78a533f79dbb3b710c06f57a9af3375

SHA1
1a5f33ea4b4c17d8b698a20252671c47d44b92ff

SHA256
a81f584efc72c2cc41ad939c4d63a37f8f0161c7375bacd4083dbb2030150ed9

SHA512
f093a72a94e6f5f19f4e578348227bdfd0cefb43e78d787b2d5d56ebdcb2222d575d4a802434713d1c7b5ac301217d87e76328b99033a001d9fe786234ac52b6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
ad1c35b056a3af5442e6aa2d8610a225

SHA1
2be8336947c8266c52798dd7a4f5b56e0d9133f0

SHA256
011d8ffdcdc35f2d773f117b346ac102bc5079921324fbd76446ec96d20261f6

SHA512
e5cf95847e9e0afb71a382541c05a2c79de92268ed7e7aae761380c03303e96f392581a2c41308e9899ab03a2972c8ad096744a0f56e600ba2f21e7aa596df8b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
2df36c62d0882e4f3d4bc50de9f6416a

SHA1
2028950d604bbdb3f331aad466fb85e0472d7ac6

SHA256
ffe30864b561cc4efc136ac9f0a9e2c227e00fae5636d3ca2ffd957f7f8abeec

SHA512
9f616a337ea358f4722e2958759bd68498fb7f09940fda4167d9d97b179723a8338184c4411f8e5e499f04ed2589a605df9bc8eba485c066e98700e578d6e231

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
21e1b612158d27c5ecde8f28c525f035

SHA1
887f8ef138e43f9776daefbdc17a8d97b124bca4

SHA256
807ac8c6b26a26da8c2837e0f0ffa9723057cf793c759db112875bdd4ba75b2d

SHA512
901ebaa10a4c01fdafbfa4574f25fba1fc6b28e47f4c641466425628c61575ce369544800316ff638753cb8cbfdbe1ccea07304b0a75da29c4d87f6fb5142b31

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
61de94b10d49d0ca6be6790ec441226f

SHA1
ff4be2e3aa26046fe033fa13b9fa175c1d82b42d

SHA256
106b705e0457ba788800efe070bc91232217eae291f4cf023fa2b95bd9af2319

SHA512
aecc7933397c6bae61d845fb5d6ae7f58ca70eec20ef955145965ada477fe95cac2c98d7b60b33d00cbc739b8007bed3b538f612e693c7cc6474c1deaa5277b7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
d278f9a45e0bf5866cfcc3d26c7e5b02

SHA1
7021e8f2cda526f55dc515e348d04e46f6c7700d

SHA256
f33f928c30e1b8602ce04ff4efe690356ec277a3fdeac60654203852a2329427

SHA512
60cd2c2cc57fd2fc4734f130379ab0a54a3b7b1f336ad7b7107a5c7e577c36adf5a30ff5e3ec0667300f1b998d40d3ef258cb7d202a0a4e0ce7250b8b0119de5

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
3a90cef9ae3f0b225756cc8340c4c7be

SHA1
a34c865154534ac09c9c5ee6b546b709a0aa70da

SHA256
424943afe4958b34d4ef9cbfa1f62d2ffc8e9c226141cd235b8b86dafa1ede11

SHA512
546309f5f24bcc0ab7aa5dfbb6faede4be95a6b4697acc5bc104dcfaf1d47b37a5dba1ec56cb8be6ce401f4374d038e31d56f3d2153d14c320d0cd8faccd47a0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
ecae7a6da6de30e5511b5e84f0be6d22

SHA1
3ac8886aa98b9c24f5818776fcad0c9c33d8267b

SHA256
51e4e0af548cbe49e06ed7dbee042c45bb44cac08b37b1cc9dc18a5d5102214b

SHA512
efb60c1da89738f9121d0b08b5dc0069282bc00e7dc9cc9dfd77cd6cbd6d514431f8e03ba2c6dc6dfb4fed4a62e8330867f30d4b821c22c0880006e85708ab94

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
1076d28e9362b14b6cd7096e43589a72

SHA1
26bb15583b39ead6a1f50124ca14c28ade7fc597

SHA256
f5765de4d2fef5d98539ce1e2a17312c703107ecd944d23e6e08a97669c58f1f

SHA512
54519c22b5732d51d5951eca50ae880f1ac925ba5c771aca7ea868afe9a81684f9d0c71d9d24a21a41c2ffccab78ba33f2a2af0e6c94bbb496463eca3f2ccc3d

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
5409de4c25a2b1e9d9d8e316ebdb7554

SHA1
3af96f2d7449c9f7a44775dbe9901e4b5e84a02c

SHA256
0272f3f8b8e7d2f91e7641ceaf4860ac84f1aad357ae15869637957b29cec3b0

SHA512
f20c5b8b4d7a573afc77b34a6b612b6b843bec8e50e394c6fee5010a6fcbadccea73ef377dab5eb29d1d226ea9e4aa705d36c61ac0bae31018d2f738c72fa301

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
bfb5a950c6f1ba95e1b8c4b90c4f270d

SHA1
d2dde068f1f1d9bf8f1e0a056fcae43052af2932

SHA256
4428a4b5d39ccfa77789aa3c153446260404a2630d4c967cb558ee2537beae5e

SHA512
3b25bd8b98d08211fb2c7b6ba939d32a09609d11c8c0fe502632e0f2c6e54c78e06d387b8dba57c68e807dd7655889d935bf2065f6417abbc8f9b2289eb760c6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
78e1debd3d6ad8c62d17c371c8222cdd

SHA1
8a04267abdba87efe445ff6ee6ea977112397f25

SHA256
868a550c204aa3ae7102bf444b5a6012aad02d51beb9d54b8d8025fea61e598b

SHA512
6a5a78f57d1341f4489d8fdd29f48ddd0fae337c283412bd86623d48239e6d6f069952d2c051b8ebc9fca8249b16545fc3ec411c411f5e5b94219e41eccae3b7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
a8865d2b5be70c6f03465488e7ef87d8

SHA1
7d521955ce69e387d684fc9a58b2fcf83affd2ca

SHA256
3e64a2daf385d5b37ed11965cf7895793b1b93ceabb956a22da893d67dd68e37

SHA512
bc00057c58276399698987b7000c4aeebc865ec118f3abd29854706c9d78c3976d95cacb49253f0b66468b6d7fd6fbfafe434b50e3db62153d50a40f1e36996c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
6e713ffe1c772379cce317d79027d29e

SHA1
e110c2b708d5a1821697a222d02f6df7f085ee96

SHA256
d5937946f3d3cf36ae9653b889d4000d370984e56fd7f712993049f3af249ba2

SHA512
85b04ff004c5e1814c5f9cae165c169239c6ccbfef1f0598c30efbd6af8c5bec20c5d737d2da9e65ffd7137bc898681f2b4308b99b9782096a337cc6beb23dcb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
792f55844cc7d9212f6311248ab19932

SHA1
5e58c7ac770f762cbc4cf48252621809a1b338ec

SHA256
66a3cadb06e83c5be654fa57e57bf7fc1f35be0bbbfabe5113008a3525323b11

SHA512
ce2d4927186453b3eaae8f24cc192ff521a2e62828c448edcb5a8b47dded5917a488aba7c887de91d21b993fdc9caf894a5dbf39b5a3f853e6156d7235664cc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
21b3743b7f91767f6a36bd037e4f6c01

SHA1
b2e373981ee0371ca1e76d0939a27d604e70efec

SHA256
da961d3c4f4c84e1138fb317c707763664c0d97ae2b944fd2badb842641dcc0f

SHA512
16c62be113184914a6bad96674f6bcdd3539e0976dbd02707a64c3f7ccaa30214b767013f72b97fec137d353a6fc80884908fd1712e6092dc72ca6926984f02b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
9ed8bfe4766d295b648c01eb3ad6063d

SHA1
1e063a0fc71dd4e7a9266809665ae896b57f41c3

SHA256
d9a3e4acc925d23594f096e71930137dbac310514e6415ff5ece32486ebe1848

SHA512
06d530771e5dd73b4473b93c9d45bbf11e834e4a9256d5b58e28a846d8c841417a1e545fdb57bad6b82aebcc6fa37086ce3af1f027f1333612aeba49dd73ee42

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
b27f61e4bd27abd94594f1b50aaf5983

SHA1
d6534a3e9d498938ab6f5be10057a7a25c224e66

SHA256
3da36a61677be5f0eff2ce015d93538d8eff5a57a4e610d1ebb69ba35f9d8cf8

SHA512
39483605977ed6121dc68ca22a2d8c2bd1f60c59a103cd080179b55a95a11f34f2732117022c7d2327146e6ce75d4adbcd7a7d469065f330b8446cc6499bf30e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
e4f31e324de2f197db2b7002b83cbb94

SHA1
7550eca4ebbd1355cfddb570f979883758b962ee

SHA256
32647e1717a2feb4cdef1528a71e720a907bcf676d11e3b2596210e37316aac2

SHA512
42ba7c75eb831ba1c808abd307b4ed28f3eac5c517864d1851ff0b7d26dacc8ff420f93bc8e579978f51218133dbd30ccaad01205aa50c058a1807714d207afb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
9837ae8ab73d49550a0427de1390c615

SHA1
3c32294c8513462f3acf675c986033b79b6c9fe1

SHA256
516208f267153b166d36d62d3dc60e1f6cc44bb44147ae0b284be03ccd4245f3

SHA512
068080b4950f3375b9faff28f36070bc85822ff1044f326baf06381c66d29a2330888a1bd53750f05fa2b21e375d2d99806ba704da755073ec36562078838c9c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d36e49e4c422cc6ad4bac1c789d6c90f

SHA1
6db7ac0a176c31800082b5515ab491762aeab10e

SHA256
6b73b0bfed6f17bccf4f7d2f046427563b877671e56894ef71392c3d098ed4cb

SHA512
c825a1af6212e88afa17b53e06ff330f71e97dc5ee628a51a70476bcd3cbe8a2a1e1884371b5c50bc5f43ed44ad08093f877feef9a950f79ec270e53336f5fcd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ef726bed47a99e782aa7e83269324fb9

SHA1
c8118ade2e351cd2336ffc30473ce8dfe5c2ece1

SHA256
883870278a5bc3260fb45f3278d75c899deb92e5ebbdea6bc61fc0e08801d0ab

SHA512
7c86b153b7c91dc6863ab2a84f0388563d52a6a057d38f4639d2c52f38bcac240ed89f1f05a5b6c85b755a61681d69ee9ab51ba0453882364c06a3aceabc218f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
c84dc728a02a9fea6a19a914d60fefab

SHA1
e99d842d6b9d39ecd6710c291ace0b10139f0bcd

SHA256
ac4869c1a93eca9d3ffaff1658bfe5a03ae6fbf7c1207904105bfcdacbf234d1

SHA512
64399e4c5f44a835adf63708920f3505ada8839d09fbf16f60377aad59b1298db56637a810e21fe4450dcc2c954fd09537f0a74ea1b5e0c1842af87fa7de3728

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
14c6d7447bf3426730f724a2730830cb

SHA1
2f6bfe38ee9eb76621c8b1dc84e5809a7e0fe003

SHA256
b62fe601744d377f629b3e8fc248a42b0820cdb48d8b4ace5c207ca18f6489fe

SHA512
cb0286ce42c67223049f6ad4daf5cec1aa247428c38fb80e2540812396ff58eb8d19002653fc1e94e89785ea223ccb246084a45f414360e6a846ebe0923e588d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
c805c58e1a601b47caf5340ab0d9d07f

SHA1
b7cd55d7f32d6dd139223a393faa5fc07f782c45

SHA256
8a4a76c96aa3716ae2db56ba9deb41d5af68f606b124354ebfd62a1812e1172f

SHA512
a4eb903b3629df252432a6122469539c409728c0eb6d209f2cc501b803f4ad8e238a32a1b0fff229d5bccc2b5f0d2e23fea280773f5fe521d83c30bc624bc192

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b4db8568c49d764e51a5ccef436d4296

SHA1
2de111c07ff6799868010f3470aeb1c7b73b7bf0

SHA256
2ebfd022c0317b184654ec51c9f426f5b32aa061f7a55255b8231fbf41d8f39d

SHA512
fe32a1ad9fd95d59bff0f423f3ab2f8f64311b2ec5729f140b1900a9849b72a04661a28edb1bd9738f8b490d6eef331d8bb84666c0f9c936e22406092e00e722

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
92a8d3cfcfff581c066959ddef27b71a

SHA1
e9b7bb97889f2a6fdeea12e725a19ffb2ca7254e

SHA256
f3eb8866b416ac4b2e71d68409fc416f332d3d500e549766b83661d263211cad

SHA512
4b97ebd3a35191008010a8da331cdc26ca6cd368e7a74f85f680de1cf125afb050d7ca78564c4babcae481fc72b5e022d3827d765ce3806f7c6048ad37e9c4d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
25aaf08d2899458cf53310c70793db1d

SHA1
90fcd2114f74b1eae519dbd31aca45cafff7b676

SHA256
13c818c00c20403e3f3198bda8083dbab728e410aabce292593672d0d193bb42

SHA512
c8f48fc6d37da20eec44119e036dc13f59a01bf23a6c3e26375abce662e80e251caabf1875f350ee1e117eed9fd023c0e641df0ed0ac275c7d8c8ef6a47daa96

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
bd98ca5fce3a565c1c2ed1b899f1dddb

SHA1
68cf58e679a618804185ba77c9c82ec0ee61f31f

SHA256
e0d585cc52501cbef653b79ce7e185f75cef4a9169461c3d49c9afb74ac1ffa5

SHA512
6a0109b78970a4132fdfcb26e9a9e125ed614e07f745ef1edcbc0ba4db3ebc2896a6bbaa90785327b02056bbf88caffaadc09e5b3d7989411bb44dec350a2ea0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
af8cb6c86d71ef68dac5e28ec8b10f62

SHA1
bf0333c505d9f27cc05b70be79a7f33d1f43befd

SHA256
b1438c5f395fe97f7d0a918bb2f1df993a5933128102e6be00dd3791e1e0eeea

SHA512
317bb39dcdbfe04e60e6316924c1013b571740894d30bda8a2cf8955ed3dd0c443b953d8d53bfcc5a40e63378117c493b39ef035c674292d43efda0f999c2e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
dac287558dddad04f9766c82c2dc2b7a

SHA1
067735aa5dcd7ba395b8b8cf294b03f7c7e2405a

SHA256
3d2d70348b9d7062b15bec0b69225c50f794f502ca4cc4fef69b68b933775583

SHA512
d6bb016aa8c18108f14541885fc4010e55787d5b1958fc37facae37e3f35a304619aaa8f1729514598008c252895fa572f341ff1f08ffef1b458cc39edd2fe31

Download Submit
C:\Users\Admin\AppData\Local\Temp\d

Filesize
14.0MB

MD5
0596205b41dc79e6fbc4e826e84a322b

SHA1
0e8818b128193d85c72432bfde43d423cb9a27f9

SHA256
99fccb073618d556147ce3cd15132329833cef946acffecdb8140a636b29b1aa

SHA512
68793e0a55697be0369e6cebda0d7c8ddd735992da4b5a2e0b3acea7e772c60a3d128d13416ed1d4a67121b33264b6ab1462a7534496aed18a39e39931219120

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.INTEG.RAW

Filesize
50KB

MD5
58310479601f9695680a11ca9931c602

SHA1
e12cc6d85029fdf48d4516e71eeeec3be5290661

SHA256
0ecee0d06fa136ddcb56d33229ecd1747b9ddf05c5424ec74462c5cb0ed0e34d

SHA512
b26ec562537ee950c50ebcac7fbc29f97a8c0daa57bbc4d6381b4c8e4f21e3d8f529f1dd07ca654998f4f7daf497392303737a042cf354030ef5d541e5e736c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
fac76c406b7c353638d7932e0a26362b

SHA1
5a5e7ead6d987e1fa1bd849611c5afcdb5b68c5f

SHA256
e9b6da66e750ea5d5fe2deed5d21a26cf46716c35a25d01a4aca7e8bba52cd91

SHA512
62acf2b25dd24c611954f0b99cc247a318269e3bfbc95904010c5fe2a257d8077295c68b7b0afd0bc28fbb7984654116819db5c658ec8a34dd9a093dd8bbf844

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f97faab9e9699bded2bb10671476673b

SHA1
7dedb3ab8253e832ccc02fd7b05cbfe950c44c8d

SHA256
b62fbcb45e4884baee66ff1e46a11ac64281427b40c2f9f13ee05298e59937f3

SHA512
57121c88abf3c4c7c44f054c12084bf9c33d4330224ddbc520efb79c4d45d80a1e76f2587b1156502e246e0fc916fde4f813cd6fd7b2d5efc837fdc6d8bd3cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e4935479135d43d15544f1cf7fb30f16

SHA1
6461bfe50de51fc94133d1bab4c2aa76ab7ce80b

SHA256
c66a7571a75af99296ef078d5c366f565d6125b0033a95b7b6990b1cc0c7e88d

SHA512
b21d5863616be0100b0628bb16d0e6c8bae5f3e5bc8460f3a273291eb02dea5360f631174909b645acbadde671b2316afa22c86ef83c014b014e1623378953a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
44b999e33e31da7d4a7e874f3893b2dd

SHA1
4e12821a6488b398429017ea87447e5d0c5a09e6

SHA256
3ac6e79e6011e1eef1fd11e5b29005736dd9182e0a5e78881923ecbd0d74338e

SHA512
3c7d8c00b82f0442bb321dc3217e4a1fecc9280fd499c9716fb285970797a873ff8bd349084518f7c8936936189558b4058a0a48252f75dea24196e7cd9bdd57

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0e7552835ea66d4275da9de3a54ff903

SHA1
058628a9d3970a85edbe3d1b24ead950f79ccc40

SHA256
207b158199ae92fd76deabf55dc1d192649be9661fb0accc6fd0d81514fb217e

SHA512
736f3735c3bc13c92def9aca7904795706da1db98c9cec6bbe7850a52964a82dfeebe275809ab254397c9de52fc1878dfb3db9b57d558bf2b1af0cabebe8b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
bc7b1be86d4a54f4a6e335934f00d7cb

SHA1
785f362b42ad1fbdee3f73b6c172e151276ab579

SHA256
750176a112440fdaaa54b6b6eb652f5172cacbbb04661354fd372055863922e1

SHA512
f15addbd9b61c8dbeb4695d8667078b085a3f0e4141fd58ef19c91f96c1770ea5adc80b4dcdc333c9463c06351e9b38208f82864ca622edaf98a4a8e3b66b7c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
1d37926cf6069e872dab33a4b13f3b60

SHA1
558551bd917b1fb386b04632e504f52177f72f80

SHA256
337fbd6ceeca464ad469c0d5f6db84d714c75e049072964853a69c19af81ec05

SHA512
b15966b6dd0039ccb61176c5408d8a07e394c6872dbeb55b73948e1fcfd6998f870dda791e08876e22086dfb2354841f111745d7950df7160775a3450da85429

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
2ca9e95eebdcd7e73f9189520c8a71ea

SHA1
faee54a36b698f3172f3c63ea7f027272f29e6ca

SHA256
a5f932c35723e65b8c5a0f9da5d97dbbb7fecef6655937ed9d0d754fb5a4189b

SHA512
12b11e0731ea96d10f72a3f0d4073e662a08815f5de0a3d0a6ac4e65d9a60cc7bb69fa843a080a160ea6c1e25508439d26a47bfeb2bba9a6d6ff566aed60e96a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
a26741222b057e4e8d3bb1073d501baf

SHA1
7ba54de5c46b2931b70484ebc47e50e898ddd715

SHA256
01b0645dfba82fdcb97262a921f7c21dcfe36d39c53e0cc06e48a0c35248f533

SHA512
b32524b9959f35fa68060a604f673d29a04261ad35e2cf8f844957fc8bbec40192bff8e69d9a865c6e61e456aa5363f7c317dff12febd3c90fc867df86149fce

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
0bbd911778bd69e40448d66d20c08dcf

SHA1
2e90ded3fb0bd919043923e9a3c9b188fd5f521d

SHA256
16ad1d24961a9fbeb3a07fb198d3f1600d896d23d7201f88f464216459628567

SHA512
c0ec356c317c00d6c8f548159b8c9e2e260b0691782ebcef6efc409e9afb74d990306044e88bc22bf592bc89115f6ce0b655ea7a815622a82bb37fccb319f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
cd2e09af5e0decb6ec454ff194e2bfa0

SHA1
5a263ac75b4193f696c9c219e94a6a8396887af7

SHA256
9772ba13b6c741dd598d0a18633cc3eebec60c39b1d89a2a8322946e7a446e7a

SHA512
3e17f03aa3dd1ba99b5879247cdd0a631fc28294739779d88980e48fa578c6d0aeb7251f76afe80f839ee161c9732b5e73e60c440d5fcc9e2673979baa3882bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e9c891ebbd53794bb08c88a3942bbf4d

SHA1
f7a18750dbdefb29bd0f2121928ca3a06a7a3d11

SHA256
eb0c6816c6353fbcee2ce93b40fee1718f099cd7ec8916874a431c411034d70a

SHA512
1d8b6860e5cb82e106f5a8b4f25124ac014881cba9b1534f637cb5cb063f2082a4df7f6635942cc66564ae2c6d85cc72a09d1ea7ba01c98e35383c9e61aec518

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
95c9d8b822f14d5509f8074930a0565d

SHA1
d635a9ba1b3b80da2b44f099de3f280c90ae5a82

SHA256
ff4ad51eeaf5e772507d1e2056aacd82bf6a7448deed03db1a82705c6ec0bc05

SHA512
8ee28834455f6050be6f613d071d4943bcd612890d80a4e09fbe16afb01e8bd5c5a2edeeb189ce9a4105ad54d722e9c1f2676308345db08d8d26317a69e9030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
675d14c381148099b53b11e9391a729c

SHA1
26cbc9ba6e852c68b8b06edbc8ee24940c769f32

SHA256
302583901a050caabcf4c839420d451e10d95f056123a94b6a4e6af5703482e4

SHA512
ce0f110fe44e7af3651aad0f8435f6d9f9574c52ba23967b37d8d6f5996c2a32cf81bb00ebeaa19db23794c9e7f60cda5573fc79bf33b0bffc2cebec00bbbedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
4c6e989f3d33e7848958c70a63be911c

SHA1
19cea29197568de67f6cb928f03a8511e817aca1

SHA256
d9ee588df7ffaa957f4bb580ef5a24a39fb6fdc2b22aed8b6903be239fa5ecd6

SHA512
9b5940ca5d8dcc5794b9edca7e7369107672033d3bc9ca3a906c50e94b1558cd4e992976b652ebe49c311cc1626c1fe1505a18d13d77e41ff38d36bb069d2e0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
86d7e975aa1b451d40e7a559cdf1c28d

SHA1
716caeee5f602fd595484e07ffabf33430833076

SHA256
797f82661c8ed241ed7af50beda127750259279b71282147c9bc591413122976

SHA512
87c2f8a0603b05c805f2f6793fa98fcded74cf9d3099c4bd9e96d7fce1ad78ccaceb021c1629f74d5a8a6b5507ad300ac271f3c37c3657798f3174d5d356b504

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
e6dad1bec8c3d05432419aec9fe44329

SHA1
612a890d30a99a0fe9831c3caf49b42bd75feba9

SHA256
5a2d29167a98999f69c1d71a269f7e57a06cb8fd9c7cd188be6861f2af64a408

SHA512
ad9bb5f923503ebe5925619cb5822b438f013242cc77760729bc4ce29f36d1807a7859cfafe2884a01a851d8a547ebcafc8cfeaab481788be7380adb499cebbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
f427ea97779edeed6fdc4850a814b58d

SHA1
a74135ecb3972d4a9d31b941f35ba67e186df127

SHA256
5f1e80958fe9e4d6b32d1aa85fcafae041290b7a674c789e282abb2e4901493c

SHA512
f2181ea7b6766aa88779c0b94bec87b05af2f9ccb2014ee8e3e9ef2c1ee0adbac50331ef5c85ea1f0321629409547ec8c081ff623540c1f49e75b7b0aa06edeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\d.jfm

Filesize
16KB

MD5
9375c0f9e2d5e49a193ea7f2615b5c69

SHA1
ea3c6eac81e797c1c19dc3caad5766ed4df4ede4

SHA256
eaee3d003fdac66882f510139ca96c95012038b218c54bb3162c37a87480f8cf

SHA512
1a8417c8d8707833524f9d27c52a93c5fe4f2b4d13788192a4f8b757aadd81e7720288cd2364a243734e044aac29e34a887fa30132c0ffbc9bb74c398f9a21f8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
0f67ae470dca950ba2389efd47170c01

SHA1
4ab94f147f249c297a6116b4d0385af1be2b8cee

SHA256
6494eef867bf8e976566b20e5096d3a8114ff5b6e3b7294d07deaffb0bf89a4a

SHA512
8c48f8cbdb5f168bdc92eb2a92a59f9c1931f0184fa97a47b5df38848dd7b6c9dc000f4608bf382edd3ff8cd6be5af27464a01bdaafe80bb04f29df1b37af55f

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
0f609e8b5e7b22103dcab40b1ad1af3f

SHA1
9a6af930c3ef6233d32c978740b532a5c5b9e9fd

SHA256
01d3e1ef5fdff23dc19d6fb834e02d240c943c625b31235337cebec80d1fb2b7

SHA512
0c9dde0a3a478199690c9d2d192fd8fd775ad11719011148f4873fe3081680d2a8c1529ec7bfeb19dff70dcbf97159f4f179723cc9a4e28070d5f9520fab8af1

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
c27270d993ace009687fc25c02c7dc6a

SHA1
05970591dbac2288befadb9ea626a0291ecc2e09

SHA256
b8b7af9efe3531ae572feeb6f5b59514701cc41eaa6384a5ae96110366015142

SHA512
7eeba4aa2e4493d2ce95e0f5d6deabb514f9a766ff33656df9f0695be5ef9953c57dce79b01812794fe1395e39f2b2d84243b84928c63ba64bc0d4b6ac45f7e0

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
2be1500668ee86b50bfd7176bdd60a3f

SHA1
f563112bfb3314fcbcdbbbfc6c46ad84b1222215

SHA256
a50f16c4d07fa5a9fde6e9d794de578c989a76a202409f10bb8083b3d3e17d84

SHA512
79890dacf3403e0e880a23f042849eb263f3e8c0d4d1d8b3b51b17735bb2fd4f553c10085abae1c262d9d63c8a7224e680cac6c36b44310aa999da52490802de

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
7352c79ee1f15b9ad129a8acf329934c

SHA1
78fec1e772a0ab89ac563a02c55105c14abb5a01

SHA256
918a2c8353462973e6a8fa0de0868ad9751138ed000e9d514460a506df8f4a6f

SHA512
18dc5b2a723358e29678769b10d7882663bfa6ef69e01cef08811552a11cc3a17d591eb07bacb0e913f50f7ca59cd39cba99ff1a2445f1c6c8c7dacc625279c3

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
3fc29ab6a90a1c211abe45fe4ee78058

SHA1
1ca69f798005c15d8cd4fc701eb6211fd933c624

SHA256
e72245a920271d9a02ca46e4fa98840ee0ad93b9eb865e415d5f2bec4d3f2c27

SHA512
8e7174c87d90fb48c2486cec5c62f5f2f82bb37e0e2df0235bd128e955ed50b056d1a0519e419eccb9ae0f0eac9808793616024440365455bdae40d4534ef496

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
037269e2f41815fb8835755880f51528

SHA1
f1369be8b04c5afff1d9b431f121410f3b9baa3b

SHA256
0d61acbeb66d566f4ed1ddd2f757a75b264c547506c71f9956a294c2b5d7495f

SHA512
0195847eeb4fa3dad3eab2b7d8c3d03ae2a12a8494f6b7fe4bfe5413df9435892c5518c416246b399e3cb7fdb9af1e1261ba188b76087e8d7f2049b608ab293f

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
34465e62cb7762b8e8c1f12d1cb44553

SHA1
7c6883e9111fa49ef297930508c35483bf2762bc

SHA256
a2f94b8a49768c350d8dbb790e3db101d1097c5df51027dc01f0c14cf581bbf7

SHA512
f1c9d886df484d032bf3b3c6579e2fa911816c02c9e0bb89462bd98a921725b243398f60e26ab11049c846356d7ddf47eef55fe85647c78c29d40c5b46d9a866

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
75d483590f6821e36fb056de4100963b

SHA1
706edce435b489a1704920bcdf371e9156c73cd2

SHA256
2818ce4d7a6f9b54de1668cc1bda6520fa4fe2f6c6012b254f69a203901e89ec

SHA512
3e26c3988a76b8ab8c333e22af5e9070c13306c03225462ea1da53e9fb70f39e7fcb30cb37a36d5b9c3bbc342f2d26c3197fe9ec6dcc28402933d4895d5362fd

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
1f50bd17a80b4c320748e9146f7e6391

SHA1
e20c9ed9c2101a308a51166e581e93ce0e5bedd3

SHA256
bff426f4fb0bef07dc67d4b58760db0b25460430b605ed84abe8386137cbd082

SHA512
3612b841bfecb0cdf0d4f2d297fe5f54830ccc165437e7e71791e2de0c5ef718dcb38121f6b97fe647ef83cdb564839bc847394c2b1b5ac692beaceb91e9e236

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
ad20a3895522a6f88a0d66cae0f2d842

SHA1
ec8435003a6037c8efe19c52a33a84796af1f0c2

SHA256
701a2b5c66aa492a028ac0a5bf094e1fdf44bed9fcfb018e13a33c267a13c7f2

SHA512
27634a9fecd26f215ebb5032746ce7511b85979862e5eb3d3609a3fd1266050ba4d85799549ab266d777c20955719901abc96f7a9a9d6d3c493cfda81f0ec07c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
cfc3cc85ef8ce73ef54ae121aede314e

SHA1
b430908da3c56e7d6df7a641befca8b461ba2716

SHA256
1f81ccf401216b7041f176f2daba91240b3b5f851785e670b599c16311bfab06

SHA512
e235ba6f0c8c95f282c140dee184c1473d75187b24cad4d2251e7965e0bb33002c4468c6cfc4606c9d174ba0b88872ddc477edca88aca0569b5e639efdc46969

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
101b679d011e6c59b4a59b066abce3bb

SHA1
9b8cdce73cf15c7519c83fbac253849e3e9e7d9c

SHA256
bb2f6ea593c3d55e7e94d9059f2a745560dcae1628874c2c70dc8b6a376e859c

SHA512
66f99e8d6da3983702e13b065a4a88a00cdf869ed625ccc1f46cd9931c8c9b58864b76fb4ddcbc1a6e3db4ae82ea48643677768bd4680e3cd45ff95d5b660fce

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
f5ad28527b78a6da8083a5bb3122268c

SHA1
6c49d78bc82b42b24d129547d7499b5f24ab1fb9

SHA256
5612a1c1d44e7f0d4d616632aaf57605926570d4fae89022190cb33a64eb40e4

SHA512
031353312f4ea29b4d7d459b56095f10ee454c1ecb2f3be146ea561d42560a840f58ff5c59fe598b21bb91e1a0ec648aec4ab640cbcc2e132e282951e770d1a3

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
0573969fe27da4a3098b76452de1cdf4

SHA1
8d85efd202d20e56970c1fc4949b3d6c60e768c6

SHA256
eaa161554649591a9df7c5e538b30aeceb4bd4175cf993f841076f53c48fc69b

SHA512
0be7c0d9568728d941097794c2113ce53525f374cab9b46c6f9bb2c43f6bd807b273ecb38cea8c387bd0f2968d1f51636d0b441afeb2691a654bb2340e71bb92

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ae0f159359ed386642f41c70d7a6d1bf

SHA1
b25e3bee443e0ccab44f0dee164facab0bff639b

SHA256
d2cbb8e3b4d122b9d04845f4c6797d68d12d922ad5f3db732a71c6e35d5e955b

SHA512
e0c552069a0a432321ddd1c3885977eee7f9f88ff238d4a7c7a35210b280d2cd28e5267e1476e85eef4bbd5aa5e3ab46c22532bd77b2fbd0977519fd9675c1ee

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
f29792b36725f7c478b14dffb66bc51b

SHA1
8c8550199678adc138d644b0f885b7742d0c72f5

SHA256
b665639a4eccea843722ff55e3bd42522ca7303404c8ab5f2e7ea19bbde09f2b

SHA512
e8c68739c5f72da6f80e2a64ef49ca7a7287649e87d1815df04cd921abf2b422fd0dd7775086fe0413508c4c1952a91791a0a2380cacc70938da6310be28f59e

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
45f8d64b1b438ee8578d3a83d0673486

SHA1
22710136cefd4f236de15742b84c3917fccafa5d

SHA256
06bbce0e97fd3f84445cbe30392e2b203e01fe0d76e87e7e916b063e514d1085

SHA512
a204931b2263f9b8094dafcd7684f5bf6f357c7f6ca97ebdcfbd7733fc954435be270afdd4602c51e7d9fc385bd39a4600636dc69d0506de814642dfff39602c

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
36401398bbb94109e63054d4f3201f05

SHA1
1633cceb891fec7e0f3a72354d1dc34495a0e0a9

SHA256
a3dc767e825b3188fdd2076325fec956d87aded0def398b2399dc7ca790b2994

SHA512
0c8986a5b1ed6d9a3edf77885ac1499357504ce3f228a9d34128903dad5ab0344eb06beb291c86a5c7e565091a4bb4aec9a8a9ed167b3f0614a460ab1ee3ebfd

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
5d7bf5924a1a39a21bddc36110b2e7c0

SHA1
345fa83a338324c4c6df47bf27f13152740f4f6d

SHA256
e45c3f236e2628bb58a776fa57cb115fa1f2aa381c163ee9694ce49edb923c7d

SHA512
20756b4aba83a5f5520f07ec9d676ab7f3adc86069ab9f79008cd21f65e0939eb0c1fbb931185f64a904c68d6418cf305c004794735244195e5fe3a6ff149623

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
6ea6b5fc424dce8d3284afb81271bb36

SHA1
74c2e3a33ccac2697678fe73915c15ac4727cf79

SHA256
b0b96ff435e40eca4846c1bdf12acb56f50453ab679eab15239ad2475dfc3fa9

SHA512
b1d175044bcbdcbd45d050b82c9266f234cfd25cb768c8d8d2b6f350fcf5d35cdb87d07eeeb810778b9ceb779181682ee80fbf980aa0b39d5ae9d6be11fa0f76

Download Submit
memory/452-1130-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/452-469-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1052-104-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1052-293-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1216-427-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1216-154-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1368-393-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1368-1110-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1712-429-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1712-1129-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1720-441-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1720-161-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/1840-706-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1840-230-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1880-428-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2000-34-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2000-35-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2000-26-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/2376-1-0x0000000000CC0000-0x0000000000D27000-memory.dmp

Filesize
412KB

Download
memory/2376-49-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2376-63-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2376-61-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2376-51-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2376-1055-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2376-47-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2376-8-0x0000000000CC0000-0x0000000000D27000-memory.dmp

Filesize
412KB

Download
memory/2376-0-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/2616-125-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2616-384-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/3060-229-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3060-66-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3060-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3060-74-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3192-289-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3192-921-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/3640-346-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3640-334-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4076-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4076-21-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4076-12-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4076-116-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4360-1003-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4360-302-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4368-117-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4368-333-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4568-350-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4568-1094-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4588-468-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4588-174-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4588-1097-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4680-58-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4680-60-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4680-52-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/4680-186-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4948-75-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4948-38-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4948-45-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4948-77-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4948-39-0x00000000008D0000-0x0000000000930000-memory.dmp

Filesize
384KB

Download
memory/4964-86-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4964-80-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4964-93-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4964-88-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/4964-91-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/5060-187-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/5060-609-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download