88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2023, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
Size

1.3MB
MD5

f2b36a3e89f242d6a7f8a3bd1de3bdaa
SHA1

6341350e2d249a18b6cd4748f10ad273ccff0e0d
SHA256

88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c
SHA512

88d3ccf63a875c3e0fe5e584ab3ee6ce746c41324c1671db53e884b3552c1ee7e7a0e9cad618217cbdafff6a59a484177764626891adc61bc25597c87bd7dde1
SSDEEP

24576:0WiBpl11tmlNQ2OnBdFQtP51llPup33kT:07j11tmlNQ2ayVup3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3428	alg.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
4924	elevation_service.exe
4232	elevation_service.exe
3288	maintenanceservice.exe
2820	OSE.EXE
3408	fxssvc.exe
1956	msdtc.exe
1720	PerceptionSimulationService.exe
4324	perfhost.exe
3452	locator.exe
4708	SensorDataService.exe
1456	snmptrap.exe
4516	spectrum.exe
1408	ssh-agent.exe
4496	TieringEngineService.exe
2372	AgentService.exe
2396	vds.exe
2648	vssvc.exe
4688	wbengine.exe
3876	WmiApSrv.exe
400	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 28 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\caf1a070cae432ce.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_125046\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_125046\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cead3c4e9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001a145b4c9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f89514c9610da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006727f54d9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000848d24c9610da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000476b554d9610da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d73be94d9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000775dc64c9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e2dbc74d9610da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a0aee24f9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dacb3b4f9610da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000007c6f24d9610da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1160	DiagnosticsHub.StandardCollector.Service.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
1160	DiagnosticsHub.StandardCollector.Service.exe
1160	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4072	88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
Token: SeDebugPrivilege	1160	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4924	elevation_service.exe
Token: SeAuditPrivilege	3408	fxssvc.exe
Token: SeRestorePrivilege	4496	TieringEngineService.exe
Token: SeManageVolumePrivilege	4496	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2372	AgentService.exe
Token: SeBackupPrivilege	2648	vssvc.exe
Token: SeRestorePrivilege	2648	vssvc.exe
Token: SeAuditPrivilege	2648	vssvc.exe
Token: SeBackupPrivilege	4688	wbengine.exe
Token: SeRestorePrivilege	4688	wbengine.exe
Token: SeSecurityPrivilege	4688	wbengine.exe
Token: 33	400	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	400	SearchIndexer.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2460	400	SearchIndexer.exe	132
PID 400 wrote to memory of 2460	400	SearchIndexer.exe	132
PID 400 wrote to memory of 2928	400	SearchIndexer.exe	133
PID 400 wrote to memory of 2928	400	SearchIndexer.exe	133

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe
"C:\Users\Admin\AppData\Local\Temp\88e64ea8dac9ccdb06a9d8fbf7da797ba526056b494f5bce55881b388978470c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:3428

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3288

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2820

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3564

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3408

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1956

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4324

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3452

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4708

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1456

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4584

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4496

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2372

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2648

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4688

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3876

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2460
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
7aad8912a009779380962e78758e253a

SHA1
9fa7761017b942330fa012d7ebd3e3bc2343f5c5

SHA256
e0be252a9627b3d23e0ab45933e6b315f8bcd306437d0cd785270282a6d719b0

SHA512
719c6e7dac3809fca72d0d0d15c535cb7a9b1dcf6177f132f98448e2b67fa83030e0e7d3cf8a448233a16212c0d2b7e30124cfa02c669b8dbe5f8ef212255bb1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3e95278eb4a223723c2d9269bbbf5d97

SHA1
1c240839d6c212170f48f9df78dd5ae7076dbaea

SHA256
d5da0679e3fc57d7b6b53176a0bf81f98cce117fc41dff6f0d7113761b0ed339

SHA512
7ea271a4cb5c8807575e373b78e6cc1dabef1351d662796cd86db9fe8a4a177a45a13fe9b5d7b76509f1ae7708c2b83ee23ce2195762bf2095b622aa56f9a7d7

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
3e95278eb4a223723c2d9269bbbf5d97

SHA1
1c240839d6c212170f48f9df78dd5ae7076dbaea

SHA256
d5da0679e3fc57d7b6b53176a0bf81f98cce117fc41dff6f0d7113761b0ed339

SHA512
7ea271a4cb5c8807575e373b78e6cc1dabef1351d662796cd86db9fe8a4a177a45a13fe9b5d7b76509f1ae7708c2b83ee23ce2195762bf2095b622aa56f9a7d7

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
ec5d2e1e2769c5c039bb68f3af46151e

SHA1
53bab2031f4545504e31d20850266a77daef7ce7

SHA256
2984c27f1448eec6f540ade5fa95345a242ba8317f414a0e940aed24b013bb0c

SHA512
c689e6e3ec6e9450ae149b1941e556e4df676239ac69e8f5355363a1e12aadd24e80589e676dfdab615bb64e8aff5076c07983d95d37a416867208674dabf4f3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
e4bb1c800ba8192e6594e3e53a5f8613

SHA1
388ea9e88951214011e76d9d4934dd90b035a172

SHA256
5a65e2a4b1ecfef458d0d26987c523097b9f7b4315d65dfde970847d338c1aec

SHA512
517dc7855c9164de0f132f48df899ea686bd3a043243d3494be1742d2a962717b68329c9bec0e70b0b3efe4b69690c8c1afdcefba270a0825069b0c73d4ccdc3

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
cbd88a64586d1eb72e3d19ef8ab3a83a

SHA1
2c3c19f51f006874f2d581d020bfc71f8c9e0dfc

SHA256
8295c78825721c6fa6cddd55637bccd9486642c7a50762b96052ed4236b767e4

SHA512
449d30654587ac51dc70b84180bdd94d4dd8faf5dcaf8bcb5cf20052fb46a320ce92f79ac7e440204601c3bd770303be74bf16ad1b3559b11d6c64c23dc2dbc7

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
bba90ac57b5684c55d8b8a5a84f79d75

SHA1
c041aabecab19d79ae19f3d32f8f7a4c538dd1d8

SHA256
1c4ffac0d1a1a7fbf72eb1fc3ebe91c42853b75b42b7024caf0f4c4b81bd44b3

SHA512
a6d4483c543603c6393a63ac8ad5e734a0d10d7fdcfbddfeb12050509bcfa96e3f7f87e80f16b8a47d069ceec19236df5f3bba316602ba9821eb99bf91bbcb8a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
f3682e79791600a9904d2fa625a40b5f

SHA1
f97f09b5c5fa05b0f3485392d29096a4fbe0dde4

SHA256
1c6a5992fb2b4d2013334ad19aef582dce51b9eee7ef51c5025579a9feec99b2

SHA512
c3f1a4cb7006f326f4a1b298afa4e03e9595297fa3906e2fb66964cd03c1b5897a5e2f10de5269224d66af001bf9120e3c7fcc54350776ee59eced2108f90ad0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
325b5aa8c57c40f3eaa77b2bf9bdba17

SHA1
3c97c025e19adae4f9ca454d66504f6efd398948

SHA256
3985873676c48b748aadd1a20f6c4019b732caba97541b6a930d1072f9b70f76

SHA512
d9f7a28680d81fa7a9b2fae42dc171f672223c1f85532445eb611b6ad016ef73be608ef842deb31279c3989868e1021c89fb9f161552e235d0611e55b8182a13

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
59c987a82149c07d3d9ba7175a3f67f0

SHA1
763dc12f031e0cc0312f48b4c915a05d48fa14db

SHA256
323240159e0608bc6191da2e4ba4ba6423d7e5c45b603dcde6c2b06fc286d26c

SHA512
940cbe9e22ca3f8d1fa96ec2044793bb01f176d16e190275d51658bba3c74d913875292fb4e8d437a9307466eb60a8eb1b0f0168676ec9e3bb0b418ca5fda56c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1646096586dcc7e1ba25be75dc6dd7c4

SHA1
9cbd6add71c7d6bb3f83e8d957c92efcbeb68248

SHA256
0881803f311e00cffce3f1349ee0b2601e27e7033dc93a1255f5312ebe11522e

SHA512
fe8a3fd30bae79df1aa4953826020f9c02044a2f2a5303e6e117a188b738e1c215046043da85c00b056d828ea1cb51a7f60b7748c2651df30f833cc25197b3e2

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
c0c052c5c6c4c982c2a5b56aaae7285e

SHA1
04efb08347e593c8a6c4a0e9a434eed9a480bb58

SHA256
bbee7adaff07a385429b9a548043c303593667446b7c38c71fb6471f56b9ddf0

SHA512
df681fe2b9dbe7b3b988717dea3fdb9486173893742a337fdd76ec3a9070edcfea7872a608fc4a26ce17332239cefc122ab7d1759d33d680d9898d74a2f93e97

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
25a969b32dd4a6979aeef9fdb75b831c

SHA1
39efcb730bf60939b58faf2de1bd78cbfe801d83

SHA256
232bb2f5347f6b208ece5aca1fb2e2e6b6055bf6d9d1b8b1a8404cee4c4171dd

SHA512
ccfefb3957a854c9df5e955dae822780cea4ad947caa688bdc02d3ff34da4c5d7d33c9971ed95331ccb84fa35dabe7148f16087f7e14468f2ec8dd8b3c2c859b

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
352b59dd7694d8a9bd22befd360ed0dc

SHA1
a4e3762fc503d30bb24d6eea6e1e970ef7ef41e3

SHA256
c579e1aa85afb50c2fe07840dab413c44b1def97a8ad17ede93fdf2ac2a5f396

SHA512
f3a5295483aa95cbde2e0bea926a8b72ae19e577687c23042ebeacdeef9f3c4c1d39a25c7eb71dad41b72fdcdc7d836ff477d7f818bb50511a47468f2ab9b88d

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
185efbe177a6f72137ce5aab0f0407c1

SHA1
367cba996863791ba44888f883c7e10612b8e40c

SHA256
3fb8308e9d0dc951719e9369d5981ab9f74a52d47318d320a03af42db6be2d04

SHA512
7ca4530aa4f2e59f2855cac8a60b11b5fee3c019033d675ce010b1fbd4d5a38ea7bbfd3cfabf3ccd1bcb5af4921a05828daab5e8765b30be6458791747be6377

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
a18dc7c7194d9b38da94bfe9d5eb7125

SHA1
87d75b582e57972d9c819f7f51cb6d6042822835

SHA256
f8304a5e0d68d95bf0561d7154240f98e78b75ca67abf5c4761d2a2f19a39bc9

SHA512
795d6290669ce5210cf60b2c16be7c16c858efb727906b905866414faaf8e0dd5b40e2a266b3f9b00a2a2e4edf2fe12367981fa52f35128eb291feca63056463

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
424f4c18b7d86551fc25864065e9b73f

SHA1
da1259e2700a0e1e02b5ee131113749852ef0a55

SHA256
cb3870689443508b456060d300efdba980594a6349ca207aaba9862f1cb3212e

SHA512
445aa25678f80fbd12fd264909fe4a303b87d4d7a95f9d3d4d09edd6f12ae16c64495054e7bc2319c90ae1071fbc134dcfb8199ab2f1301fa477c862b780e876

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
f29bf2db9b80cb66d86f566429221efe

SHA1
6b7c8202b3e0bccab7d5d9b48f6418423a3d1ac8

SHA256
7b39e99031a0ff94193377d7447ceb6fbf01ff98c2896e2ece570c6abed3e494

SHA512
183e08808c47b6b6a5b5f6b27a272e1a2f98a7f777f7e74e7581770954dd3ed9c138f62375544beb2eeb5c7a7fb03497080428b0e63ff5e7dc30af5a3ad580ff

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
9857a16368b4058ccbec6aae18099909

SHA1
0e62452bcf6e0a9061d0b59c79ca60b45ae3efbe

SHA256
c22a5a3fe7b831d37a69ebace91fd0bbdd8fbc24f5a8d9ffdb33e532cf8a42e9

SHA512
e2a8ba5dfafd3b3b315d6972515eafe27331827653952ad55264de071b372ead4e43c08bd3c8534d6bf4a98b4c385d83c1b96ac2998d089b5da4c03457f4419a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
02c4f4f3e5bf2b23fdb242d415bde7c0

SHA1
5c4bdd09d6f88f34008b5241dd52f1756cf26255

SHA256
b6ea4a2668b69b74023039a087b1833d184b99ebbb0c1a077ea14026947b8612

SHA512
81355437245d4df0d9f35b6c38a75a5f6b57156ec17825f52ac2d58471aa863b7a5db330b9e0bcf5a347b41bce8a7d7bce589d2e8807d7938b5e839362414df4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
87b6ef971901dec5866aaa0d0e9b0c8b

SHA1
49229333373a5ea5eb53b92f75ef59d17f959f1a

SHA256
157ee9e6fd16795818121bb215579f08a15c6320a4b2b256559962fe994bf96a

SHA512
75c11ab4dd96af2a600d98795a5a2f63648efebbfb480cff64e08a4361022d36304093a44e9fb90c88c9e41873158f0cc40b165f8c1f6c53ddbc2133c6ca870f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
42dcf81c7dfcb25ba2ee8a651ee85afc

SHA1
f9aafbfa76f22c27f383f38d4370c14f1eeb3075

SHA256
866c5d4b87183f5cdfcc5b180aaa711dd71dfdfdc18d8dc8cc172bb332b6b0ae

SHA512
75a81edc44471dbd2e076615d0d15345f18093067ce5782e006a9231251d3d22269036f6974d56e694be3c4471f558b8433144d993eae0843ff253fb8755975b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
9d2c72749fc4153f243cd025e5cfc8aa

SHA1
791b78cbdedfe7d3164ae254eda9c8a1328fbe8e

SHA256
58eb22ff3c3a26b96c5cd08f879fa4b2bf4feddfe9180a2bb140fde3b1162793

SHA512
1e19cca57e2b1fee7cfdabc2bee4b5f00a54d264cc81c0623f8eecaa2fef6ca01a31904a228ea66d2ddb04930f4ba940c018550f7603dcd031a31d3d95b6c89d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
153aa85816f72720cbdf8f43f84767f3

SHA1
6857f5110ccccbffc1fa9d87900b348e534edb6f

SHA256
91c229edae0f9762e13e1f676519995de8269ee0a8be9954a134374e7d64b806

SHA512
aab3d41f7e4075841b45b8118e4f82b8dbe93efa0782c0a7a0dc4bc9e3837f17b666c31d03e91c303ac345e29266dc3647633f4d2495bdacbc804c32c8c3ff3e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3044df8c3992cc6cd8dd8f0937a703bb

SHA1
af515d94cad4ec9a680b7260b03db18750be8737

SHA256
d964410e0092bc0630589beb8cdefbd82252d94b39b55d7cdb41b5eb1eab18ac

SHA512
28c1571be27ddea767777c3c3c1f4f3b2df1865c8a6dfcc92176a86fb7503fe0c2bb3bd995991313314bc4b62ee1382b066b421c42031e239fae1ce7192a1d18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
dee8c0d7d3a841f1cce01fc68dabf912

SHA1
517c52bd46b6339a3021234199ef33e8ac129198

SHA256
00d8820ac204e768e594d15add8a3b06ff3550bbb0894a7d195f09f5516ba2f7

SHA512
aaef28454d0fe0a815f70c8e68ff5ba30173bf2879bb0472d28455cd55f552c6a25932106212b3b01a5482f48ad76e2e9680650b09ad5f2fd2faeacfe1a89e50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
cc550e9cfe9fb9631e3d02626cfa42f3

SHA1
e8e44935f2c492ce9764e7d48c2dc1debed00b3c

SHA256
3b5ea1238f06b00b18b77c8a82802c9090e7ae6c82e7a1fcbf597e5dcdce4b36

SHA512
f443ac472ab8da171730d45aca479db7d3bb898bb102e129709fefb73a77afe50ed9afe186a16413abaabd51ea0f1311ce1ac0549ee35f1eb3de042f43b29991

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
cb0b7477def3a46758148ddba11bc858

SHA1
18f4d681eb96d811c216d2503b015be0179e0090

SHA256
ef5315d54357be661320ef4391b5976a7d267aee02ac76b9ea2535ffe1c88f9f

SHA512
966b08b8cf0737ceb1b451011542db0c219a2baf65afbee680ce5dcd5cee4f6dc27e6af9dbb96ab8cd9b6b3e7f1eda654efbf32eca480245179998cbd9cebd0e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
4030e4648ab022a5f14bacc067e1917a

SHA1
79a7d33c29ef95f7392f4ca054aa4e262cc801fd

SHA256
bff5d22c264eb89e063858cfb524bf0c59ea2b05518e49cc82fd5faf7d7e1825

SHA512
9c997ee65327dc1be9af2f37cada221c25f3bd1ef7f81a8b4c75464586d05b759db195167b9b0d8df7040fed89a78f36f6dac710f9d74ac4da5f03b60296a2c7

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
caf742b9716d6d3a7e8f762f3999c44e

SHA1
bfd92fd70d7aa3d2e1c850d8cf202d8fef8432c3

SHA256
027df9818db9883c5062fed014e839ed50c5ea4704dc2aa54717f2dbaae3f7b4

SHA512
72325de297ef0c2082732b8bf4903190d5c6acce79b3cbe078ecf54ac5f155421bdfe51df0ca60fc3167523cad6ead27b5df4929062a72df618267c7bbb732ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
d12b5c3e1e0f0cece681bc58892838cb

SHA1
84f58e44f1bf1a481b6d2e9cb3b68ff1f57b0637

SHA256
e51ae7704dff506d68adadc3cf942fd575f67ea5d9d0bdd00ef4dc2a5fec10df

SHA512
7354fc23a5fa7a84e59889289486bfc6f436552bff9b42d9a83e4fce174e9601a7cda1a8087105ecbca612f9ebd9276e86f231be6dbf17150c2a4d49c57c6276

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
11da700e6eac52181a4b53779efdb12e

SHA1
5df046fe4a32f2c3d5059744328923f1f0f742d3

SHA256
e1c22920bfa7f9e78e8b0694e25923000696df2ecae18116117c8d32724ff218

SHA512
71a18ca1764ada6c01f0ae3720506a32da00b48186e8a556c50152626277186df7a6b0dfe6649c143773c96879498636d95c7b5e9f3eec4602e9e19bc5199d7e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
170f1d10dece989895807fc976bc14ee

SHA1
968aaba89c7035d4474f5bdf9f84e3e78dfcbefd

SHA256
ce092a9ff27a9c6e31ad84b3eae7f057df9780057a2d115b02b5e8acac1569e3

SHA512
0fe7677d972d522ec26d5e07ef71d5ac4d72831ffb3c1afceaa945704a984f94fa9fa774f72a1fbebc78e5d1eca884619e78dfb4a41e7c50650efdc3ee77055b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
fbfb6d6db98bea64fb3302b37d8fb2b7

SHA1
3f9e5d1e4bcfd4f56dec848e2f1058f232688be2

SHA256
1cfe4c343c50d48d277ae276fa0beb1d8f77f26b5c156ed37a239c69b30d9933

SHA512
12c47b6abe33991bede63a35e091c88e16d61ed8a47e19d814645b210026112585c205367c8cf7809fd4989d2296047acba4db0f71db05e06d343d5ba071472a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
8242a01fc1a6e90f7b4bc75123b8cbfe

SHA1
eacc52f58783eb7c3c062482876f2b8919ddaa0f

SHA256
cb1903fa40b233c4d37fccf381e1ca6d532c89eb59a8cc54285f55cbb3ca61a7

SHA512
14945d66ba7389a3375fe8c2fce438b2b9b15423a44d41db4caa5a6da18579a648fe4b08a5574800fcf210d17b07b54ebe823a07b2a3b75139213ece1ae3b7a8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
5e6366dfb078e79393a3ab193ecdcb00

SHA1
fe2f3ffd929670b219d859935d2a2a4b857cd8f6

SHA256
e1bb9b3c44e61c94092c5215d245940f536464670f216fe90601a9eae1998ea1

SHA512
9ec69ef1bafda149ca542952510892cfb04acfb7c91be072e40b8185320d059f33c5a9491e06f03d3f03e0c0d1abfdecab0ecae412b8da570b4eb6808e2913fa

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
9a7e06794d0c562d58a4d317068bed0c

SHA1
81016e6d251a7dbbbc6ef7869ce841bdf3e9dd44

SHA256
18f19601ef09f7026605e38d1c0081ef69fc8ba7a0fd2a37dbfcecb5ccaf26b1

SHA512
266b54ac25741fbbf5ea77a9af4418a890aa0f66b04a0bbdaa5c00059044a876fa7a808334996ee956fda615822cc98ee75ccf3dc206ca8f783827bea0672730

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
7a59c0f07824dca701cf70dd1d6e5421

SHA1
54f96b4b25f2c4f95f30bf8329e217e0f8440664

SHA256
a95df31b0be46ea706e6b357ffd4e7aeb7f0bfc3c00d10c18de9da725303cf67

SHA512
47092271ed21c28720d5a5ecf81638384e8478e4997e82cfc29b25a10b324c6e1c4150e6337fcb09f90c180987fa59b87b135cc767cb4aff2cecfb60618d2b2f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
4135896a8f1b01d23c5d51d7de25af0d

SHA1
d986e754b3ea8931223fdc34d54647a6d20919be

SHA256
ff7065b6a7fc71008546fef299400323f2e38f7f7bc846b9c4dd0a761b155fbe

SHA512
e034eed8c77d8b32544e2708b6a3f8618ce35e3fdbdd9df58a333fd05600777ec7ad4c93c8c58de5972cc6a8b0eb76af48b9f224e6d7618677450e865229e156

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
53ea7e5721a8bfdce35c664264b5eff2

SHA1
df2123f6d6987c50423389635cc4581fac4c0905

SHA256
f2aad7714e674ed454183aadf2914a1b1df226ee74f5ab5fc8e65d2ddba49a32

SHA512
730c7aa473da1675a1c73c5c0a432e2b46747197e2bc8548651b493bf7a351d49e2014698d34907a273a56cdec1e947137a10d4a200893534b222b132eebf30f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
e6ac24f1f5b9ad9460170c5b54982b2c

SHA1
5447ca8fbf18e1fad77241df2b37ffedb7ca744c

SHA256
bd4a972b07df89dc211044a65516b7666ae84c49f0e525f66c9e0edc436bc819

SHA512
65eeb6bfe69c9911b0c90a0c829551ea7a608c62ed4466c7ade876ecb1ca8e66d3682e663528209982388b8690f1617b816f6a3b60ccf3e2a3bf8391c57f14f6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
9eb4fa4bbdc7b0f5aaeed92f666d7726

SHA1
11200579fc7039bda1e03530281a75be6e798e94

SHA256
a2db1000d4bb55e99c7225c2eb373b5989da0eaa3ea4f8728fc041e74121b9dd

SHA512
06266b72df3f98da983fa7e79eb5749eda1879b8eccf771744753645d30d1e04f7b2a496a566d5665f8be93437700b46b0550901cf4623969a42390675bed4fb

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
a3763a4c477e2d64293bd6e9c8f1fd18

SHA1
59bb98ff89d8f05ae31e813fb2af68f7e9ba1e23

SHA256
90b4afd51659c4bd63e992837045e3a260ea6ed78419ea68f7fdadb3e5ffb4df

SHA512
d176ec7cd050b156575cf1bef94421fbde9e497819b4fa3408cc654f1d67c2758256903f5fd1c92eed477cb80de7b13d642f475138630cc79d5f9b6f30b6d3ac

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
6852b025df16aff0a5cf548f23a01022

SHA1
5bbb1cbd8f61fbd642b954651074a67e9fdae20f

SHA256
c8ec3d7efcf7c117ab6a6d955ae62dec7914a328ee11ae936b5fac71e8323093

SHA512
926c7faf889d1f48065148192eaef5b315ea282e324fa7ad5bcb5b362ae91c98ec4e3f58cfc96a24dbea079d573f98e5c326e2c6ad052484520167f4496332e5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
27c021e2ff784656b12698461bf39a8c

SHA1
7d0513e3944502c4129b9bd622abff47b582bdff

SHA256
73d8033dcf8ca700200bcee98551c758ad5860c0002dd9fa05132b1919dda61b

SHA512
37d1ad75c3cd7f229a40d9be830b24d824fbe1814afe1f7c4e76a768f3e0b638461227c1838dd2d121f1a43823951813c3e18056abfaf60e8475bffed36a970f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
a4d8b1cdf9f35e7e33831e2340e505ef

SHA1
f4e829cd9a7ae61a9e1a37169089fd13d0e647f7

SHA256
1a7398a5cdd46a80ac616b1d0281b4c366c3fcb6efc00598079b1c441cd3856a

SHA512
59cca3324b29de7f37c5ef29940a844c3163b9121a205a11df664ca4220e24eb62f4cde5613fd5dca9ef26d09240d416a75235941eef85a50c20c2d9d549855f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
add62e52684727f5113b227871d60ac6

SHA1
4ae8a237b1d59348423804cdd0f0e216562cb6d5

SHA256
a0d57392f2ad4450394cd6ea7598402c137974ec7b703c6aa962b6952c3535b1

SHA512
28b030846794ae06aa7ffe690e67276c5701567b053e781defb7a6b051a729f4158198d38171bb57789e04f8e1985edef047f52b6b345d111b298e19ce944e0e

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b95674427e48e814ce49947fae0071cd

SHA1
4c5f7152545163e1b40c467b7b2dd7e54fcbeecd

SHA256
f16046f4c96d669a2074413bcf46200b40288199fd355310d5bdbf3c961da86e

SHA512
604c4fb67e98eb99b36a20eebb299342cb547c74893b70421c5235a7e1ce16ae0be93de596f036ab6deee8f42cc8b38c7d9a4fc10b841f39f5634e970c2d1ee4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
b95674427e48e814ce49947fae0071cd

SHA1
4c5f7152545163e1b40c467b7b2dd7e54fcbeecd

SHA256
f16046f4c96d669a2074413bcf46200b40288199fd355310d5bdbf3c961da86e

SHA512
604c4fb67e98eb99b36a20eebb299342cb547c74893b70421c5235a7e1ce16ae0be93de596f036ab6deee8f42cc8b38c7d9a4fc10b841f39f5634e970c2d1ee4

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
dbe00716c7c1390a0fa13bfecc8f5720

SHA1
3b745ae0b32ff1abe98edbe015a19662d4ce6a3c

SHA256
14f7190a42f972ca285e91f6a7ae70cb523ed1e3d28128a7460edc0e88cc5e56

SHA512
34a036297c9b04a11473c163582bf0a157abac97375cd1af00e873248e9f246e1b1d3c458bf8588f4f6cb37d61bfc1a07856639686b518b3bb86fa6f3d026a3a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
cecf6cbb952913b69afc065f9c03cd51

SHA1
99f9bfd58f95c8bde768759d82010019b97cf4ea

SHA256
012349c5e91a8ca0d33f82bc69b23eb57f9f950a47d24855a0fb5c4d5069383e

SHA512
575e88a9e0a76ef5df601493c768dde1c2e3682d18ef2f23d18445220c781edf78f6e57e6060f78b34bdce5005cda1ec67c45c20017d0ca32d72c7f4796aafa0

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
619092b80a5bc3d571a13b150a9f74b8

SHA1
07bfbc4ffa5d81cfbe83a4f6cf228725c617a57d

SHA256
ade613ef63cccef3699bdafa8f2c99d2f101bc64bad69a9cc67eef6b5f5eb4ab

SHA512
41b5f01201b2bd8de1015ab08b331f2784cb3fcc828013d49fc542250faa5fb2c0006fb4a1e7c263087f447509c1319031a76c9aa71511bcd420307f50b304f1

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
3726b1ac61774eefc4f562e378ba2a14

SHA1
96778795b06ba90b0e2fc3102aa2b39b7e245465

SHA256
8856a62d1e3287b56d71b685f5c71a3b9f18d0c95878b821f5ef023d6b60922f

SHA512
9f8a75eb38b42121e6f24772c77a0d7ac9e00d4bf94bf34fdd2d0268eb48619ba8e106927b8dd283e0de20d99c9786399e12e00999c1b686a637d5c22ad7e2d0

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
caa15ab03cac09fc815ac13eb7c4e41a

SHA1
c3a7f048c56120a316f25a97050b462751df8b49

SHA256
dbfcfcb0e95e2ac7105315f2381f7711b9625f5f1672018f4058e2edbc3fd2c8

SHA512
1c05646f2a98b30afac0506cec38175130a6005c0541ad54da4ae7a1d66a978f5a5d17416faa3eb182aa2ae81d5fa5ffc466c5b661d7ec13521719e525c50d78

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f002e1d298e548568edb6e7c69d6e25e

SHA1
9dcccaeed0d9afa3269aa78d8d825406fe9a503e

SHA256
50cf268762f1e473e62d94ccd4c4f0aeaa2a613c34443c15eaf2151c40d6b0d8

SHA512
ab448eb0e244b6bffb55d2c76ef752ebf2ab4240c209a2aaca35c1a6dea3ab6dedfe698e34a6cb67d842d242ff23100c430dd40711cee6c806d6fdbe8c245b73

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
dcd4c25a5f0dc32c2d027f2a39dc59f7

SHA1
7c8b6a5aca4ad377daf7e90b0bc9585c86a3d4ab

SHA256
83bcece65263f1c0d17a84a1acea0c0eda780e41ebd544e4156f19a937a066e1

SHA512
912b2f991f0b5b02ea21b4ffa534d304251d9534dcfca4d86a9144f3ad49aa655af3967c1816029c89a6f67c91e79f64e7e7c4b6b7e0d30c428f0d71a72dbc95

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
d782249e9f16fb71e7281da0491aaa2f

SHA1
b50f2100b82e0092a69fbc6394ba3c5773fe19ca

SHA256
cbf5969e7f503b52a4a646907f09caf73bf419f6ad0fcf7509a5e352baf32b75

SHA512
48c4d460013b470c5bbd6dcebd47f2c5a4a8127a87adeee9be8d2208b3c9702d562ce7b90177eab80192ae2f0777b2858f00126bcdc2a37fd9db6f84d6764648

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
7e99226655f506ff5160fe3da44a37ea

SHA1
a2dc375ac396e2adee76721095e5372f1aa7b790

SHA256
90f41246594dfae5dcc8c889b269fcebd6da22215d3ede1035f4bac491a00dc0

SHA512
e37adc8c4f8411530323aa35550665b85ce72a3c2d4404f9d091dd5de37c9bc49fb7c98c5d5a45c991c83acc5cc8c05c1805890d30d5e5aa041cfff88cae6c37

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
885624d8649e8957a8fd31eab029f4fa

SHA1
752e8c3dca585391aea9b2aefcc25b4e0712bde8

SHA256
bec09c54a102d3f25e79732d9f3ce08b7d95b4ab042742d790918bb499f0f753

SHA512
c565d162f356925e931a5d316edd85e6cb9c608d5f3c2a1d8e885589477cc002fb5ac9a92bf2bbc33524d77a52f690ba0d61a2350385a08547cffcecfe9127b6

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
cbae908e64391164f39a5f50fc4dc401

SHA1
927c81fd0e083749a043cc00603562543f573951

SHA256
39d416c348d6101a1e20eadca16a303c698b2301ce3bd4dd62ab12af21260f11

SHA512
36b144fb2f0b62c400aa51abc047804704856e5d911e0995254604637ee5c9eed5fb8532170fc81add6c11e055c48d05e2669e881a85199d033289e5255e74c2

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
9949542bdf9bc04d4040e3a021b4918c

SHA1
eb2e5567f429f61bbe7cd245ac94db70ef1a803b

SHA256
e2036228f81df31adb753c0c06cef54b73bc50f8fe557616b1babb43a7afb10b

SHA512
aa8bcb57c7584e67636a5c64e190967ce599906a527d7e7ed591ddb4d63c962d40b622032fb81703081aae4859a01acecfffd462338eb29ca6cbba158417667e

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
39222df8ca58fb9724c79a47d6dcf3dc

SHA1
ae7769b7f3daf2ce3f3fc9309d80d7307b1a18c2

SHA256
4cb028e3181231cb02da59aebb41140831307ad483f31f8d5943879076a233ad

SHA512
b1fb007437ec8765f59bfb3f011f656742c348d4b49ca2785f12bbf50c285a2e8d9d2f4fcf3b7543174f44ac0b1e6a5e51e9d679d43a9c9f4aa7e22f406c3257

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
0d3eb9fe832a8d1bb2a211a20f7bb0a4

SHA1
e46e6015d0fe930775b87d8edcc989eb133070c3

SHA256
5a5ac7b138045bc3959ae92b2f1e27c8c08a1b6a52a849be9f4abfc54b8e3592

SHA512
8b609c8893c0c7f7e01ea86da3aa1117a31510157fa1f6cabe26df84592279e27a98fce91d55bde8760a065c76e110f2e1edc0c63ceae25315a634b9e078dc35

Download Submit
memory/400-358-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/400-432-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1160-27-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1160-19-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1160-18-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/1160-74-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1408-320-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/1408-310-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1408-423-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/1456-293-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1456-342-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1720-318-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1720-268-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1720-260-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1720-261-0x0000000000760000-0x00000000007C0000-memory.dmp

Filesize
384KB

Download
memory/1956-309-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/1956-255-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2372-327-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2372-329-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2396-428-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2396-331-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2648-335-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2648-429-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2820-82-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2820-76-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2820-219-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2820-73-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/2928-439-0x0000010BCD670000-0x0000010BCD680000-memory.dmp

Filesize
64KB

Download
memory/2928-434-0x0000010BCD670000-0x0000010BCD680000-memory.dmp

Filesize
64KB

Download
memory/2928-446-0x0000010BCD690000-0x0000010BCD6A0000-memory.dmp

Filesize
64KB

Download
memory/2928-441-0x0000010BCD670000-0x0000010BCD680000-memory.dmp

Filesize
64KB

Download
memory/2928-435-0x0000010BCD680000-0x0000010BCD690000-memory.dmp

Filesize
64KB

Download
memory/2928-437-0x0000010BCD670000-0x0000010BCD680000-memory.dmp

Filesize
64KB

Download
memory/2928-445-0x0000010BCD670000-0x0000010BCD680000-memory.dmp

Filesize
64KB

Download
memory/2928-443-0x0000010BCD670000-0x0000010BCD680000-memory.dmp

Filesize
64KB

Download
memory/3288-57-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3288-64-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3288-71-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3288-69-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/3288-58-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/3408-251-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3408-256-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3428-65-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3428-12-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3452-334-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3452-286-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/3876-346-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3876-431-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/4072-1-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4072-6-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4072-21-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/4072-0-0x0000000000400000-0x00000000005F4000-memory.dmp

Filesize
2.0MB

Download
memory/4072-7-0x0000000002460000-0x00000000024C7000-memory.dmp

Filesize
412KB

Download
memory/4232-46-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-53-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4232-189-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4232-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4324-275-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4324-276-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4324-283-0x0000000000940000-0x00000000009A7000-memory.dmp

Filesize
412KB

Download
memory/4324-326-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/4496-425-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4496-323-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4516-304-0x00000000007F0000-0x0000000000850000-memory.dmp

Filesize
384KB

Download
memory/4516-348-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4516-296-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4688-339-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4688-430-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4708-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4708-424-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4708-289-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4924-34-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4924-33-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4924-41-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4924-139-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download