a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
Size

1.8MB
MD5

70c6971dece93378992d19050af772a6
SHA1

9258c52541efa035914e970a1c7341d7af3f28f7
SHA256

a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd
SHA512

0756cffdd4876547c6d98b0c294ac2806b2b88b6a6a41e24722b0f7bdf36773a05d5fb4f49235b43680d02c8b868f03167a49845dd9f5f93c5e7cbd21694ea05
SSDEEP

49152:MKJ0WR7AFPyyiSruXKpk3WFDL9zxnSSP4suIRbDv:MKlBAFPydSS6W6X9lnlPHn3

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4380	alg.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2356	fxssvc.exe
2380	elevation_service.exe
4724	elevation_service.exe
2828	maintenanceservice.exe
4864	msdtc.exe
3968	OSE.EXE
3412	PerceptionSimulationService.exe
1260	perfhost.exe
400	locator.exe
1076	SensorDataService.exe
768	snmptrap.exe
1312	spectrum.exe
3804	ssh-agent.exe
4656	TieringEngineService.exe
2800	AgentService.exe
4184	vds.exe
4200	vssvc.exe
2760	wbengine.exe
4068	WmiApSrv.exe
3944	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\locator.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\System32\alg.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\spectrum.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\System32\vds.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\System32\msdtc.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\6df713807d34635.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\AgentService.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\vssvc.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\GoogleUpdateSetup.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\goopdateres_sk.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\goopdateres_nl.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\goopdateres_iw.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\goopdate.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\goopdateres_sw.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3652.tmp\goopdateres_ja.dll	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000099290993d192da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001d9b1e8bd192da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c134d693d192da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c312f68ad192da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d94c108bd192da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000068fd208bd192da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000144ef18ad192da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000515f238bd192da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dd25098bd192da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2692	DiagnosticsHub.StandardCollector.Service.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2692	DiagnosticsHub.StandardCollector.Service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe
2380	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	956	a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
Token: SeAuditPrivilege	2356	fxssvc.exe
Token: SeRestorePrivilege	4656	TieringEngineService.exe
Token: SeManageVolumePrivilege	4656	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2800	AgentService.exe
Token: SeBackupPrivilege	4200	vssvc.exe
Token: SeRestorePrivilege	4200	vssvc.exe
Token: SeAuditPrivilege	4200	vssvc.exe
Token: SeBackupPrivilege	2760	wbengine.exe
Token: SeRestorePrivilege	2760	wbengine.exe
Token: SeSecurityPrivilege	2760	wbengine.exe
Token: 33	3944	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3944	SearchIndexer.exe
Token: SeDebugPrivilege	2692	DiagnosticsHub.StandardCollector.Service.exe
Token: SeDebugPrivilege	2380	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 3648	3944	SearchIndexer.exe	114
PID 3944 wrote to memory of 3648	3944	SearchIndexer.exe	114
PID 3944 wrote to memory of 1592	3944	SearchIndexer.exe	115
PID 3944 wrote to memory of 1592	3944	SearchIndexer.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe
"C:\Users\Admin\AppData\Local\Temp\a9c11188d22b8520cdda913a69553e599359421cd7d6d6c51998254163c32cbd.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:4380

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:364

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2356

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4724

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2828

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4864

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3968

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3412

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1260

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:400

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1076

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1312

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4716

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4184

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4068

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3648
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
296229009e1b24fc2de5020c31c540a6

SHA1
1fd8556099a1d44ae8b52a87e575b6276a22834f

SHA256
6d699e3fb71499fa81a4c83e33957e83634972461740cfd0840a2cf88f00734d

SHA512
04307421a39372139431a30df908a7ed5b1ca0134b0a786ce48eb5f086c798279b0fb9ee1084eb187f211ae4f5bf2acacbccccb18505560501412b3f9d550bc2

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
797KB

MD5
0e1b81569747dbac626ac1fbf36c1ad3

SHA1
f501fe7bf9d9251554aba9855a67ded0ad7713fd

SHA256
01416dd554fcdd16d3c49c807398049c93e44aa5c67304fdb80587ecfa09a607

SHA512
bbf6a794aa5a986c37aa05707a0fb0868caa240249e6661ff6d57a1a732bcaabde72b45ff2180927577425ab83bceeb21d6a178c15013338e6f9234a3cb31efb

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.1MB

MD5
dc407edecf2516f53470f36c8a4e1c95

SHA1
b3cc1206465017722a9c45cb8d93fd7d98b1f142

SHA256
4c999613587a3b1ecfd1a54a7f9cea8848fd10cdd62a1f3b9814f325f7ae2f33

SHA512
0a198063afda9f2bc1973f5e3374cfdc169937356e584a6ef088c7c38a91997909e01ee13f3918e44f7fb937e82dbac6a7ff32be716d5ba68005ad2c25a17137

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
af54401bbcafd17e6a96717336b2afe3

SHA1
051eaa6d2d8ce6c9a07ea9710a175b45fd5f4df8

SHA256
6d2d1da666149ad18767dabd73b97f25bb5024a8b853fcd274459d98a0dd5331

SHA512
744f11736efa351e7d1ebdb744bda8881b6df220b8f17f00cd012580e643e0ea4a977d9672e9d3179aa692f77d5135bf85f8500bbf8ce8c8e315987fb69faad4

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
d62eb72734d0e656f81ba45b99583d9f

SHA1
c8596a8232e7c98f27da5b96b2e9bbddd24bb44d

SHA256
8930d641754b64bada8ea01a09d9ed9bc6d76f41e91cd8aa75edcfbb573e7e54

SHA512
2ce2a420f82d7cab11a8ebebe0d76f3a49040bbb0b17133b9f00eb039bb70e2ceb855d60ebfb6550ed5e894e8427671b20a7e962724a3520e4c7c32244ab939a

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
582KB

MD5
761f358f01e17fe0136c8717f0fbdb39

SHA1
c19cc5d29e223b174242c18711bd250bb8f523a6

SHA256
b0d47a76bb18169fccba0a8981da39cc12caf50798f2d915c2eabfbecdaf3892

SHA512
32598528c4ee445a414bc686c730018f17a9b895e1aa383ee6761549df84830e5750ea96a91857821ab35d2f93ceab2e841d17cfd387b6f938041410faf38ad7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
840KB

MD5
8401cba2dfd5bbd2518dd70cf53e64ff

SHA1
523815f2c7bbc658b51286441f904d3c26df471e

SHA256
9631f9feb22148030fa95fe796cf274c19b09e11d1f363dfb399f3f5e21c610d

SHA512
5c7c84e76eee362d096bcf1523bfb4822ad7cb04070efc64de5486a4e3abdb5da7ed541066c9cc2c407829f15018cc73a5272662a40fab00ded005853f4721f8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
964c9f41f76c12dae381e03b40524a0e

SHA1
1024ae3e08c14ff7c258d13d5093724bc3b29697

SHA256
e248438dbf5c690f5295f21bd26d247d54898663d0ad4607cd8c2c1ffcfeb37f

SHA512
524e010823ceab93d66fd1e9f0a20a2152f557046018f8e6360a6544d5000b69788293557a5309db0b790e41cef4c2ae41c926f59ae4129d41c9d5ee8534b411

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
910KB

MD5
a3f3eefa5b44ecfc397eb8adb8fae68c

SHA1
80f718ffbc97d61eb0966175cdf18490658c9774

SHA256
86be583669e5f00f3018de1bb0794f23b5a0bed24e92aa1ad7ec6e98b8985368

SHA512
1c4d0c16ebc8fff4375aed567cb1d20aa70e9f768d58ce17ca2b5bdfabff4c1c824f971370f7865d3516d0b16daa7ff6c8d5b6b651b6561329e02a98027e2d7b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
384df53366cbb7203f8ce564d04d3986

SHA1
22792e64b7a5fa6960280fd2ddf2ffa2d5bf7c10

SHA256
e23538a585b5f9f37ff82648a931a971e71b7a68704d43c3555ad6c7ed44a40a

SHA512
8fa26dd3a2540362617e1996d05b0ff03e50ccf54c38d4914f101e7492db224440e11f98a359a9a2bda72356f5cbca5d67c90cbe38e8069c54ce417d35dc0640

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
07bc0fdd6d496dc71324acaa39ff8028

SHA1
c9bbd8a97656052e4a3fdb9f054ccc132284abb9

SHA256
86ffaa8155b857f4eeeb6a25beb4ee7e1f7d12dc997aa8a4c89c9b98d68a7b6d

SHA512
2beab94735f8bfaea4d2d6c094c3df328ed6d936b50e60562b38a95d431f406e77007b463476415f73bcc42776f942442b61d6ce55c5235d05641c771cbfed7a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
1c44c232f2f0a0448fdfccf1cdb854ce

SHA1
98d15363e86f1da57bc77fdd6ab570e9b550910f

SHA256
78c64e2121eef3a9abb2e8ba4b412ca2bdd79289b7516ae9a4a8270cc88f0cba

SHA512
9127fd592b2c98392574b0cae492a17f70094105b09e906c351faf8f02a88b11586a8943c26f60950c3c7889f64a87f340d62350ed524ebe1d08980765aa1ea9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
867219f5958d774c2ba31a05780d4f36

SHA1
180bb2e61c4dcb72355a24b3d6bbf21cb7c29dd4

SHA256
7403f1878778488ffb07fb457a6ae296a366ef53e2a2316a8719accdae0d979f

SHA512
14bb181959a6f6293797e682d5757e6d63a8962ed4f18c60a9b71a2e5d44c1c8820fbe534d0736dff300f581987561d5ce205b2bdb678cc8221b2cbdb1b9eb4b

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
656KB

MD5
98ac359539c2aa33c1966ef82ed3f679

SHA1
ba8ad639535ada68e33d5d392c1804f376642e94

SHA256
0310bcfd7d57b2fb766e449f284ae3d879d8d4ba0067053e738ee10e72f31da1

SHA512
58d21387b9d8b20892af31892cf2e852428470a91ab0dad65aaaaf776689f8db25575ce30facae4d480f39bcf8950ab80884b496c531f99744666acee96b7ecf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
c20839d3fb7d051bc683d22d08807a3f

SHA1
1513172847f4ebd4d57455d52d54e99d598e4662

SHA256
38668d40944d3a87fd300d079908f22301c4e7eceb89418e68db8eaf8123a1cf

SHA512
e080d0c73d63a2741813012245bb59eef6dbda5554cfeae07105784caba31628c3826720eba0dfad6130f892bf68c8361ecf2d9001baac82973295b11ee8f2d6

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
3e6ef2060c6a64bbb59ec3d7387399b7

SHA1
3a698c265afb70f84beecd7bf54b89c3ff202b81

SHA256
31cedc8c8b2921c5a4d3a914895dd5bee6a480efc9da61c850febaf9a2bd363a

SHA512
57da552ecfe1c65ca6db111a596d660328510d27217c5883ff9fdef52a8aaad8c28da5b7691abfd3861fcb9edfbfe7201f200c36133d17014c092ce0c4df3809

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
3575bc1fa257330d9eae5836c3fa782b

SHA1
2ae5588f73ea53a439e3b96a35ea73757d8d32e6

SHA256
010961400a48b0fca3614edcc1b996a9a135dad368ec4ff807f79fbbf19e4f24

SHA512
f0ee05f78ca01d5a44bd664101ae19b1e8af0ca880a555ea6593433b6780973bc5a0a6e1fc31de976a3f77f61b86e7d6b0f28d751b9ebb21ed70c40eb1ee725f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0d1ebe1138b6f0856baef31192d8e009

SHA1
40c5e3c941ee7e85a069e100b81786922b8aab3d

SHA256
c36a4d18b6405505d3f2b0aaa9e8dc83fd032a6f00d94af170b097731617e6a5

SHA512
f982994b9248395b22911ebd66f2ef5859370c55543ad5dd69d6197c62ae0907114cc175a47fd91c995d7086eb9fa3080e51b51d7a22be967a7f8d9efc50e48e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bffd592751e3b8668f7ed01eff769636

SHA1
008225dfd83228e002c3fb9df2481148b49f1249

SHA256
36cd5c4593281d94ff52e363dcb5545cd6f39c6edd4e82ced99797f44e86b453

SHA512
2a5fc86f08699090acc2bd3cc269940e7542447a67ef719233578fded11c0ab4ae6522588055c4fa4c36fb1a996771751ae55293b7a372490f662064bfe76f85

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ddc9969a975817dbe29d902a9d5fc27a

SHA1
41c5344e412348f7740055c3d937ad897748d5fc

SHA256
18422021f5791e61224359d5f18fb1790b26c6e206a4d464b474533224950020

SHA512
1a2c34da675b81f74f7cf2dac57d1f098fbef52d80ec0032c113faec216edc1f016cc04246df4f39885cef8f479f6ed9c635cee564a593b3bc32d83b90465bfc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
581KB

MD5
a751c73e6425a876d807335ad62f54db

SHA1
5176a8b0a9235a19f715fc04d1f31a2b097b6851

SHA256
8c71a649a66b7519fc0da20a6fb56652856a5e80321fd3b7fdd887152f4c9246

SHA512
d910437926d2aa06b49e37e95bfcee4b42909243704f850a704499905992fecdb96d2d87e34c4ce4eb2cfcc1ca6f5b2e0328663fc881165f8d9a016ed7190f8e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
581KB

MD5
e04927cff0402741c6d2ee5639cc2ad5

SHA1
6c3d93357ef1624230be15d9573a842e82d90919

SHA256
0a52e6ce298dd0895d58c6baf3f49853f7328f0a00858a0aa7c7c6e398d17580

SHA512
656d89668e87232b2aadc7308f6e2fcaa8e10c24678462a753f52aff942cd1536208cd709d8438524f57fd02d549d8bd5dd967b3398834636101f997f5cb2fc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
581KB

MD5
9a0b35584f73ea7fbaa54303e2aa9686

SHA1
638a58682cb682299cd7bbe71e0138f5b0e1b51d

SHA256
ba4d4fe06265fde110a5d2af58d515752fc637b88940a62758b016a15e1a5da1

SHA512
c45b81a6b9ac4991324464b6df0326cba23647ff37b16fb06476b3d917e7a68791c587460be284b75371c90bb03c6f51987e7b959b4695604abd3ce782fa6e0c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
601KB

MD5
2b36bb85ec18bfbc3d35f7bb182a337d

SHA1
45220cb179efdd5f060e7ef0429b17d34c59e262

SHA256
97f9165d9db3bb263cc5c8b3608bd44747112d7b1abf0d186383f646b0519fe6

SHA512
bfede3cc4867febbc894e83574e7936611ed30c215caeee4d530e44cd29f021a98ed5380ee2a9dbb4d3da617664d17aa7ed5de2a21ac9b0c1ce28f22980d1cf0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
581KB

MD5
67677dcad65d4e780664d732f6e30f2c

SHA1
386d50618733207a3fe015c19c89e82b7e63fd58

SHA256
747dc7d3cd66122ebc06e3055650a3cb564f703849d5c1c92a2145cddde8d8e0

SHA512
496aa42d225afdfbe18282775870e4be5cf3c4a9c4adecaa6ef89bef6d5a5f4479a85bedc538425d876052922b2f089c08977b658462638d3ad84933c50f2a35

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
581KB

MD5
d164d7571f8f750d64811c87eb0976d7

SHA1
ea62f07473567886a90a1ec74fe6eed28f1c11c7

SHA256
7e7c509ba0855ef52fa7168953ed3a1419427df924774d1d8db1c84256ae52b6

SHA512
605e98b36eab22b18bd80d47a1f163d802c7312e61bc6d5f5362838112b0bcd351794c59aee6d5bb53ef4862a0f924d09e18c24ed93fe8836440de5486f602f2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
581KB

MD5
39fd19e83527db547fe8ff0136b238a1

SHA1
94a3b02b03cad4a34de4ad6b98b4b858f981b3cb

SHA256
824f0f65987d65847d32cce5d01aef8c644c9bf301973a0f9fc93f1a26e8c200

SHA512
bfe4d54aa0036b5c73b2a89d370151fea146fd0a6aa96a845e44f5b87c5e1ce85b906ba35bc815d3d5bea0f70d201f773d32d923d886cc147350013c4efdb1ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
841KB

MD5
8c459c56a3fdecb895e0ac476973f88a

SHA1
699c8836af389a558d7bfe2851dda55a15bfec19

SHA256
cde9430d7918edda6bcd2829d9872940989cfd7d8a116d71ab8a80b73ab6c239

SHA512
42129f79d90163d30499fec58a9b7fd73de6b35860d136c65c97e2a6f96f1f7fdda17f72bb9a0f6f7344b5c56f0d2607ee94ad88c427ea49b22ed5e459eb3130

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
581KB

MD5
1ac582b390938937968a95807468e927

SHA1
98fa4bc1335983a1e887613c41383c10fc671465

SHA256
e0327118cda5d2e91abe05837d4a62fd7cf8a029e898aa89ca15fdc2d88424c8

SHA512
1d88381e5803bf9741ef95b77146170383c4113e0fdc58db60931b7657705c537dc42b527cdff195f2c6185973e9e3c3652cf3522779e9290d79f8af6bb533dd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
581KB

MD5
36046404cc44cc3ee45a87646df3d08a

SHA1
db72aadfd00c406766965e8cd4ca067c8f4ad323

SHA256
eb153d422ec8886b4d4240c712e31e99eefc151ac2fadcc68d5b8913a3e27276

SHA512
6533533c221bfda0e1fbe8a5e7b73ba3c6bd7c2e87dd0768ead11fbec6987f52b6b8cc77441666bd594e71b4ed7d3d18a512b59c8c67d91f2993802cb8c38e18

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
717KB

MD5
6d09d3ef1d1d8fbeda40959ff5b22ab3

SHA1
4a5cfa617671ad8b9ef008790cd43707fa3e3811

SHA256
c30e8c4f8466a1813c60c0866858644d2c96f4bdd295ab17fedafc8b23de4476

SHA512
b2596de16e6d047af2831774319b42a36244e562a492821c6cc13c754012f32ff2688b9550755a1864a4f5ba1ef361fc23331eb0b0f5c8dad71346dd47bb86e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
581KB

MD5
fa3be7a621504ca16e1df032cb0c782a

SHA1
d1e9cdb2d595144d19273e8980c0a80eb75ef456

SHA256
241eedcde7e303f989005d8cd85cc20c4ab500f986f10b0dc5e89291fa58987e

SHA512
d4bcbbf281cd3d012a172bc3aa76e23862cf22f21564dd8c90b6c4e142e3f232f820178a4538898eeb45e09646115e59e377174f8b93e2c747a8ee486ab04e6b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
581KB

MD5
dda67e29b6675672ab01ffcbb4cc2280

SHA1
1c22410ec5ab1f5749fc28a64af0ff00c5b5b0c6

SHA256
98e98e2102b59813b037089813192b6881236a919366f6cb3864fee2f6f2556d

SHA512
e1686333186b972f1faff6fab1bc57d027338e10eb04a55184bdd43c0926893dd955481b2aaf00e09290f62c9af776737c79c95ba3197e55ce21d31dacdeb599

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
717KB

MD5
7e9baf7a0b1c77527643c97f1fb5f72c

SHA1
f03ee00b76d2b3a228fe584e4c67145939c01a42

SHA256
3f42982a2281e5f8cc870ba9799239afb123338ee1dafa1a424891fc656ebdaa

SHA512
9d245e15dbf235858c41a0510413966a9bd8024e711e26d70678e21838704d406047acf07233ddac8897bf68098f50250d6913b31ad9d2875c7ca22cf1b4b02c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
841KB

MD5
a3f88e4bb4aed261449e3056bf1fd977

SHA1
f244d45002943c358d4ddc1f471616d6cfd5f2d8

SHA256
169d794806349d5fd277a67b5f47148ba4213430150806368b9b56fca4af6c1e

SHA512
80cd4b81fb4d68880ab4a4de4113cdbc0a3baa6a1f0979db206269e72b7327afe49f601181d9d6f5a1429c67a35e5602cc9b2cbd2f4fdc1316f4b28e455496bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1020KB

MD5
5447f42199128f074db987bdf75db648

SHA1
6fd5f403c098bb45cece1d4f1259b12bd8ac3e8c

SHA256
ad3e3ad15e66365316eb39954710dfc8853d2cc3f343db8773c8a4bb44345591

SHA512
4341b825237a833e4d9f05dd25803d9f11096bd7ff55003ce018c56b9be5e14e09ed48f80e8b54aeeaa835b84ce504998aab04bbdeecc63295d47edb0c9d66a1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
581KB

MD5
d7c5a9979689519f1a519d6beb6c3543

SHA1
86264715d9a9b0aa44ad1356e3c8a573df48e870

SHA256
832a22eb4e1721a65d3469e14941c8d5502e8a65b832b40f8df9b921e4e05d4a

SHA512
1aab5328b4026bdb40c6e9886ad238f059ca637f496855617b5c79abe90b8202e9be4f6fa8e701fbc7a2b885aa62cb697e83abec1c785d89027c1d323b24ccdd

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
32f96b2f381cdea6138a8c27503a2c8f

SHA1
2789a0faa0fe0f13fff22565f8ba6f20d3a64a48

SHA256
586a333b5a9c1d564da5f1191105981e07d722fa04ea400e4765921bbfbca764

SHA512
9bd300b25466c52c33a8ba000bb6ac9cbbc0f48eba5b8416be6671a21ebeeec113ff67f8adc52686bcc91c9c0cb2d40ca6a4128614d89faf4a62c7f6b6c41908

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
701KB

MD5
51be23eaeb7ff87fa4ea52a61a9a92b4

SHA1
32c71a82f3e06f76b87cd4ac834158447dfdfe43

SHA256
594d8c1c4d332f46351d6977cf9d64134bb9324046c1365bdbc4757420625ee1

SHA512
91ab207ff9bcd2393cf77fb3a9778bb0157b552e87bafe4a26d0a08163018846f457e011357b629d955b2010443cbc6d0582f4c8ea38523d3ea0b8cdca5e50d8

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
1cbfc60fa00b6e1a461b136241086410

SHA1
f2026543705f0ea3ba58358c61fa0a985b93303a

SHA256
c57811d14b535d77a68540ff9ce8443ede24975f61b7d99f490a2363f1616234

SHA512
64138b76bf6ba2616571e5e8857cbcd5562548961b8cc9936077a4e04f649fd897d1efc6cc4f74437b038078bf76050666d2243cf27c209045dc0776a84efa14

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
9cf3bbb22ae61db570552ea828cf1a21

SHA1
cdef5f7c70aca0c3423cf7555de729e722e7a262

SHA256
6ced86e4b01b87ee2a8565628795948de29b93267a007efbfddd733ae26ebc86

SHA512
3755b26e38145a8b464193b2009ae6c430d702545c426fa8d95a2fc2b820c5efd1820784298436053a6cee43ac59a89fc477b24bababe6260dc4fddaab4b3bd8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c32eaa14f47121237936d6d954044753

SHA1
b058ae26f5c059889b1ddfcc5a31905f07f98f1a

SHA256
fd5d7941cd4309c89a1e3318e7d350ce316d4bd5097d0f81df069754fd1b9507

SHA512
85c3798f89b952ebd9c06fe783caac20ac8a6580f2269ce42c62efba9699aa724bcdae1622164a58c8b3eddaeac49482203293981edf62a8cc17a8ed0fd4fd4f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
393b376263233da7f4472cb30849d09f

SHA1
88f5255957fb66d3049ac610652a4e8eba2c5b4d

SHA256
acc2d4792626b333a8ce8d5f195b0f2f22a1e5fd61ad2023942d397af284b080

SHA512
1a58071ca2c6ceadcb59e1965e8be1e988fbb5b0239211e4c3756b68524afbfe9fa757562961524d906b3d03bcc7c1ae9d7391266e2897ec5504e612df78d300

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
08b96f4cbe4117f8af5051a092e43020

SHA1
625f974bd88d5f65c0b7b67fc64b9cee44789707

SHA256
ba0eb0256656d99741244939b9344dd9733c79fc5389b5c7fa374d8286d0fca0

SHA512
8b023a8972ebfc9439ef8dd633e696a6e98a00fa72627d7cfe97e2729d40c762adb025046dd6e56eef2036c51e1cbd96c4eeacd26ba45310e8c7dd65c88a4608

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
2e27b1a8a5fe03966dd11891911443ec

SHA1
9c9b826b8e460ba83c6f4d5b985fb144373f733d

SHA256
e0d69d30c74569cd5a3dd1df5dfaaf6037a97bcfc64bec63cc8e1f10b87af619

SHA512
324e2f74bea623ca879820c2782e38397ed79e4c47de76894ea0b6d2184b991dd422ead6988d7365b30c263aed8ecdcaaa6cc28d4065c30521ee34755eeec2df

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3f448bb53547b206b0e97bd18e402d4f

SHA1
e7fdfbf748039f30cf870750b5af9c2d4f222585

SHA256
40d7979c1c762cbfa6352b2a12ccae8c36f2971c32aa22bd81747831f55f444b

SHA512
c108ee4268e492146c2a6539184ae1d595420ee80414213589d7768e27340bff3240b3e5dc64073896e501ff5c242010722350e43c0c1963ed8f8aea0659cda7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
fad2d55b8dab14fb9a04b23fb1989aa5

SHA1
73de7b59cf290218a42826b7bcdb29065229281f

SHA256
37d3d50966f1f015315ad3b36685b02c0ae64b319a88f66ba3762096e1e28414

SHA512
5d9e26422364441dd77500da745632ebbb43d9a9c14943020bce4e7e5b3fd1ba31d00096d0dfd8c538764abc615d916bcb675d4047294700e6952ce556391d40

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
c3c6d575cccf0ab12b88cfd8256581d4

SHA1
d67924251be01b2193cf7aa8e3c280ccb34c81ba

SHA256
f2c12434b20a8364bf3adc750fc9b62a18b35f7e690b1ab7eba3cc78a47729a0

SHA512
8dc59c13c1e80f5dce6294614dfd7437f0bd7be2ae6757775f68f018a3ced7ac5ed3d09d61463b70c088b453a53f52f1e9ddf977889f8b22edf46c1ba0f5e357

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
e4dc59ce29d465613428db5cdeecbd3d

SHA1
720b0ff10cbad5d287e2165e719fa97f9b32aab0

SHA256
b3a0c68db91639133491330bc096e0c99c01ef7767bcb0470d39f339a1d9c615

SHA512
f295e7e68b459145195595cc2c736fdc75a8e485ec5b3bcd51b6b2678841798db054500ab5547755d9e8b85f17a3b81d24aba3578d191c2fd383585ceb1fec42

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
0d5b1ab6467a891c73df1100e57a8047

SHA1
92947d4a5c957fd49d0a716bf077dba317ba9801

SHA256
6dd8aecec9ca5dc221346b5c46b2699ff7fd0bfa8fb758e4839866506fab5415

SHA512
4ccbe450d1705c337a38d0663d18da34b510d902929376934e8a19578177046f171a6b709ee840a5ff4234bb09159735e622b36a582860518095ab07ef2472f7

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7cb5fd68598f32e40a52589a0c988f34

SHA1
8f3f33a147994576b91f27027cc7de05de9e9cc8

SHA256
667eeb1cde8a334c3bcb9ba2dc13a9b8b6afcccddcb5d1c4ace9f86ce4c0416c

SHA512
4c456f544cce4563855f0819b70c442c3c432355de6ba7db937b2e9957c5221eb6674f79367588430324057cb1ecd785980c5c83696fe1b7ca59734648e4a9f2

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
cd6588188a8ec76be26870534f96103d

SHA1
feb31a2aa416d4d392063005ac15feaad3c73e6a

SHA256
e4c5ab84a56aa80051b387ced08dc184fcbab4ed6d4ada470aabcfc0cba71eb2

SHA512
71d9100314f205ac025a91aa2be17b6b4be762cf75f8957c4ca8b33fcdf2799d6bc2b0b48a571cac101d3a96d27aceac34d6baaf9020eac925dc938934e878d0

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
89554875049498b3f12240767aabfc6c

SHA1
565cbcdb2cabc0a5eae49bbedd7cbe50f44908aa

SHA256
6dc719b2bc68ad2fb5086eff2a77d42e8570eeb4316706e0227ffe0c6c67246f

SHA512
bda7e879544a12ae7bc45ddc8ca82762582934d657d9cbe10004f363e753bec1383baa3c9f22dbcbef1b2a12ee3b9a14908a97e7b8bbaf5119249885d5378159

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
254f0bdcab881cdc69e6a5810680339f

SHA1
0bba137a738418e5c5d37b816ee412949d755e1b

SHA256
79f8bce6728c8d56c021d21e66716ed6761269ef7ed98e6b7195164e32f8de82

SHA512
ff5d61f0daea1e207b8220895f970f98b9a5098419ed322eec9d6363c5ea79a48d74b3f3ee8cf39add1d298a09a619ff565177816aa3253378c2cc22e724f76e

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
7e616c113e465ae45e471576d9c19be8

SHA1
77f64f9fc992e321a1606fc71e69fa377ccedb40

SHA256
75ddde85d7b703d7312ed6dd169c0e3b5b0ccf3f324bcd5daa7940b5e9e8ce5c

SHA512
b4ec8f4c4ed4300bc33346bf652cda3756bc08c96c5a7e79a6407613783d313ad2f109bc101b612e45c193b2db6834ee99fd973e42a351d555cd63268670c37e

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
772KB

MD5
26aca3024a4d610ef7b0f2ed3130e204

SHA1
5530ea9d867824e3fd2b8d6ecdf779dde7237dc5

SHA256
98001e65587b45d0fa119a0e6e12114d09e75216ddfdadf50a6b2f019c896648

SHA512
c81e51098268485def69e44f95c4e35924cabdbeb817183cad8e26181413c0c9fc98c2b37754bdf0491140104c7652678e41a6595c78d7defafdc8a3d2137d78

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
524a19af278649b4d5b97b2f7bd02c68

SHA1
284809efd552b36ad72d327558e7cf5c23438a91

SHA256
930c1e82a013c57223738b8659d871b735391747f264565a337d1dd584e78e1e

SHA512
41330deafa16ee3da1c12b4a2ff8e088a04735a068841d0c05cca262fcbbc9c14670edec0a1e24ef97b0e06fb34dc9f1a000a5d140cf838de42a1e13ee9a9be5

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
189030d6f673679a2bb08cc5512dcf7c

SHA1
2583a99edd6a5d2e893af32ae50471fe7e0290de

SHA256
7c800725cc4bb17ead568f88ffda85a4edfd72e4620d9dd466b56c28272aeb12

SHA512
f17907f20ad6992800def472a5d536e4f57c1c0cb4e59a29a7fa6759863c1b1f34ab65fd45bf9f3d42f94ab33b15363806d9bf44dda652f62752db03f90deaff

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
877KB

MD5
a471f916695972514a09d2191a4e994c

SHA1
4f7503cc5a0e2e1451e7c7c395af2d06e8e365de

SHA256
ac6438c5d07016a7bedf52ecc373982ca253cdc1fd0a52d538abd8276cdbf44d

SHA512
5b84707334c1404327a0971a8a9f2078b31a3d0f19f7f17a2beb2220a661c811023b929373eddc6ff123c58f3cadabff6e662e7ec06ba5ce6c17b99f51b3573f

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
635KB

MD5
1741bbd90053e2a45743c9104117bbc1

SHA1
cd1d6670f93f57bffe16bd18af51a866934fe660

SHA256
afa5a74ee8502ecfb9139cf432eb959c0accfa3e8e06a2d7545865cbe8d3dc33

SHA512
18c9b58e7cb59ee372ba7f159b667eeab3a364b8789043205d328698d82cdd74b68c83aadf9f55145941af3d5585f65ebe0342689173ab19900655ca619dc1aa

Download Submit
memory/400-185-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/768-192-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/768-245-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/956-1-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/956-499-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/956-125-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/956-7-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/956-0-0x0000000000400000-0x00000000005DB000-memory.dmp

Filesize
1.9MB

Download
memory/956-6-0x00000000007A0000-0x0000000000807000-memory.dmp

Filesize
412KB

Download
memory/1076-188-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1076-576-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1076-239-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1260-174-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1260-175-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/1260-180-0x00000000007C0000-0x0000000000827000-memory.dmp

Filesize
412KB

Download
memory/1260-226-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/1312-197-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1312-416-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1312-206-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/1592-609-0x000001A05BDE0000-0x000001A05BDF0000-memory.dmp

Filesize
64KB

Download
memory/1592-599-0x000001A05BDE0000-0x000001A05BDF0000-memory.dmp

Filesize
64KB

Download
memory/1592-555-0x000001A05BB50000-0x000001A05BB60000-memory.dmp

Filesize
64KB

Download
memory/1592-554-0x000001A05BB30000-0x000001A05BB31000-memory.dmp

Filesize
4KB

Download
memory/1592-596-0x000001A05BB10000-0x000001A05BB20000-memory.dmp

Filesize
64KB

Download
memory/1592-598-0x000001A05BDE0000-0x000001A05BDF0000-memory.dmp

Filesize
64KB

Download
memory/1592-552-0x000001A05BB10000-0x000001A05BB20000-memory.dmp

Filesize
64KB

Download
memory/1592-608-0x000001A05BB10000-0x000001A05BB20000-memory.dmp

Filesize
64KB

Download
memory/1592-597-0x000001A05BDE0000-0x000001A05BDF0000-memory.dmp

Filesize
64KB

Download
memory/1592-553-0x000001A05BB20000-0x000001A05BB30000-memory.dmp

Filesize
64KB

Download
memory/1592-584-0x000001A05BB10000-0x000001A05BB20000-memory.dmp

Filesize
64KB

Download
memory/2356-97-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2356-101-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2380-170-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2380-100-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2380-102-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2380-109-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/2692-17-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2692-92-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2692-149-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/2692-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/2760-242-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2800-227-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2800-229-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2828-137-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2828-128-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2828-134-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/2828-140-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/2828-126-0x0000000002260000-0x00000000022C0000-memory.dmp

Filesize
384KB

Download
memory/3412-163-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3412-218-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3412-169-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3412-162-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3804-220-0x0000000000D50000-0x0000000000DB0000-memory.dmp

Filesize
384KB

Download
memory/3804-211-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3804-575-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/3944-249-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3944-616-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3968-147-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/3968-151-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3968-205-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3968-158-0x00000000007D0000-0x0000000000830000-memory.dmp

Filesize
384KB

Download
memory/4068-607-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4068-243-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/4184-583-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4184-231-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4200-600-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4200-234-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4380-142-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4380-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4656-577-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4656-223-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/4724-181-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4724-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4724-113-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4724-121-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4864-143-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/4864-195-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download