19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
24-04-2024 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
Size

1.8MB
MD5

f1d3eee513b88ba7182e8d8750b5d572
SHA1

019448c83c9ca8822177a1cf5f42aeef09f97a65
SHA256

19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830
SHA512

c5b9070ced0e30595d44ffd9c1cbcfe98aa1e124ece9734768fff7bf1c2e515d0beede30024597765e9291c466ad9f8351e8c83d3b7fd66846043d188a068d25
SSDEEP

49152:ux5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAvtCPlUcKDQFAu283r:uvbjVkjjCAzJSCtXK0FAB

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2324	alg.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4724	fxssvc.exe
4796	elevation_service.exe
3288	elevation_service.exe
4412	maintenanceservice.exe
4916	msdtc.exe
2884	OSE.EXE
3396	PerceptionSimulationService.exe
4396	perfhost.exe
3972	locator.exe
4904	SensorDataService.exe
1528	snmptrap.exe
3916	spectrum.exe
3896	ssh-agent.exe
2504	TieringEngineService.exe
1560	AgentService.exe
4356	vds.exe
3804	vssvc.exe
3204	wbengine.exe
4824	WmiApSrv.exe
4316	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\dllhost.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\System32\vds.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\System32\msdtc.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\locator.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\AgentService.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\vssvc.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\msiexec.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\spectrum.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\wbengine.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\18b3f3d02b574d51.bin	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_zh-CN.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_id.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\GoogleCrashHandler64.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_da.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_am.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_fi.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_zh-TW.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_cs.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_gu.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_is.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM4249.tmp\goopdateres_ml.dll	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c8acc52c5b96da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007f15f22d5b96da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007c330d2d5b96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ce312c2d5b96da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e36cf2c5b96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc23bc2c5b96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007bc39a2c5b96da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000017a6602d5b96da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe
4408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2464	19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
Token: SeAuditPrivilege	4724	fxssvc.exe
Token: SeRestorePrivilege	2504	TieringEngineService.exe
Token: SeManageVolumePrivilege	2504	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1560	AgentService.exe
Token: SeBackupPrivilege	3804	vssvc.exe
Token: SeRestorePrivilege	3804	vssvc.exe
Token: SeAuditPrivilege	3804	vssvc.exe
Token: SeBackupPrivilege	3204	wbengine.exe
Token: SeRestorePrivilege	3204	wbengine.exe
Token: SeSecurityPrivilege	3204	wbengine.exe
Token: 33	4316	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4316	SearchIndexer.exe
Token: SeDebugPrivilege	2324	alg.exe
Token: SeDebugPrivilege	2324	alg.exe
Token: SeDebugPrivilege	2324	alg.exe
Token: SeDebugPrivilege	4408	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 5948	4316	SearchIndexer.exe	118
PID 4316 wrote to memory of 5948	4316	SearchIndexer.exe	118
PID 4316 wrote to memory of 5988	4316	SearchIndexer.exe	119
PID 4316 wrote to memory of 5988	4316	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe
"C:\Users\Admin\AppData\Local\Temp\19fdec1bb969f57ef71a72eecb36b022602675580b314e1c6dfe08f162784830.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2464

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1872

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4724

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4796

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3288

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4412

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4916

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3396

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:4396

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3972

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4904

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1528

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3916

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3896

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4920

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1560

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3204

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4824

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5948
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:5988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
3c61062faee811fcfae84b3a7e97f138

SHA1
46e8c3192486415d0f0bd8d8f852b3152a8612b9

SHA256
cf2ccae1b032db5630f768c131309d11232a92ea82559af8e2b9c72ad9592f16

SHA512
191059ce849940927a3144a8f5ad55c64eb1a8dd5ea06686e2b994d9a1369496a3944ba9770e1a6257a719c73281be59d3b241c6a9491d34ca84e5d79490c363

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
5d7869ad038b767b36386bb434900331

SHA1
13cbdadd1d268c9a9c833cc71b2e644d5da31662

SHA256
f6b94e80d546a73fc664826ddfefc90c5426bc5d90a4396203e1ba5895441245

SHA512
b5ebe7de27451d7c5ee561d8f8843f4c40b96a7789cd3a30a7fe491ba8c660cea943c99b2b30f98ebddc84dc255c902d0e0d8334f43ab652dbcb33e08e31469c

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e1a5c6916a23a050a3b327c2d7054dc4

SHA1
9dd3966598a0eec30a27a324db91d496051d3cc0

SHA256
a4b658d814c3d57fe58e72414f86389ecacbe1454e72e048013e37e3248900f1

SHA512
077bacc1538b15d73821818cdda9a86a771a2eafe18ab0b9603f5bb51a509f88f2bf507a7253a8a4c78b4ce65396c57d55b683a39f7c38e6216baafe32d2f9b6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
2b5a88c01664f8f3430f9fc3e47a241a

SHA1
5198f1ca7484b6aaac7f2637ca134a87b70c246d

SHA256
f3c8b531fb73842f3c7d4447986ef65e83702ff5773ac2dea84588a631fb8d7c

SHA512
d611787a9d17d1421c863d6fa1326f8924facb3276fcb98a99a1b6c6631cb873fe55a3c6a5f7bb34c814fd05354cd06ce9b42218242784d2705d8fda40ebf5fb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
9615ce81f488ce1abfbe3441030d4d5a

SHA1
dac45594274d65b01c15a94dba3ca6c62644d40e

SHA256
a946fd4d0b0904487107475dd7e1dfae6a71ab3d122a88395b954fe3239c7d25

SHA512
014f23ea6125a806bd6300c50238eeb9ee5aba6c82379711d9ecb391d59159f1aacf7456ccc03fdcce391a0bb44374f7d4b417880476bb09544833e62444db18

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
0bff59892ea62d66e9717f6b2fce0367

SHA1
4ab2817446465788426807c42b62ee84afa17856

SHA256
2a98b8652170375322a110a0705a27d059b53b6228da6563a9872714a2841258

SHA512
7b1c633035ce221eac03fb58ac04697888040b658495712970e095735ca141a3963b52234c12ba6aac37c98d93d9b226a9dbd411a281603a3b11311f2dd2dee7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
d6e681eea88f322e8129d8191cb2211d

SHA1
1e38a176952ae92039d5f06d9bca3003db69bf46

SHA256
7427a8d10424d11064d83074e1df01e0e0aa873ccd8b5789464f07d4a121f565

SHA512
aa20198c0f4b043891df30b8b1bdec98aef4bfb24dcbdf1e4f1644b5c9e2912e741db1c5930da4da47e8d2749d2b689ff5d3fe5ad8c68a8aa84b5d6b5eb8c30a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
07f1f3bc381057049822effd2c32e1ca

SHA1
17f45f8cc0f6a435c0a6b729263a5e6996de804f

SHA256
0d33f140a584d5283042f349ca1a64e84f2c6115d1e6c190b5bd40e03cec7e11

SHA512
dbee765249931e7dc7b3395c0defbc23b5f8aed75528ed8b3b783962ca1e80537b06776158cf77634748a5e5292f238ae44f6d46d5e45909a2dc1761661e2be3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
c87248bd4041f95b8a73fc964d5524e2

SHA1
6ae7bbd06d58a2a8e512757092bd24fbe937c763

SHA256
7a9fc6c50106637b176c8b8a4015f9709151a293d793fa774aa740abe2b1e971

SHA512
f44fb206610d012852d3aa02865eac532a890c77e64b50ec02783dc22b3b398aec712dc95dd2fa793f85407163d998f4310fed00de42d9eb7c30fcdf6dc23db7

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
8f3fde5cbae6934091db1165c143c4c5

SHA1
2ee5d001e5dddf0a9d8a8d7355aaae5fe35062c0

SHA256
0ed2fc784e8d682123482744a786058c5ebac671b61fa59459ae38d4f21c0bba

SHA512
1527b1c3890679ceed11af22809558218b6c0ff7f2cd00c23eeb3a22f6100ae9cf324d0637f93fd409425ac4ab3bc8389f205d9cca00c31960435924575e5f4c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
af17169605b5aa75d0daddc127b76b67

SHA1
168ce96eb10ef8a3250c52d6819ef12d9104cbb0

SHA256
b2e9710561b0574ea03ea953d3b15d814232ee3eca54978c9c7e033f55a0f8d4

SHA512
563e369edeedb4fe580d5c59471bf5f96ae65669dedb52712172a9eeea67a94c39dd2ee2b9f8667f88ae214b891bfa6925b13463c9dca76e815a543f56817bd5

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
aa8c29731a1a2ad56920c5a558fe6643

SHA1
e739f539ee0ca79ec94c11fe940871a8b6b430d3

SHA256
7e2a5fbc2ce34ce2e0b1d2cdc889b1132a994dd22dc8cd0ccfc1df4291ca7663

SHA512
c0659fb115743f6b174477b6e89d73e98a37d2a4214bf13b1dc6127549af9c8a181d44e8a4abebd4744196e31973c1d1259422499966431a4508cc78143b08f8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
d5b0cbca883402030f04b93f56005b3c

SHA1
1fc442a500eaf0fbb7d4115d3bb9497e3f8dcf00

SHA256
a7d9ff88498bca448097f12b440f80d8c3458152a603d169106dca0bd8dcd235

SHA512
605c447a7de37dd2a2969d119690bfb03b38a5fd7244f7bc3e19d5fbf65739c24204256e89ece6d101702b41db725208c104a3fe614a4d39b445a432d9a63dcf

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
7d83108fba24cc666e1c1b67c482a9cd

SHA1
e4895c876f867c694c3f23c94cb7977d102ca051

SHA256
60c744245810ed4cb4792677f98a40cedf4427bfa8b363164e7690faa3f3435f

SHA512
83fd9c7dc87d1f805516a3ccd9d87ff1d5ac66482991d3149a49704917def758c3b158423ab8a41a1fa48b799a5e4dc45abadbc2168e66d9323d61bd87bf9363

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
bd7d55c950d9be9c90aee66930d4798d

SHA1
1b27783e87c29e188d71c77e6ada84c93e8ee613

SHA256
4eb67a63210122a4054af2bf7e7c02a2e7f74e8bb07bc6e43181fb036d05b530

SHA512
49c09196f8c73afcf8f4be437df6e33d4e075739ae41d2fdd9ca0c2f547d20fadc1d75b5454c7f22bb98146e287176c7a316f3a89dc247a275a0d25d450f2d24

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
12807ec12b8fdd56499e8ed92f122140

SHA1
899618558ede45606f94554013544e469acf764d

SHA256
a57245db9fe25b28a1112cb1511ac25313d0f366e622cf376454d14b2706246e

SHA512
81711b9d2dc1948eacf822fae4851105aca483548b767ffd078619802bcb8240c7f620c921ff172e741152cad7acb93436390ef3a00f641f0b8d79376cab5b47

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e94711fe98bb732d76d46de18371a463

SHA1
6c5cdc81abea09b9d469f006e78e2aad2228ea8c

SHA256
e9364a4211905fe920bdf8c32036ba9434dae0f35595d9c634cc9e127b502d2c

SHA512
4a868151cdf0c556bbd1a1ac3805e79ac1ed5a7d39930cef76ac26ef647e6ac26dbb46d077a72cf77698b58b79524f2a49260847097dd18ee47acbe0646e6c8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
0702ca3316cd6a23e654e99ab9b2dc22

SHA1
847b650d6abf6de29ecaef6a49efcfa06ca52815

SHA256
d52f123fc9904e14347afa069763fcdc0b61aa3cf0dfb9afbbafece0b74cad78

SHA512
8d3da0f829493327b2445e34e24a8184e5780ca9cdcb1a3ba1ed0baef590f58e3c65954b35535839ecebdb67def2c5f940f463743de8eef936fc6a38288c503a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
0e8062664dc9ca62306850f1504a050a

SHA1
feb3da1be84a2f22a14d892f3dfb32cf4163927d

SHA256
72660bee26980452450f4a3620ba259fa5b2cca6623531f60af7a125b5d37f52

SHA512
c80e185fc293e09c8011dcb5e450377013f8d2c3d231b5dd9db0ecac11762789f09ad08d1cc5d99a3544e5cd63de41156a38b72d89152917275a69bfe2982929

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
718295716e5a371a6c4b43f4a0ecff02

SHA1
c4b286714eef678e2745d0b8dcb494ce9e478cb4

SHA256
c587c7595a9e895e36c4e4d5a3814d24af111d78f9e90f6c3d8371166884550f

SHA512
14a8d48fa8a6df68d9379e58ac55e86f7ff8c50749a9891649731fe0d6daf749bfb91ba9c527e253247ef33b055976585e329ff47a5fdb59ba0176dbd437057a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
71ab95978c7c597b26e537c077061e23

SHA1
562c43fdbf87a264080a6883ec6affb50eeae9cf

SHA256
2b8b0b3d08e2ba1a9dbe1bb63d412733fd8ade5054aa68507045265cd1a7269b

SHA512
112fa93419acfb352f06c4fb5ee450071091fb77ff2dc4d2f8674ed94f133b00c613203b7f44d4c630f14f46478b687354d9198ba13fe065b0054f93fd5fa6ed

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
1a25a38eed871eba3e58e44d4d184c56

SHA1
4d158368b34d48790bf743e9400d5ccae383bec0

SHA256
1e298a4354821e645559ad47810024eff1200a1317e317844bb831e1fece2694

SHA512
72f95f3e17429518f6374ccae7d76b3a3702b9ae63ff22bb8f6a3eb2f8377cde13b996702d16f96f6dafde3cc0783ece21ba41491f96369adf3ae877dedf0a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
46677c0954a9f53ba67514b4a0fb0b7f

SHA1
a7eb1edc5459215eb13ad5ea5a397bf0550886e1

SHA256
5c592d0578dec734ef297d71bdb907ff7574fde6d9af0444df37d99fa77fb814

SHA512
7f203421cda5ead893c496719c57f9eea625e030386fe67441895a0581e3d1c0ac0865973b82e5422e9d5fbbc02f12b8fc7cca3511d278fd4b220a2ab3d2ac1c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
133261c02e36cb2920483ef8208f91b3

SHA1
f3c482646493373300dba20fa270761aabd4139d

SHA256
5c5918875a8b3c96c2fde25f15760485292e786ab766459ad68b55f0378c63c5

SHA512
abf431c412f54c73894cbdbf4419be94f89a0e81f95aa5cca117e53455431f347fe28ab22bf7a9728716b532bd447608c73530d4eaabbee4d64a1c0cd076ffce

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
da0be491d49bbdf7c830490b17d8ff8f

SHA1
ab062e65dd38e7bec421cd7db45f750a43277209

SHA256
7500d8ef2b6701b6aba7ba35c291dd74dc6ffa009e26ac77155862ce568f10d9

SHA512
6c5ac43f5ec6bdec905033bd26124f438486472f199f3ada299afb31e2249511eb9c3763ea47aae78d7024f043fc0c1617653aa65958f87fb6f6fc48e778f823

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
11b7053659c3ca14442915d1751f117b

SHA1
ac62e2c22afc78d3309608a54e225905387d074d

SHA256
519baa2b9062e0159a4f38f2b462a91c343603a85a99261c45f96605fb2130cb

SHA512
992c452ad185f0fd7b29119843254be052534715cab76506be4b29cb847e29a9405ce63c74d8b7c0263960aace0c22a1981ba9b95832d4d92dbcb5d6fbecebc4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
0c199f124020189d8f8cb3120ccef813

SHA1
7ae4c5ef0a8a5fed25e36a75182c7276bf6c0ff2

SHA256
a4e6318471e2c0138ca3999e9d774762d14076c7f0ef33ccd5b8b45180f156e8

SHA512
da77cbcff0ef07d0b2f91be3d712a7ef5e60f20c98f3616d2fcdc714cdf66dcb9629dd71fce65f861767b35fb0a31e055aa3df74c6c1cee2fd06ad9be1bda00c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
1471053dbe9388c98628a6660f198de7

SHA1
0ff39fa3465699c33a063cb281390ec88bb1f1c1

SHA256
f8f090c8e05a637e167c39229eaa8395b7ad022e09fc231d28a36e08bb458d92

SHA512
7c51b6e96edc507af8facc9a06b850c99d6e22957884100193eba9b13e2491a82418caf1c3b10c3d3aa7073a89dfc57dfd0b356b0582f9fcf929c6960fb2103f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
250b9367b863f9741f9ba3ab4993f611

SHA1
86d2311db9ef27e3407e7da62f9175d37944dbd0

SHA256
33062e6c91bd1a09d5f12a9685d4a69f7f780f698fc173ff0a8d352067ffe4ca

SHA512
0c230a938b11e6e5ab5e5a71e2f02e9f9308c05e5ad54a35cf6b4957f53e2ec1d79b216ec51212f7413a24db59f21b879a1be79b2d35199f7b77a0f3e910019b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
b00d47844f35e3dc1ca4f4919b392f49

SHA1
f114eb6989a49595b95de45bfab9283c0ffe99c3

SHA256
b1a4ec37fd2403ec398b28d4d9dfb9a553d44675a1c2c4fbcc07a880a4c743a1

SHA512
f9b7250d5cd6b36230a320fd7bc150b3dae25af432ffb49c3c5b3150d82eb35e84e874a0841767cbdb7cfdd8b13e291cbbc7ed780b4c7c91fc53fc32f83c00c5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
6532122ba326858f9277ac531aaf8b88

SHA1
787e1562ca4b81254e610270df06898f0807d9f4

SHA256
b67a94b8e3a11c1d448720d8c2f8cb5d0195fb7be2f6a809f18f407154bf305a

SHA512
4c1e4de005f0c08e705e1475b5b4bb9a41073c3cfb13d05b48fa9c5d37fe1ef74f040bf5ac732902a19ae14ca4288741a0551fd371136dcfb9187bd41419b7f0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
dc55f8a4846b183f420d3bc21f5be145

SHA1
2fc7abaddd46a962f6d0f2d7ed9dbb56b763c974

SHA256
d139a2c1639345806d59c24c0cbadf6b800150adfa7cede6e05d778ed77615a1

SHA512
ecc71733ae5b735f0cb06d4ef06e8285b7c543191ad2742a86ea45f562d8ce245b226c2f30a28041e21acceed2a899dbea5e681eb50c6c85bda768e39a1c91f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
08da6dd2cabf575cea8a5d6224fbf4cc

SHA1
cbdbf9c6217f640c0003f55a763e696a879bada6

SHA256
43bc9186f2c44e0ffede8bd85bd8537f46123e49ea6c6e1c850edcca56899503

SHA512
799b5c795be5b06563bfabda8023abcb62ca8f3418b6e7fbb604984d39b85cd5b8d83ebb0ed4bab676852a605d3878c0432a1435bc44a52d9ed9508db9134b4c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
3a6bf302a8b8fe8c57a341ad0dd6c52a

SHA1
e7fbe66a00cb244cb4912242bc7a85987494b2fc

SHA256
40926b5f8fefd35e750d20bcafe9d2fc604ca79f13dfc9a1b0bfcf6ca8fb8077

SHA512
741c187ed37ceadf2cb1d6a1a13ecba7ccf3f22b5d2297eb73a0a62438d483615bd36b1e5df219f82aa3368e2b00ad737c436111dd1c11c064b1da561808e6d8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
30b2e4af37597d5d00ca85fab34da74f

SHA1
de0c58b01d41c7691499609ce6d05eebbd69cc7f

SHA256
e0c9edb65746ca912bb651b617893c62f22444dbc95331dd1e87ed10baefa308

SHA512
dc77933e815e80b9e73034bc1c1e24efce66f35c1fbfc7dda5144d86d87fc2b9e59c6d76a8efc3e02e5185a707465c2a645b0355eaca50a9be8c8bfd84f08281

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
154ffd52792c02ded3186455efc66a06

SHA1
04709d9cbc8564c7e2b4990038425023cce2a5d8

SHA256
8ded95772733ae74369f954c185f39dd1a90398766482f84d5886fe621049c3e

SHA512
9a87ad7613d705e555d1b91858c4ffe7b756bee35de153490fbd95685014e5ae6911ed4d2566125ab7451d51700dd1b99bbfa23b432b349fd59f2fad124bfff6

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
e929fb8239687807bcdf7756bb23fe82

SHA1
ee90514f274cfc2c4b403984505a0a39e4831651

SHA256
28719c8a26c624e1089b9168f0394f18c0c82c1f2fcd767cece59870120e71b0

SHA512
052ef3ba191f3c0242b7e2a017c933e80c683fa829306c7e53d209b58431557314a6ea066ddae3686bf5687911580c499ff23e99c8b7490f7a22b2d56d236e4c

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
e33d93ff4b1b084f99111ea8140c097d

SHA1
0e723081a87dd6538b8e8c3439bbada6c11fc375

SHA256
cc3ced79cd25a0fc8d288fa39ee24de46aac6a04b0964bdf14efcacd52f3b06e

SHA512
8567ff039c71b086bdf5b71a4779f2c6974d1ee210bc93e6301be1318fdd5cc076ac795aa5434f4b038c265ee904b50b6d0241e4ec5b2b35a8c3fcf2b8cc2506

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.4MB

MD5
1fe730d632a6b6780d8fffeab541fcb9

SHA1
eae8a6a83c39fd9db4e5865ac104e20638d5c54a

SHA256
3a985ef925e7350acdaeb6c030d088fd87373010fe97c3020f160f5719fea7b0

SHA512
a51a818b62e17c60b17b84e23f0e20ad72d385395ca71c1238f4f24ef4cfc79363befe00e5a2d2271f714bab1d0eb692c1a7f1d92c8bc592cab9c9596c134cb4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
5b3edd1151461fbfef8e5664bcbcbfe8

SHA1
11aaac40235ac0f8e717341a0c674bd4be31026c

SHA256
ff5802f9d3d56f7e38f6dc2357d5801cf687886dc25b4959f7af2d6bf949b40c

SHA512
69d6b9ce8ab019f9a78f270034978d991ba8d7b69f300dccb7ea78c076907f6c2a2b1b3b43fff3518d8907f5b27cc2e6bfcba7182ec3fec5776fb7037883a3e9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
fa0bdaf0ad9b62981e22e67605e53879

SHA1
97eccecd50413e16cf8b9dde09d35f8f85171c31

SHA256
25d8072c03bafbdd3533d42291d7702a8efee5db996e6036bc299c05897db0fc

SHA512
52f2143562e74ff19f879f9e3eabe2038274207f0b4f118886a412c801801c1b5ef050e4597bec504eac947d812374edc9bde8cefc65913da8a2c4470448efec

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
f3c78cb78420c17eff2261245feaa265

SHA1
78270ed93f0161ea29d729e770251febec730ed5

SHA256
77c61e4acf46f31ba572100176bfb1a53037dfb818a002ff16297d6fb4dcf19c

SHA512
57848181f2696f6d9463180fa8a79acde32e2dcdb444a28a61520c466205797f54bb0a2c0a57fac91a8fa3e523e6d65ca501926980969fecf0517739ed91de3f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
fa9cde31a949308d78600d55a750b96b

SHA1
c66e171b8ea85694abdbd1812ef36f48cf1d6792

SHA256
b93b91dfdcd45ae75ed4a59863f11b1a70ba776ec58ade1fe988dfa42536988d

SHA512
633dc39b28c299a0ca36c9e72dd96e0416a6be1b03873e40eb59dc0844919896300dba47c47792c69ad2012b4f4af9a4d03a1d0dcc3a4ed2e15589ba0cb160a2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
3c6848b52369fd5fa43e12eee9a4a533

SHA1
794852af719d59bdcd350a728c71c56447c4d93c

SHA256
b9ad6db2c8d709b38b494ae57a1d0a639e894942d92d78c66765e530745617ab

SHA512
2a9bc0b6f98caa73dff74c1f00012c85bb9408360ec868439e7a11d6843457799bc1766f6c1b6e710494efb7bcbd534976d7798c1e3387e2d61009e541c53ccb

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
61a9dab241b3384423d574582ff0997e

SHA1
6f34d77199e452157ccebfac825a0216d2f4e13e

SHA256
f2a380fb579b004b5dd2f9e7e65ddbc41af6ba42cc8f212470e0c2f8f36894c5

SHA512
2b901cf9ebaf37c2085230ffcf12bfb8170c3c0334529336c330c6dfa93006943bc9ac29bc03e20ded076b3d401fcec8f09bb0f860bf5ae4e4d8b17508b0dbb8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
798d9f684bfb94d5bb2841eae9240fda

SHA1
7b8f2ba329714ff51fd7787e8e3978f9cb64372c

SHA256
14955c610ba98c57e44384c1f3858f61ed55e59d9766c0b090eff2b864b197ab

SHA512
98eb35c72df9b5592cec802f33fc9ec6f95997f7905a7f1e0ea50188867d9fa81723fe020954c79ff5aa773bd3ca317e2a0ad4d8dccd98f899dde54855c9b021

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
8f68a8b5a1cfee6df39e293e49327ca5

SHA1
346a15b07b8a7e0c59c190b1bacdd966166846dd

SHA256
fdcea30fa5763a57a4079af8ace0b5e7e3092594b701bcf9faf112828a80efa6

SHA512
75e9d97afd70445afddc0c48096a7f2da0f6cab0a5812b8406b875bc6fff8db8adf6448eb30f09416a3da587b52fb3561fccf94366dceca9187df15ae6f1dfdc

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c33da9edd1e5fc06861f32c031680869

SHA1
4863c392e5de968ded2db885f1fa9cd7db8ab1d8

SHA256
ecbc26271f6a1f7f373a5f6690ed08476f017b930f6cd6de34a8891a885c882d

SHA512
85bfae67f8192528a7ca4cf32b8cf05e14c95e2a43d8184b6e70623d728fbf67343be615ca36cea4ebb09769a5872b54dab3f630eaa018e4196a717129dfe615

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
661df3f73887ab32872050ba81c96a8c

SHA1
77ed6cfe187f22946196673dc572488f7fb5fa78

SHA256
79c84c8e5423d12c2fcc7d6ef374e4a49533c68cc491e117cdf2e4330f8a6b0e

SHA512
3d0792de589333e1a7d6a71cf7cfb211d4546f60ea10c8cc2559013d1a10df1460ec59ec942de5e2f18dedb6f59bf1f5eac77244554f57ea68017f49bfb2b7b1

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
96a3500d2b00c13d11782595feea0a87

SHA1
aba3ca1b8db14477de7af067f376479ec66f52da

SHA256
b3ff80b8384e81b79adf6d60ea827ba02b9203bb3e796359149f8aef7a602e12

SHA512
9bcbe1ce850f125c5f6e0abbc4d6832f3c120f2cf7d7ebb7277d2aaea79b78ec116c53c45085c3db06dd170e5d3efb520c51d9a14ef8aadd50686c33b11fcce0

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
e768ab1b5b48c04f59f9726888b92b90

SHA1
df82fee1b6039c5a7a210f437737c8b8a777cf83

SHA256
9976a3a36c11ca311fd671f351ca10182d6ec04988c033ef192e127efa211cf5

SHA512
188caf4aa2f1a2469279b3020e85605b9854bc9eb59ab2e3f96afc994b1cba81ab9ba34bcfa5c6db60e38914177d0dca71cf2df0f60213f360bb92c000157a84

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
b101befc90192327176f858be84ae68a

SHA1
3e92c5f740451017e249bb1917070e6b69a9798d

SHA256
06c9a7805faac3b3fa76f2eb505ff7b579a75202a449d6ea751f00767396fada

SHA512
a851566a22ce1c5cd8dc1a317054fac6992a5693d2f1861011f5af00474ea266dd377561bf52989e1a8b3674722f37edccb2983b59006d22c646a6cc7415085e

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
30c4e55465e699dd9d087c60562810e6

SHA1
86e6dffa81912ae88c75fe816904b3bd0b89065f

SHA256
0ffed6a853cff5fa87f2c6fdcbb732a15be660aa48668dbd27d4802e2e69d8a3

SHA512
8904ea45e45e215e84f993e91f4096ba4fc413a992777ebdf198ee4dab64e775a7a4bd91d0d965e0f1a59067339d344e17a09b2f636a4a44caef72a1f4f2aae4

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
74d9165b6535bf72291df49b52ef5966

SHA1
0bd565e6611dcb1704e6bc3d15127541871c485c

SHA256
ba7523e644142d44f8fc2c163fd942f65f37be47db15294364004080d1caf482

SHA512
cb3e620c5ffb2c9224cf42ab86a05886791d2ac7749f45df80e217c112477783c9ac692b8e8e05d269885d0a7fc32d4c9d361265133f8bfc5eec2a0e48571673

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
73fe8be55252f3740e13eb26fd3c33e0

SHA1
733b3d95f38284d1cfbb35129cdc425371ce3d03

SHA256
16ba84fd36d6e9b5dbb4ec81a8dc7904ee9a30402ed3016382a0cf0e79e77623

SHA512
b4f9b3834e95061f527b2d8906c12da5a46ca0adeb196633838616954e4e22d3155f289809139200a18cf9d6eebf7909bc325c3c58e46fccd137e30322849373

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
3a007ad79bd588d4261fca91f8bbb2d8

SHA1
cc21ae1b31e8bff5c49dff675b52b6ca1976902a

SHA256
f2e221817a14fdebe5fe0c8117c532b831f9908e416cbffcaccfc2f3e99b10e7

SHA512
3bad1b08e978d7e27f86d8e8fa73afabb5c9bf8e3dd1142de1c991d6622d54c5678037f0e839de871238583a753aecfe0e04a70b3c76de5636a6d3e3b137cf7f

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7315dc2bd74577bc587afdff1594dc62

SHA1
4adea186a7883c62a820a76ae62e6665f6bbfc75

SHA256
35970edc9e03339e19dcf34d311bb2e3ae2259ea88c8f6782f3fe94accf97816

SHA512
88e656fb31f627323d1257112d1170f826de2ede07f294c52a0056a2dccfcda6023fdd46b0720b1f776d9a950b53a26502892218e01327b02c42874b66b5d58b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
d83688479645d9ec5e87d444ff29c367

SHA1
6341b8897edc1973e38b9b86551b61721c71ae76

SHA256
60c26bd01b235add1d147ab2bd743bd624d5e1272df540574a78b57ae4ddd898

SHA512
e5dc5c5aae18b2389fe112a76ef7ccafe36cf7142de71115bdb5a1e2d76af683d70b8cc056b5cf570404b6450b8c0ebc5661f1617334c25cc7a9101c35bdfe79

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
a700a66e3df30ec01da2565fe61848c2

SHA1
c87ca0aa2ec9670ecbd07406b7a55200334fbca8

SHA256
45e0fdaf5188c5d412aac9f6e24589c20e2486e546124e0964899661171ed4ea

SHA512
1e4f3fb80d8a7958fa6a92af80c5115ec6fb300bed1650b9f021c16d82f6a1e97eb7e2de0efed793eb2ad15291e3c50a063c30c04bb25684a2d6f4d4d6058493

Download Submit
memory/1528-299-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1528-241-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/1528-232-0x0000000140000000-0x0000000140255000-memory.dmp

Filesize
2.3MB

Download
memory/1560-301-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1560-298-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1560-291-0x0000000000C60000-0x0000000000CC0000-memory.dmp

Filesize
384KB

Download
memory/1560-286-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2324-11-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2324-12-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2324-143-0x0000000140000000-0x0000000140269000-memory.dmp

Filesize
2.4MB

Download
memory/2324-86-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2464-131-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2464-6-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2464-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2464-434-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2464-1-0x0000000000730000-0x0000000000797000-memory.dmp

Filesize
412KB

Download
memory/2504-280-0x00000000008C0000-0x0000000000920000-memory.dmp

Filesize
384KB

Download
memory/2504-272-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2504-340-0x0000000140000000-0x00000001402A1000-memory.dmp

Filesize
2.6MB

Download
memory/2884-177-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2884-239-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/2884-184-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/3204-328-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3204-336-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/3288-133-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3288-201-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3288-139-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3288-132-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3396-198-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/3396-191-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3396-252-0x0000000140000000-0x000000014026A000-memory.dmp

Filesize
2.4MB

Download
memory/3804-323-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/3804-314-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3804-639-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3896-326-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/3896-267-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3896-259-0x0000000140000000-0x00000001402C1000-memory.dmp

Filesize
2.8MB

Download
memory/3916-313-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3916-254-0x00000000004D0000-0x0000000000530000-memory.dmp

Filesize
384KB

Download
memory/3916-244-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3972-205-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/3972-213-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3972-270-0x0000000140000000-0x0000000140254000-memory.dmp

Filesize
2.3MB

Download
memory/4316-354-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4316-448-0x00000000007B0000-0x0000000000810000-memory.dmp

Filesize
384KB

Download
memory/4356-614-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4356-310-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/4356-302-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4396-203-0x0000000000400000-0x0000000000656000-memory.dmp

Filesize
2.3MB

Download
memory/4408-99-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4408-100-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4408-92-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4408-159-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4408-93-0x0000000140000000-0x0000000140268000-memory.dmp

Filesize
2.4MB

Download
memory/4412-145-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4412-144-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4412-151-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4412-155-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4412-157-0x0000000140000000-0x000000014028E000-memory.dmp

Filesize
2.6MB

Download
memory/4724-118-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-115-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4724-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4724-105-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4724-112-0x00000000009F0000-0x0000000000A50000-memory.dmp

Filesize
384KB

Download
memory/4796-120-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4796-127-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4796-119-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4796-189-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4824-348-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/4824-342-0x0000000140000000-0x0000000140285000-memory.dmp

Filesize
2.5MB

Download
memory/4904-283-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4904-227-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4904-218-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4916-160-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/4916-161-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4916-168-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/4916-225-0x0000000140000000-0x0000000140278000-memory.dmp

Filesize
2.5MB

Download
memory/5988-640-0x0000015CE7AF0000-0x0000015CE7B00000-memory.dmp

Filesize
64KB

Download
memory/5988-642-0x0000015CE7B00000-0x0000015CE7B10000-memory.dmp

Filesize
64KB

Download