4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38

Analysis

max time kernel
149s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
Size

1.8MB
MD5

dc1866ab87f2bc660b60fe54f5cbab91
SHA1

b725f4d6ea68b5529a94f1b8677d02626b536123
SHA256

4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38
SHA512

aa2bbec1bbc16a651e7c505ab32472278f76faa457d485a190e9e7ce23275f167c08f7a4c9f0d66fa9ea97d8bbb2498b756405c74b9636415f72dbe636015feb
SSDEEP

49152:Cx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAy/snji6attJM:CvbjVkjjCAzJ3EnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
5080	alg.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
2132	fxssvc.exe
1012	elevation_service.exe
4464	elevation_service.exe
4740	maintenanceservice.exe
2440	msdtc.exe
4372	OSE.EXE
1848	PerceptionSimulationService.exe
2164	perfhost.exe
772	locator.exe
3480	SensorDataService.exe
2916	snmptrap.exe
4780	spectrum.exe
2284	ssh-agent.exe
744	TieringEngineService.exe
5020	AgentService.exe
4016	vds.exe
1052	vssvc.exe
2232	wbengine.exe
1496	WmiApSrv.exe
4872	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\wbengine.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\b3a416c91ed82f9f.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\locator.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\spectrum.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\System32\vds.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\vssvc.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\System32\msdtc.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{38ACDD0D-FF02-4A34-B36C-7A103582B8C1}\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\goopdateres_en.dll	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\goopdateres_sw.dll	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\goopdateres_ur.dll	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\goopdateres_hr.dll	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\goopdateres_en-GB.dll	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\goopdateres_es-419.dll	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\GoogleUpdate.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM51E9.tmp\GoogleUpdateSetup.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cd463bc573a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061df5ac773a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061df5ac773a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb7312c873a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fb952ac573a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000852523c873a1da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f369ebc873a1da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ec84ac973a1da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4716	DiagnosticsHub.StandardCollector.Service.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
4716	DiagnosticsHub.StandardCollector.Service.exe
4716	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2384	4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
Token: SeAuditPrivilege	2132	fxssvc.exe
Token: SeRestorePrivilege	744	TieringEngineService.exe
Token: SeManageVolumePrivilege	744	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5020	AgentService.exe
Token: SeBackupPrivilege	1052	vssvc.exe
Token: SeRestorePrivilege	1052	vssvc.exe
Token: SeAuditPrivilege	1052	vssvc.exe
Token: SeBackupPrivilege	2232	wbengine.exe
Token: SeRestorePrivilege	2232	wbengine.exe
Token: SeSecurityPrivilege	2232	wbengine.exe
Token: 33	4872	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4872	SearchIndexer.exe
Token: SeDebugPrivilege	5080	alg.exe
Token: SeDebugPrivilege	5080	alg.exe
Token: SeDebugPrivilege	5080	alg.exe
Token: SeDebugPrivilege	4716	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 1076	4872	SearchIndexer.exe	113
PID 4872 wrote to memory of 1076	4872	SearchIndexer.exe	113
PID 4872 wrote to memory of 3920	4872	SearchIndexer.exe	114
PID 4872 wrote to memory of 3920	4872	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe
"C:\Users\Admin\AppData\Local\Temp\4ff58b4627cf9a7149fa0b8dbd364d91ed4142f6d5e2b985fef25408c0436c38.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5080

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3068

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2132

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1012

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4464

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4740

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2440

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4372

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1848

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2164

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:772

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3480

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2916

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4780

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4776

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1496

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1076
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
38b2db8ab1139af9f5c55840d38ddb52

SHA1
490e50308dae9b2fdfe5150c8b842164bcae1f99

SHA256
f378924dbb2a28a5b30dab1f29593d4b68b467d6abc0d5d0c2a588ca2fc9a864

SHA512
8986e6e7b4d658bd6aba29eb64eda48cfd981a732b64d55ba5daba67d41e6d665e84e4ee284d0b131b23bf762a23061732221c7837d46c254effa53e7d01127c

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
451f98ff8abe633ce3ff939f7955cc78

SHA1
f9c9822b0fe3c131392ada34c11494e712019a15

SHA256
db236f053db0d4b410ea1b9e4343420a9091ce3da8b36649f9ab1e7f62d1a1c3

SHA512
b67045c45805b4a4f1af63d9e98db607298f44fe1bf777f680ac8855fa6ad889977e52bb88ccacc7f0ceaa40a12282ec471855056a535d5b0d9fb32a2fd25cde

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
e5392855f587a52ce5879f0298dffee3

SHA1
b11025f55002ce8daa2ff1596bd34da1119f9de9

SHA256
50ab38101a0ac183d2deb727e1f6498b5c9d5cc93a881e5496374f8f456d0f1c

SHA512
6851610ce4a58a6ff91ff33437e91dc7bf7d2d33e329a1d962745040da2a3f79824eec46c003ed129d0526bccb315ea806dbcdfaa208f62209b348c239a73ff4

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
9d7c78a18590c7eddce9e710735dea61

SHA1
6849a3868413a0b87c93ee8ab42d9230833548df

SHA256
fb226882f1c941e3dbac56a26a040828e1e03da645d6c33e79f9e2b3a0c3e2e3

SHA512
b24b96a7d70b33e90a7aa7ce492cc99025d9ae6c4f6860d09ecac8ffa0888b0da99e419aaef6a6a692096fb5632f977595893fce509917a0bd286b69342a47cd

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
abc9658a67381acd1d70f805f6b02bd9

SHA1
c082f56ce6c1579519f4022c7af0002d27625fd4

SHA256
07e9ee96357505d0ff662650e5626e608740f81fdf93667b43eb6a2eda36971d

SHA512
008072d100936ba64ac1afc62d3c545c4eba48bc34b9030db2a6c377163cf81eebc4d060cf86446b4966781280ae2c6aa58eec19e830dd5e45c15d7fcd563f3c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
d1ee3bcd7f6675f13f9f230f8c680b6d

SHA1
5dfb9629a6d02d5346e1c30e0f0028d0d80f7999

SHA256
8fc5f18fada417fa19555646c936710272bb9a79d4310f0cada83e9fd0d13c76

SHA512
b0eda1cf0833840edc132aa26385e9bed232ebc57ce6b064b7c5fd219812bea4b0bd48a8457dcfb655b79522c01f4df9a9269bae48760757ef144fd254f45901

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
5ec32b35e2df7de48c815ede35258448

SHA1
a6c8d41dec3df066c86dfdfd7c28fbf479388e16

SHA256
215e32fac6133ded39717176159a835218d1e5d0aa1bed6ebb0a9540f8bba361

SHA512
389f3de13421258f0e7ca4478a5f1389bd960f426ebb45f65567c18ae39b17fea65a05e3bd90cdb1f951ee81fccda6d8a5c6a3923d30ae9dc4ecc282633a4fb6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c600c514790cdfd36d4a2efb415bb508

SHA1
d3a912af3914982de4ffd8373909d890196f4f0e

SHA256
cdfb1f44854a3612a2470b68fa4508d53171374b0a0a49ede298855ee8dbd18d

SHA512
d84bcad35120af75bf18e9cb1fbb80f54491003d1e00ccc40344c2fc2fb92d582107e63a38439bbc147073018fe792b8fcc840f119216af339bdb760d87c1194

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
e3b12dff59d6c857e3a92d8b9f62f56f

SHA1
2503c97ad46d7e3a54f7f4a8bee69bb94d276c1b

SHA256
e983ba39de08d4de01ddd12c81b94c684e7877e5cba6231e6bd1436953f6d57d

SHA512
1c6b1070d395511742a528582c94e12082e7e9bc6a95da7d5a5dcb6b4c075a4ac9f2820bbb83000ad4198dee58936865c6c62176a04a4ff13b334e2130986689

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
2ab49a84ba9c7eda404ef6e4fd459a51

SHA1
c48c0950d35b153395d52dca6556f15e4fed3d06

SHA256
bee7bdd8f3bdc1e35bed2f47b2554f04a37c262d4338081b79c2fb09644c9db7

SHA512
72ddf47271026b4177c11297417d3812bba37d095ba74920352f8f7c6a970f2ceee7be8421157b9ef17abd5e0941a7961ee9e0bb358fd38356ca75db62bd0dd0

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
0bcdd543c1861e80b840e5fd5a455a17

SHA1
268be1d52cf30c51b03730c28d4a0d0b8c341d89

SHA256
fa17161a66a439b2a46f092c07c8cb1b2eff063739e5ceabc90f17c3d2f03acf

SHA512
1e74fa19afcf148e1a1a0585172417962a929fdf53ceb7f39d4f4a9564f8f8029bd1ce3d8c3a8100b2d6715cf5ae806e68a75fbc2e7ad5e0ba3a22bc630c6897

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
5e8481b4c085a730b0ba0132df75accd

SHA1
69a82670ae4bbd030299053accccc7cce6064e6b

SHA256
da0d8cabb89206f38a226a631e8a82a5c7132f19866da76a1d6f67c314455291

SHA512
dfe8005a7164945843b77347454fda482525292b10fc2b9b8630fb7bd15883ae63d39cd8e335e17f5e77634eb4231fc11e8129424ac68302dc013505615c53cc

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
7aa94d389964b38056765cc816919cda

SHA1
712bae180aa19bca00c161274e8c1ffee2fb6c5c

SHA256
78e2ae39f74974ede18b025c19e2af36cd5cb4b1f7d217015fb41f2ad398aee1

SHA512
e0d61bd696a5d58edc061a87ef46ad3706f57fd31cc5eb82f9f43666300b3babaa50a101cfa0048e0225f68b24841b70855135f01fe1c826dc1e335444f27247

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
a19f62378dfa6c7d6ecdcfeac8d860c0

SHA1
2680a293fa7fa2a3b76b6509a942e6cc9b79a6a9

SHA256
43cdf0e927c46d826b28091dd01d4cbb5e8eca0fbfb39380ded26c192b96cc9c

SHA512
e88c65b3c172ad80b5052e9c112138c80e1a137d3328d050781d15392673b1e72f6eae138145288f445149fc4383a30b1e33d44db57442cf02d497cb6165fa84

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
f752de916cd59b83a92391659c7d48c0

SHA1
1bc65d84e191ea8ae6cfed2d9996fcf8aede08b4

SHA256
2a473cf15e28ffa0b9f2079c1803b7356d79210eeb85bca76b6aebc375af562f

SHA512
a13baff8c32a7911347829b1ffbb6f2fc5869b9ab6b153d8cca9bfe40ac2d3c928a49b43fd8348335ad27d7af2e0485e6934bbe57c2beef9f7849cea6731e60f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8cd49b7baec8a66bc1c0c4648ea4c30f

SHA1
f9c7959da14e863c0a6b609e9bf0dedb21a7930f

SHA256
b859748ae21560b4776c109db3b10a96091851f8a54db57cba03a95e342dfe4d

SHA512
ddd6b74e1620454cbcfd5332d626c1b398aa480ee25f6fee589b4ca501bdf43dac6f3a122620222a59f1e1ed093d83308a009f7448a1017541f9e0dbef270cd9

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
fee16646242f8fb6964b6dd12e165d8d

SHA1
bcd33dd1b7eb544c77fe9b2ff4eb03ff67543c75

SHA256
929215770b09bda9e358f00d746a346e307c623eed1c54cad2be9725ad788fe3

SHA512
3ed5bba1542d0489bc0d5b41c39b75a79f8587d486b40a84a9764870d985eafd98a18a6137c3238eb60608d22a9cf79487b286e7cc51c52b76772593bd0c1f08

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
85b71eb91596ea5798718d481801aac9

SHA1
36b9b4b15ef1ed0696f16459b67c988177223f88

SHA256
9a401fb505995fb03618451575ba40d6c014b2a6ddafd534c55bda186e58bef7

SHA512
2ca609e961007e8f7fb219985ff99ed1124adcf86dd098468b4b1ee1f6f126d69dcf5420134fae0be4fa1387e78a856062f36b762efdd0f53c3c97b68c8cb3e1

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
bc4bcd25eb799eb6372abafa0bc7e697

SHA1
815886b075883f24d473b4c19bfa7bd10b0cdc24

SHA256
4684db3dbf3f2161c7721b8c4c72a9424369a5473e39c86092ae33b4176b3690

SHA512
a6d165af83468e83dd58a2dec14e1325eacccc3dd058a28f8a1db71a32cf0d9088dc084172ca835c61345a668901fb016758ec8f58eed17e4e5d58a57e901d18

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
ade8be5f45ae9180ca1db547a3d7ac9e

SHA1
db9540f2150b0f9f36660c3a710937c38525b89d

SHA256
fbdd50abc74accc1c4fcf941b403e196183e2e6d75a7b4d4aff160135ee688d8

SHA512
feaee29481c19c5470784c5226b758ab2011223b70ea224e134b48e46f44902897943dfc86dd45cf1ff52732db4fbb266ba63f7b8fa201339908526177afe22b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
5e13e581f9ba41df6fd91da719bdd8b1

SHA1
9c500dc35160b0ba5f1c43300dc6f524163b91d1

SHA256
cde08468bac1bd29772cbfbaf4990937fa780e77176d836ca0144d197e9d7372

SHA512
18660313fb3e57d72a6b9d066c7f177e4603774d5b542bd45fc5f14e87b0c24b09d423849a74549dd710df059054256392f7bac8fb8d2e86b30c649820ec2a37

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
7554d4d13a6319f9f49dc879c9eef64c

SHA1
088037cab9ec8a414595fe57b1c6d7e73d7fa200

SHA256
601c71920a99a0e04a3ed9d13adb6b126114a7c9b2f4a9adfc831c9329c89437

SHA512
b68bad50bbc6eca8433732a47a1efc8b3fe3d564bf886593e48e41b43b136ca32feef75eb68d5d7650310af21f1db5a4df76d15be029cc443683993922a306c8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
f6b26ec98f28ae797ee1aaaef37674e5

SHA1
6e4edde6e77e62c224ed6650416cc871b30e8a96

SHA256
8167981be919b16052910b9bb584140a1709d931815adf1de8224262c9604e20

SHA512
176f3b2a3aac257d6cc25cf3924d05d8e340b5258f42ced9d32eca1b0e370c553480f8a472b0f770a3a327103a8cef76eff718ded0e57bcd132df9ddd6444ce8

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
d35c58f3a34f7336d14b4a0e223ff63b

SHA1
2af434656a4f6c7cc5c05bdff0f8a56076639b04

SHA256
419691fe375350ff3e36710abea6a4d3dd26b8f97fc7052bd7123ca4a1749d14

SHA512
514c0d81d4c8b92c26422ced7aa683054c65e1847b0c13c2dfcbd82c7c988d72a6f0c4cfd68b7862ae2d4895305933de513773d6657513a32058b48c9810ad40

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
2664609fad636483b4a1d81dd7325ad1

SHA1
9a3e2a855782d26fc464439926847b7cd4223560

SHA256
4ee6f7c32962d432c8018d54d232fb358d73ac82581c6b95ceedd09b8e5f6f37

SHA512
8d905268ebe60a157949e7abdc8992a488061ab46d2704f999cb1ec1adf826d7204769cf682d6d93987997f49cd65faf0c547535b2f1182cffe5d1edbc7a06a5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
05a8a21b884f7a7404535ecf740dede0

SHA1
6101407409d0e59b22d6627514e430fac0174293

SHA256
f78a77791a524aa52662354e8295e997357fb247a44025977532bd035c6f4748

SHA512
9e2308e122d2fee7928f202f1b232a842af73b8a08496ea78783259504fc10d27a9858a98a0f3482fe9f0169f68825925b9e3edf58bb1eda85e00acd7d26fa57

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
97f3559b9abd9f38beb9365aab6cebb6

SHA1
7f7ffd3deb5f175eb6154c1be2d7c7946301717d

SHA256
ebd3e7038fdf010ff5276e14724724ab87e137715f5dacf2035bee235211a494

SHA512
244908a58c3518ddf04ba8914b889c769b9eb4278409eeb013b14780b9b26abe78497d9ac701a5254f6895724cda68e001187caf2e023af3267ceefe3096be69

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
e9c795c47710df122c47e618b96dff96

SHA1
89367356d3dc8fe398d1cbf540eff81c4543d446

SHA256
b307f6b3338d4fe73c316be55b9f01f925e1ab8bd5001ab5665458fea95b6750

SHA512
f249db219f8c16e3b03b7b128c4f5b71457a75a22d14f99762033157151686094d6542a61612872396ada6e5e9e313ee758e13922f3640d4b3460164e0a836b4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
5b7fd875b95e9ecbb09103a521b0d496

SHA1
55ada2ba61549f9db7c26b43767e09390120f4d4

SHA256
d7551f6f71b7ed27bd154b06cd095f64f4f7285a5e22b4dd5e6ed302cf4af14a

SHA512
0a6e5df76d618195d10f9b8506bb81e33294f3ec888c91e5b0665a630632cc1ba138b355f4c9bb68751d3bbd94b9beab4c03a20f85878bd7080ea4baa3df551f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
5b49e544edfc1704587b07a3acfc08bb

SHA1
6f1b4e9f1d0359725759117736feb3e639a5a946

SHA256
84c959c5774f681845626863ba563c755a09aca582e325332580e2e0dfe25f6f

SHA512
b441f32305ee0b8d8f2d938813cd4178ce00fb556978e4a1becd3224ecc50eaf544c191cc29e7b6ce24873b28ab49d9fd98167332c5ae13d73941be05371d07f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
7e6f05dc304b9d44fd31f85417767c3f

SHA1
7dd2c1345d5a48cc361feffac57154b4fbb8cbaf

SHA256
95378347af3b5c30b11b05c9342ee349cf4d0d6b546b1a95eb2dde58de1179e3

SHA512
6e6b023e3ac4f87d1ec3dc10ea25f4672883b447a3363d7ae8a0fd7eaa7a06bc333c9caaaf48ec6a994932fbf50d5dd9987fb034372779977814ab3a99514c05

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
8733a8ea30638e908a68f95055194382

SHA1
0a5b36031bb60fa7692781bf1321f14b1b5c5fbc

SHA256
0762a6a3e03a3a69df81096e1d5c491a6694b65a6a701dddfc6dd4b3642ae050

SHA512
9d9916456167f6e653ad7c3f010254140e97c7fc75c26a4973f19cde0a3135fdffe4af46c46aeb5e4aefd1f0498d5a8cf088357f5af2d4c2a86e84960e3c8cf2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
9eafbe84e4ee441fe77169e4c6542614

SHA1
447bc95608a60ba55f8455953822ca6e14b1b666

SHA256
147f16fd84c7cc1eb98bb965bfab82401bf61f47476f4eacb3e17b31f0b205ba

SHA512
39b9ba05201af1ce6737549500e915bc2bd9af3448299d7c41c3d7aafb0d0409cf3c2ccf910e7938208e2066cb2684081af299e81d743aa686b4741bf7f37581

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
5541f00afd9bb0895d6b55e191a9a2a0

SHA1
97e2a8ef752915e390e1fcbb1bfb4c24c0773876

SHA256
388310b0171198fcb0f5cff7ee0bd54d4b5e939ad3d543285c09f9d0d90d348a

SHA512
5bab866eefb6a079b3ac16a0e96ed6c25979c07ac6a3de17b8657b49f0474d71280c3109a07a6e7d330abd55e796a03bbe2453bc82ea7ec4d215f47421123590

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
f6b9cc0dd23e6096919e1d7fa82d67a0

SHA1
208c76f6db291ccd9bb08d51b5c0c858e54b6d51

SHA256
fdc009e623dce4dc6d42e483cc829d66104ae32d06085933e38043b4a6b712c4

SHA512
e44af44a0b4df3b75cf2092f290f24e8d4bfce7a4602cee3d61dcff81e491fa6de913aa55e59657e6f4b71c9acdc7aaed1972b5bf3dcc0d2b2f34738e63ce4df

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
fd3366dc6a8619e3576d660582c98e32

SHA1
3ced849deaea87fb79ea8cdeeeb18875ae9c5083

SHA256
ee0d7748645af4a4ba81970393cdeab27d6a92a2f7a45e543544314a06f903c3

SHA512
aa35949936ad50b0b916d427c663acdfb843a963a57f10c5d27df481ff4b369f2be08e7c6f0ed04cdf313e341ac4785faff3e1adf5484bb78e48d385333eb2d4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
dd1b8609d3ce19e2300f2304f5d6c78f

SHA1
db33b512aa86b324d31cc6cedf3d76edf8a2d0cd

SHA256
386c4715a51aced94fc5199db1d38f822023e1bc08a980fc9718725d6d0332f3

SHA512
adfdc365e8c63e76df70c80487e1ce7f5dc800409285f7393000ccf0dc6f95df288a61e500862892322b2ae6f2ef92b68e42a31af157aa039115db5bc7840c19

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9126d370d4b4d4202b998c01f15c3b14

SHA1
0c0623160f3f33a579e8d300fb483ad96f88e381

SHA256
dafbe77491481f1a09c44acb01d2b2da745404f559d95afb34c0d21662ec4d01

SHA512
44af5806757a0bc20bf6913164d96778e8141ebafa5d58bd0398308dbf9dfff6b51d981e7d240f50eeb69c2b95f21f9580f810064de7b4679fa5e582b97606e1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
8079a96d1a3c010ed4bc7372b463eaf9

SHA1
07b59fd06d38d99bdc31553f66bd0d0657882ef4

SHA256
7cf7f051e435003fd913a000dcd90443b129677ba70db2e53fd0e75cc1c918f2

SHA512
8d160d9cb5225c1aac90e293a233e7ead70e4342b6480a184150fc19c8bf081e24b12fb69c3334259fad56690e993ee777db5e4389f259a8cf9d1ebd99ad472b

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
0527ee9b603e7d1291fd5b4cb6bfd1e8

SHA1
901dca4998217195facfbf78883f0f67d7c12ecd

SHA256
eea1e8bde9b4827389eb7cafbea856e84aa68bf207b9889b1eaca5bf9e6e1ddc

SHA512
41eb9a881f2fb67d284d17305e9cdd498d834fc9d5461523c9cdc580deaa94a5a5624fc92e35c8063db3857acebc7accd4dcea63b638e19123f7a6c523ee1b8b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
b480cc5899a60abc2179c98816ff1e65

SHA1
37a8e37fda38121f0034a123e717b83831300486

SHA256
a429dae9bfedda680f1b11989305293dec5ceeeaecf165b51f847a32c4ef27f7

SHA512
5217ae059fb0485915b833320ccdb23d5056c38943343c25e7be7f9dd24833307aa8449ed5d2a71ca3f23506407c5a71dad940a96cf2ef720fb3d780b7861a3c

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
27ca4a9f5fd36c4beb2482c6ec5499fb

SHA1
f095eab487d86298c9c508d5fb7980bd9a58341d

SHA256
05409de3982eb5f3d44c87896ab420aaeb7a6d8cdf3b4b26fe79b0cc1164dd02

SHA512
c439a171e135d5306f502baba97e63b1123543774dfd4004a7cceeeb6f8b917412d4fd8228a59fa4371c630cd7c545f140aaa837b6a621e1785b345b1c14472f

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
cf4f85b48058c20da3045b67e8b3890c

SHA1
32dd26480edf5910c327e05edbcace9942c98655

SHA256
e99710bed36b8ca574b505aaade3e438d0e6a0502bf7a8e648218d403c6cb373

SHA512
4c6e2602ff04925ffda4b18bf2d074743f02551b961829ffdcc78e9e05e6cc45ef737973f09907590dc38e812a59c2c30e4e7cadb21558c832e0406acf932639

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
b158038b448c820fede7d9fff4bee58f

SHA1
af144b7434f26e69693e1798836c87543b763b8f

SHA256
5db92f6d7a0a242f0dcdc7b8b8a35cf707c8af95784d038ac28107bf028fb54f

SHA512
5e0902c618d8c52786a04aa12f77ca44ee63ff3de57ab3f9ff8b46cb54211a3de6d12e69f175085495cbfc6a8e991d9b6a680fd6dae9d655491c8f834c94963f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
eaa821f6db68a2ad1e86325bde73bdad

SHA1
b2c60acf405d038a9a7737249ed96093102cad6d

SHA256
6817f629b55d9d012c2c59b3c111bd4ae99231238d26a63905fb3064ed7b81ed

SHA512
e8c0310b96a68cf0df4be1ace5d13d0278df1ffeb132636d0999392f785d7cd278c9538589793a13f3d8b04d5d1f5b93193cb9db41de9d8c478f006208314822

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
d604def25c237acf4bc33f1c055fa372

SHA1
178f253dce6a5a55601afab973aa95a9e93f6521

SHA256
6f2b74b48ce8a141cdff7161a879383d59e7a2ecec02e52a70c586bdcffacf61

SHA512
54ae2653eb0a8ab76bebd62f5e93753ac18832ac73d709f1ca2a7861efa412c967cd8bdd7c18444e285aa5b67fdf11bbef39d1652a3b58507fc67efe417739a7

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
68b8823b779c17b5bb89f6b9d20bdc9f

SHA1
94d83682771e9c0729a460e75fa6030009ab926f

SHA256
9dbdaaa4ad9a428d887daed4c42834ded543ee3d67ce206ff6be28ccab4f6230

SHA512
0b13d5d515d31e96e879df7da81f6a42d17cbf67f901615f8faecf024128ecfb40aba0174a9346439420c1e11436e8a597f321bef8ac25eca4afc309775d0faf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
23c1feb25f95224ca467213f4a8db403

SHA1
7bcfd1fdfc906007aa11616546ad53ccf46bcbd0

SHA256
841c2475725323c9ada04e5754ec19bb82eee7722b60bc398d8cff61549a2fcf

SHA512
53767b9ca1f3f7664d69ce40c2f9c66ed59b5318fe8d1d2056bec70555e44edffe5d6ad7637ef857f35a526d67cf18873fc6fa814b5aaaa11568fae09f885ca8

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
14c51a0a331dbfdacaf7b2ddddc46e29

SHA1
b410422c3f0a36e7d99d620a38ed60d929e25d7b

SHA256
f4a791e1c1b3e3b913cec3ee652e42ebd6e65f49e8fa870df80d3352f9f68a20

SHA512
c393525c66b1ea7c4a6f315a529f1e9f900bc3104c797fea1c66f921413ea3383287738ad180bd14a2a18faf7b56a226124958f6f81d2fc8d30f718ac698e21d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
d4e68ae52e05f9bdd15bad5694246e3e

SHA1
f4c51f8b997c224f610b7d7f99bfda25c841f221

SHA256
e1dd97f53aa27b8452fbee5ed94d5fe3deb45d5e3cd0e9d9f6c61ac3402fcbf4

SHA512
a86c9f9587cdda5152ac77ab9d7debbca931cf95742fe6df5f4a50186117c8d8834febd9cf3b3b59c4d70838ee9df6dcd65a8eeae00cf903acf7ebabc5ae43db

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
e0f0db0869a4ba9417f1c5ba30c22cca

SHA1
fc69ad39a3de4bc3a3e50a02d6c5118c5ee52c08

SHA256
7870bdcea785deedaec97f2833df0a51fe1ca838a1d247414e2aad771afaa109

SHA512
b43e2142ca4c4b53dfa21846564510c0ec08b03bbcb8bbb237e3cb7a3dd73dab4ef9aafc2c746fb2c2f62c09b06c940216d4c6c422fdaacf5c8d93b071172eef

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
ea65b27d581c9c5d6e18b2b17d57f9e3

SHA1
82efbf8e702a95418936f7f5463cf742bebe1098

SHA256
c0685df3b4cf6d02c37df21f5f82097da6a431b6249c931b64322ea65ca31934

SHA512
f496b028edfe9df97b1bdefba2bdf4186b8c84527cb57bb4055f970f07471c030f52a8b2cc4140ed1acd26c7b8b1ca8ae43b831ebeae64b6de248082246d2151

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
eb6f9912e7dda0ad71a18d7b9d665f65

SHA1
a89dd9789e5691353c407c92078f168d8a02d92d

SHA256
e0ba9c60138d8693dcb736d4af9b0a8747a52caee7e36c9f007b319e65651062

SHA512
c37e25ec10a860b21d684858616198ef2383315adc84fd76296bbd2e1ea0598724931ae7e11666d7ca33b3c2b02fac0ff5591e114de2d74863746e94aeb37368

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
41d9ff7da402a17cfec9f7e8eec0cf6f

SHA1
b188bb3eccf3fcafe57cd069c706bdb87f17f653

SHA256
735d233f44b0235ca4eb0977c5c36c322707babb916742147c16492d5ef8675f

SHA512
1454b3d4fecb8440aec425f5c23e54b55213f2ba1d9f5c09983706a67e82647ad95d1f6a3d4f6d2fa8cf543dffaef5536ea9745432a081c8de8858008dc0cf98

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
e492afbdf0c404432bc6a287a488d67f

SHA1
c87a9ae15f7f9a36630b63ea5167933b1f20bce1

SHA256
6defde486678e645374edb248efe0a5504fdeb1b579e2977837d7ac5fbd7285a

SHA512
972c1dbc34965fcf624fd9b393ea4ac3417305e9d93f62563c40a665fc1c9ff1e5f4109b02a0a6818ff91e2f9cd922a7eb0fa54a98aef7b131eba33a0d83a2c0

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
c13d03df923be4372e8735ac804c1050

SHA1
ca8767faa901baa7a4eb1c19f7941ec98057eb65

SHA256
ac6c0c68a932ced436f546db8a218af7a5e7d605cb01fda83fa981b2d3845256

SHA512
c7e9d01a74fefee9d8ae03aa5ecaa1ef9ba00f124380c80825da46cd1a86ca972202edd5f8232c662c3381be793efe1be9a19ffce389be0a49b75710024fd233

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2f929868cd5bc733d0ed66d374d487bd

SHA1
caf12da83c09d2e5f7be94091d6a437908496a5f

SHA256
09e31446880c29ebc48245d789bb87abacad0d97fe257035e990afc21b2bc632

SHA512
7fb3b310abc257604542a04fc25594d1d43c0ebcd7c4a7f4735d64e8fc183855f1bb04468d5faa70a1a65de43a4a9f711b5b251d20c7b93c455ba999db32baff

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
86e3c3a92493f5e3876c1183e525340f

SHA1
5bdbbf56a3e7f664c7c8deff68b335f9c493899e

SHA256
794fb841090513b56ae65d52a5cb771b18e7c190d8da4aafa359409f2e8f8a9d

SHA512
3df093a06c655cffab713a096e88306a0eaaa82173789bfa33f5013d92760e20737bfdc41b39a071efe497e3c21ad48aaf249c161ea77e3f678037f66e3cc486

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
228e357b0cfd484286342f7504b1bfe3

SHA1
c58f071fdf713bed4e752f3fbe8f337622f6266c

SHA256
41a4f87a9dd7d579be58d288609d5207581185e62013f21bc460faa2b6b28525

SHA512
06cc9ae8477cb51f51b557da636aa9444441d756016416d2e8605aa32ed9a00c599ce9c08a86bdaaf4b34b71fb0aaf02e023bce859db2924b3e878edf822bed5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
7048fbc5e07d134d073ab050df3b41ef

SHA1
54bc7a98f41b38f12656b687b77303dc09186455

SHA256
86849000297aa98b34ca91ee08abd52c7016f4e42c80236ef50c541cdf1f79f8

SHA512
835677f284e0a046ee79412077649981c6fe68216f0d63ca455f68be951226248dc6c3190342ca3e6a322c7ff02501b4626328adb52ad2d9c4ba710976b3f6ec

Download Submit
memory/744-777-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/744-264-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/772-205-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/772-325-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/1012-122-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1012-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1012-116-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1012-124-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/1052-302-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1052-784-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1496-788-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/1496-334-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/1848-301-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/1848-192-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/2132-107-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2132-128-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2132-112-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2132-126-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2132-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2164-195-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2164-313-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2232-322-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2232-787-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2284-253-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2284-776-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2384-150-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2384-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2384-499-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2384-6-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/2384-2-0x0000000000790000-0x00000000007F7000-memory.dmp

Filesize
412KB

Download
memory/2440-155-0x0000000000D80000-0x0000000000DE0000-memory.dmp

Filesize
384KB

Download
memory/2440-165-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2916-643-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/2916-228-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/3480-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-688-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3480-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4016-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4016-783-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4372-289-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4372-171-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4464-138-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4464-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4464-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4716-183-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4716-93-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4716-100-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4716-101-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4716-99-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/4740-141-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4740-163-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4740-152-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4740-147-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/4780-754-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4780-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4872-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4872-789-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5020-283-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5020-287-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5080-182-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5080-85-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/5080-86-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5080-87-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5080-79-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download