c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
Size

1.8MB
MD5

6c0cb5ee00032f385a96bcffcc5940d4
SHA1

2c14cf36e9f29766fac36bcc8b39b7b0972deec3
SHA256

c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63
SHA512

790b8eec13a0d040bb6ec4fb01fef043a54bea0f681b04dbae76584f488970987c1a4b3890fc1b6167ae36036dca65c7229abba99036371041947d39ecff0c69
SSDEEP

49152:fx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WAt/snji6attJM:fvbjVkjjCAzJUEnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
440	alg.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
368	fxssvc.exe
4268	elevation_service.exe
4836	elevation_service.exe
3476	maintenanceservice.exe
1656	msdtc.exe
3628	OSE.EXE
3504	PerceptionSimulationService.exe
2988	perfhost.exe
3508	locator.exe
4396	SensorDataService.exe
4980	snmptrap.exe
3368	spectrum.exe
4964	ssh-agent.exe
4216	TieringEngineService.exe
5084	AgentService.exe
4008	vds.exe
4160	vssvc.exe
2868	wbengine.exe
2424	WmiApSrv.exe
4528	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60aff7d392be0f3e.bin	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\spectrum.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\AgentService.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\wbengine.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\System32\vds.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\locator.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_no.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_th.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_pt-BR.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_ur.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnetwk.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_fil.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_en-GB.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\GoogleCrashHandler.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_cs.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_ja.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_bn.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_ms.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM3604.tmp\goopdateres_fi.dll	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000df81eaa434a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-114 = "OpenDocument Spreadsheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009df2b6a334a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000959f5fa234a4da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f8d0f8a434a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000b4649a334a4da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\C:\Windows\system32,@elscore.dll,-7 = "Microsoft Devanagari to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3680	DiagnosticsHub.StandardCollector.Service.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
3680	DiagnosticsHub.StandardCollector.Service.exe
3680	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5108	c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
Token: SeAuditPrivilege	368	fxssvc.exe
Token: SeRestorePrivilege	4216	TieringEngineService.exe
Token: SeManageVolumePrivilege	4216	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	5084	AgentService.exe
Token: SeBackupPrivilege	4160	vssvc.exe
Token: SeRestorePrivilege	4160	vssvc.exe
Token: SeAuditPrivilege	4160	vssvc.exe
Token: SeBackupPrivilege	2868	wbengine.exe
Token: SeRestorePrivilege	2868	wbengine.exe
Token: SeSecurityPrivilege	2868	wbengine.exe
Token: 33	4528	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4528	SearchIndexer.exe
Token: SeDebugPrivilege	440	alg.exe
Token: SeDebugPrivilege	440	alg.exe
Token: SeDebugPrivilege	440	alg.exe
Token: SeDebugPrivilege	3680	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4528 wrote to memory of 2824	4528	SearchIndexer.exe	111
PID 4528 wrote to memory of 2824	4528	SearchIndexer.exe	111
PID 4528 wrote to memory of 1248	4528	SearchIndexer.exe	114
PID 4528 wrote to memory of 1248	4528	SearchIndexer.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe
"C:\Users\Admin\AppData\Local\Temp\c85fe09cc15977eed43adbf2474f514e07e76a815da70d9710c6c150b8b8bf63.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:440

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2796

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4836

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3476

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1656

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3628

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2988

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4396

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3368

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:4964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4548

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5084

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4008

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2424

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4528
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2824
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
8a4f1eea75f3b9b05bcd5f3647a6ea33

SHA1
3cb8f87e32a2979dc3e951428f96e4410a01919c

SHA256
d1a24fec002c01ad6d2fbab0c29eeefa22aad019e59a68104cd84b001b9d5ef0

SHA512
6bcd171fd4cd64f751f69d8fc84968cfadb4ed8407e075ebc01ccc51664eb739a81fa2561f5d4b7c34f49e733519430552edcd922fceb61510659c8324bccd48

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
2bb4d58168bde46f059eb33ffab60594

SHA1
a319e822ebd75a256339f4ef5b6bf39c81fdf464

SHA256
ee7a69456c20297a2f857b1597da717529ece28d240d651996cfce438d6a8ff9

SHA512
9c58beeb9978f6ccaae89450204a3dc0fbb16dbc7611b5bc79211dac95f090f015f419c8e0b51dc262af56310562026803724fc605156fdaa94a1d815d6fde69

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
0683522cfccd67dbad4b65c72144b391

SHA1
67ea8c2f5a96e74b2e732c81352910ca39bb2832

SHA256
ea3d9b10eeac2f72cf9ebde1bd6a68b2cc0da91bbce85943ec2f28fe061a1ed0

SHA512
e2883ce4f16180157387a195951dbdf1ed42c5d6cbef832f8df00c797b7cbaaede9c8d18efd986cf516f057abed2b8f280a6cbbcf128e2125b6596afdd2adaed

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
135d0c9f363ad8f0245b038d70c92c8d

SHA1
4ab3035e0a3ca0268cae5387085e82985a45a34b

SHA256
be6f48be63431ac3a8a0e2256b2f5fa8a1a5422e705f3dcabbf21fac74143b4a

SHA512
309b6d4ef69412ef00f667ccd819289b4c9558e80e7d61ac96855fcd93a876dbcf302c61de78aa52c53e68e1add84e5f1a4e222a55858260ee2a32e952dd7b28

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8ad2dd3f3de8a522a0ad5a947354662f

SHA1
75a64dbf43ac15ff46490e9a93aa9c3dda0c77eb

SHA256
c0b6b06c7faa3b697afbffba38233ad95e7d7eaa5ac8f995c06b3d8878a5a287

SHA512
76a2adfdaa436c0b68d9d4a1714d14c9e28336fbfba22845d7333b5d778eed2aeb4481558ea89fff8a0ccd24dfb185ce8c7c50bdb808221217034f4cbd0fad74

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
7d0684deb451e56685b88c5f45e1a944

SHA1
a8c064098ff33ffb2478d2c7ae21d9b771fd56d9

SHA256
eb035a475be524466c1c1491108b95b10997ec803222e1351dee602c2cab3ddc

SHA512
8329726f3ea738550d1de4e33df0783a169a288e13a81691723f97be001473d6bc440243f06ce42e1b95a3d2aefa7d9534eb20fc3a1db756211d434373fe8025

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
ab46f91057f5f02510dbb2a1cf0721e6

SHA1
e92c1253d86f7161fb98f957ff81c182c849cd28

SHA256
3b1f13a447205d778ffc95f3b5ba151256e339e1c55a5a4eb6720e5137a25b91

SHA512
7b1e05c6ffcb5266dd8297d4bf4e8c5fd3f6e492ba555cb577c03c94a20ffe5fa637f27e2aaed4f2c524360acb6609fae6e6851d5986e21b21f9a57fbe2ed575

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
cd78fb775d508ec30b4e37869598334b

SHA1
a7c8a9f14d586ba2ea5d87f970c70aa85b87f887

SHA256
a7b9d76c9257e4b696e8bdee00d7dbd8b1f7918c05cb65bf2c484f7c9308c8f8

SHA512
2ef49726114475f7a6604623e0f330761f79e1d49ff07deb33cfa99c060a16a8df4a2f27d216e67cabaf05fcf22d161735c1f7d3098c735723e027d10dddff04

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
a4901aac51b11ba67d28fada735f280f

SHA1
543ecc8be564f4432ed6b8c55c9db3f829daa68c

SHA256
7026552d177af40a46599f469d9f2c54e5091c643bf4d5dcdebaa268b7038641

SHA512
027f2a2ab84835d990a3791e9ae2157632635d356ca18db70566b80e155dbaaab7231ae6481fa7373712eb91b3549b6fd6987eef8de732a53dc95ba2180770e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ac7c85639c2c8785b1a6cedb6e2c3cb5

SHA1
72fba1028ff39c8557f0c742ee1165d3bc6bc98f

SHA256
c7dcce8404571058f36fea89762354048339c87599825d6547167a9f2a1f6c8a

SHA512
3353c548b5f9583bdcf5def41cc4ed90d2815f813decb48cf6fade3f3e1b8fbd1add7cd5b43e90951d0b96c4654902f4db2ddd7145ee34b2d2d623d8174ec172

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
fe0901708bbc4f9ea9e6bfd66206fc78

SHA1
3772de2692114e003498bfb4dc05dd51d507d55f

SHA256
6ba8fe0a359427de68ec637367f23289ea8aeab1a3af43e2e73af0c27de117a0

SHA512
b90f3fd3b20de274277593adf800fabe4705f1342cdba1b5afaac9186ae1e0084d63025ca5f0aba40a10bfb7aec5e9124d92545829824bf8b81423a971955512

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
25d5c3c36467aeac146235402ae0cc3d

SHA1
fd08f6146f74c0ead6c153b4a18cd9eb01fa6644

SHA256
46ff70b9d52d6c0fee9b464b9840b7bc6f325251fe3a51cb24ba7dbc6ce22483

SHA512
8c64e7df6a3db2636b0c9ccb424ba58d43575ece414ea755a50d80d5e846f5568db882faf350cc426da6ee8b6232cc1677f1650379c517d391c0c904ef72bece

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
5f6509d0b2cf9c16dca26f989129e754

SHA1
00d93e908d90b0eeab105a7262a452abe8bbc146

SHA256
fed29c7ced12aa0f6227c3b38ea3593aa1539a20b4e39219c127fd003a542902

SHA512
4ae1f1c386d0c46161f0e26cc5bd9aede499d904dcaf867b92b1af58617f288b0901f2b3f0210220809fcb604d357a2441c25833d46d19eeb10c7fd5a8efa4ad

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
56b9788d097ce0898a60a35cfffbc313

SHA1
60942f18ed0bfabf4338d024f8af6d78876f4243

SHA256
dc9e7e734d3a2fa184692f2cb0895734a2c5fff70e321fb9a6db7f9cff51abd1

SHA512
00bf6645569d3a0269fc110f5c1547683658116872b458df0f491643145b2cee291f721ee86be8713aff544bd8f3a6ad59c079693f5f83e47a6d4604cf0918fc

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
023dbf4292c1096e1d4ff3c828505819

SHA1
03658d23223b87d3c690178407440c79e1b639e1

SHA256
dea335116640c79717d221368b28af585605635db65c5ae0d605a2d841eca1b5

SHA512
587bb7fdb109122d4fe3642cefb1dd2bae7b1fb065ee7f6eeb5a6beec254d2d0236b88a048b63fd3b08aefe1de7db223b51e256afc987aad5f275944f57910fd

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8f6f81533e55c65dd38ec4503f8dcc13

SHA1
6d2e2627133ca34d68875d4f726f7e76ec667bce

SHA256
624eae0135e283bf9ea6b1c1d4c104eb36e0db5d99a8dbc15d46fa27412ff968

SHA512
4da8e00951c05916130d267da97b1455541c7da5d9c7a965da18d3207b98ae7c478377258092291d4552cb8cf414313fde20b45b981555e444c3b0bd7a36461e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
0734e38b8cf0860605f524e53ccb2f1a

SHA1
b80d2e7bf9ff62e124160b0dcd7c64326ab0dea5

SHA256
5ccd2809364b32d4443028aac0dc7862daca98e699c11aeaead8927b994b887d

SHA512
7eba91e58e99ad2368e69cda66f8fd11bd6cf10d7094622903742450c3eeb3cd1a9e2736118981de9b8aa2fa88363d528f29a2317fffbf3b968f18cc28992763

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
957ba654ff0efffd0fad0e5a5113bc24

SHA1
e7f8d69ed35a447f69fcd5280743fab15ef65b9e

SHA256
0c348cfa6298ab1f06b13dfb5085f6dec5aa404debfef136702291b8f11621bd

SHA512
b16f57e9a8f10e16bf21e0a6eed66e33e4a672e7e2de9f29f3563994aecc39486b2ff4df621893e8c33da39bf922de7e7fa37216bb1c39280d3fc9b987ac8a2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
6b5f99ae4b53ff500d6dda5e2b7e891e

SHA1
87b145e8a899a950ae309b10922b7d9ce9ad8f49

SHA256
89e3ca0342265e3ccb9cf034dce8ca68c1f74825cb1f6a84c7d6983031a2ffc5

SHA512
a64790b54b4e472f3d0a31ef41641a361e91c916e44e3f4f01b37302debd1235e9690ee4c26f79b5e66af64364776ce74b12931d7617e47d9c4145764eb3ed5e

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
1f674f1f0a19fd5ee4b71bddfef3e3a4

SHA1
4e90b9e926a29ed657d803a203b35b8020238011

SHA256
a9f6d684b736d9b6ebd73db6112cbdbe17525d7fddf83c2549c54eb7dd31f0d5

SHA512
2ade37efd43427a7c183518b0ed0e3c6a0358c4d24f5da570a70b8daa68480055b96f00e8f45cf0ca5949291e5f61e111c9e9d57f52ecbfa6cfb5f6d496269f4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
89e164741f3179ccb3af6e8c3ba01c7a

SHA1
1650ae847e3a371be6e7a70d4b946fd8f56220d7

SHA256
77066516570341bc815d37caf278b607f8f9f93de6068921c839668ae8a8da28

SHA512
c45d3b3dd2a2ffbe3863e64ee77f8607aea157a143ed2ee22aba484f20a70cdfb5ad24ce78467948d02f2c40b4766c5a4f6e34b563e2fc4825ba9ae004551e82

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
5ea1d92a6761c8f85ba78da82cbd2060

SHA1
10bc81c36722e5b4a478415279ea39513d219649

SHA256
29820cd39ab8d0c405bc433a70699b2fab84109b1f6f1e1c599ae3046bbb0087

SHA512
c7f9b39f904f655994ff37678d8090bbb162cb68ff2c13c23f7ffe0aece088c162aa593b4418e2480b5217e68b60255872fdda69dfe107dcb4cc63da113cd4a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
c12b09c2585202011932c92916795f1b

SHA1
49d0502ac4e7c4d5e4cf60d4e20ef83741975eb8

SHA256
7a15c04b71d880495fd13abf896465266919343719883b17abb4c2ebe10a7137

SHA512
d95a24015f553b52a3f1e285b2a4868676b8ddb21dbbe000f9a6111231ea1b92e420f21eaf4edc87f7581e5beaa89a8c3f34e39424578cf057a436a34a8d31ab

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
c2fa7760f116e11bb2d7ee7f17bba571

SHA1
2d2a2cd5bb53afaac2dc1406cf52b6fc22eeda6a

SHA256
3e7eefb7fc3c879efc473ae783058544c04dc51a30ddea6eb1df90e1493c1d17

SHA512
e88254b4701809b8696e2f78aadd95b7d6712bf5e9d4d3bc8fe11efa9c39aff5d66e499a140ef6374dbfb1ecb3cabe25877715206646561e6ad41893f710c120

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
272f55414f938c75a05d7ac5b9899d3c

SHA1
c954677a47b003abc96bb7dd0c44056945fe6dce

SHA256
76d4cf21736ccf257a8e31553aa920f5eba03c7ca4aa96bc799bff24fef47fde

SHA512
6d305d639ca762b3db2691a3f4e782d75d5a7b12cf67e73e70d1419e68102e8acc942dc470271fb3d63ef86298e4a2c34f0d8a66ab520dde0e9d3f3a40d8c279

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
a3e5e203945a8f7c81b5ebaa79c16ccb

SHA1
2422da1138e0bce912c67c0bfc5afbf42b8830f1

SHA256
b1420a2420ef80f510c08b2e07c816d1b3ce1c42f1c06370966cb581930716ac

SHA512
a623d17a85baa2f00d66c4e21d94596c9685e3bb03eb020d4b5b9fee375bc46cbfdd316c63dad012c85ed392f746f0267bf1bd2e84abb928ba7267f594ede52c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
4748c47ec6d25440e8b522318e104f2e

SHA1
20eb8f4f5292e882adf2e123d619570e927e44d0

SHA256
cd42d87079fb2f24c2deaf8a218975d1529b4a8c882a4ae6bee72ffe2ce4e171

SHA512
4ce5b918dc87826f5f0d459826b286c637d03aa9621f1d9802c37b39a252b300d211d89f936f31593d018b0c11ae10130da4c442651852430bdff5f887d859ee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
48f8e8b48455836ccde4b6c9a6640c9d

SHA1
aef81ae81a064518ba5fa30e5f9b7f4530a492d8

SHA256
4b341bad55ccc34c4a269f15e1e01bedeebc6bf5bea3de84ae3bb22a24e46c89

SHA512
c2651099e2d0d88bace3e5ee7d3430d182f364729a1f8b90be63d70d94548a7aea4225bfbc03a83a2a4373fb727026fe4ded8c1876ce3cd78eb2ec36fc435621

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
986e8f83c1dbb32a027fd1d57033bef6

SHA1
312e62bfc0cbf175fba8de97e35a6a83aca7bce5

SHA256
5f08ec33c4b403d3debee476024cdba5b3ddea42140bcbce5b9ebaa7d0f9a2aa

SHA512
fac706cbeb38090bd6aa7b7a362f12586d0f277d24fda93f2bc7ba4d3a2f3a0c601b0ebf690a30dd583786655e86a68be864cfee7147f4544abd7a3bb7a0e167

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
238ecf431361be0d700af1e10994ccdd

SHA1
afc3f496c35e447d95f4ff8bf36752b6a0707488

SHA256
d3f01b285e79d3fb2745304dd66b0fd3f5b83bdc47cabcfc5be8d926ee5b1d64

SHA512
6f448cd710aba0c0fb4a8d9a432c09082cce6c53320b8ef24a7f5f955d9e56bddd9be4ef0fd3c20bdfe3b5fa54f559db828261f998561aebb2c93898740c1cf1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
42fcb7b9053125b6f63b4ae5d6a8678a

SHA1
9ded4bd10118213a627f7a82636002661db703a4

SHA256
7fb19e1d9342c829f154dc6eb647e2d04ed977de188cb9e909544c3f7c65802e

SHA512
da446a69ec12644729824190081dd4c7384ce5119d0b1cf8345ff28fdeaa55730e3efb1cbc5a4c7e3c4009e86acd7a94d37584f84e553bbf09c1cc3499c67b61

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
2c12222f4ef913df980f65697e96a015

SHA1
b88f51b4ba42b47b73e1ebded6205f1b4983a056

SHA256
030d63d1194312cd30584bc1fee3d3531dd99c721ddf725f4ca95f90957184ca

SHA512
4ddf6c867e075b67dfef7a9a0b037b41dd605d3134cea91fe67ab00e6bdf64377c682dc863a150a1771aaf86307f04c69375b8c2a5be81897e811fcade3de90c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
95d07f81227dc2e776065fdb4c4bef17

SHA1
b1d5ef4d5a21add2b58a21e78ec0a4f3423cba5f

SHA256
603e527cb46796fe5427f7336b806a7abeb3b1d63a5b74e70b3a5f72a4d58f07

SHA512
311e701f82360d9361961039080e80b7ecabcc3679383bb92bfbd01ba08815ed4ffbd475ad8bec515d2fb445eabfa7b56cdd82465579d1ba9287277dbe07d082

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
f4ff3eccca25935ac05bd93c7bf22a40

SHA1
edd7102590e1ac0a1627bfec02aa0f67c5db745a

SHA256
75b3af5de350521b512756d40b43eb4ed26dd745c2981a9a619c1f7689760414

SHA512
e99a7fa9fa02488a7048fa4623c4676e5c6129cf1a8f9c5de5b1aa0fdb4b04948dcbcf4e47f970b35a264ba7ea83367b71c0ec6f0d382ddda1bbaeb2d98e0e8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
a72e954676fcb7b7a159f08785764a0e

SHA1
9f0e2729596d339383b69a12940421c3dbfda793

SHA256
ec90ce32fd3e72e1fa876e99db45adc29bbcefb688ef62e41fea24fa06f876f9

SHA512
0a0af0a62cceac6cbdfb350cb57711cf0feda05264629ec16b7ba09d0e0e4eb4e712fd9ca1f49c1cb517d295696097e99628c63ca14e23c4421b640cdf336d50

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
313aa0e8cd5b9c055bd251234e4982d7

SHA1
04c01b8ede9d37dadb729d2e9bfbb9c17e8b1aaf

SHA256
cd1c1b62c140856e2a946368f6be8666adee52a84ee0e6a5f0c2a24faed91352

SHA512
4cd80a84a06525261bc79a9d13412c40cb6d1ada1276fceb2d9d53f6bf9cd0860f2663be373510256030639d683d699a2e817d8b0d679d6e119bd9d43103add6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
338eb7568022e2e89556f9a4d4206682

SHA1
ca0773f92765e186ba541869a083cbe2a99d9861

SHA256
b01c0bef57c70d5a7890c976b1b9433ffc14a95be9c61a058cf5389df4e7b8af

SHA512
68016765d293995f486d6ee39796ec0e872575eb17723724f76e3139d9c631fbbf3d46d9a6fadea0bc0dcf12144ac03dd93ce20bfd962a309f3f092834908f3f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
3531fc8e109b5858623c31093af35d82

SHA1
8b4013773e117bd4e1012bce2194192a5df13823

SHA256
194bd645e896055ebdb1eb5ab89321ded70dade1d6112184cd9c833dc28db4e3

SHA512
79d4df8ed0a48a34cfe8e82a14ed4736432a8237298575dc542937dc769eb1695464b9e5e875491bf94ceb765338fe4acd1a58fa94e3922b184835d9f525b663

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
6e32ffc7180f44c05d7c0871a8020f0b

SHA1
3d85c60417e4ebb1edd44e04e408b31e09a78681

SHA256
17f65d4e098ee065e79e684cf5e84041d0f54ddc95e7fcba109d019c38f31572

SHA512
d16328b7fed5cdfc4282ec7b691921eb38c2f9da4abb97d785605cb0dba5017bf5358fd8d02f51d243c94d91d58d4791cde01a33af7addb35fd78aa4361ab86e

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
cabb7ab1c81eef35d0dca5d4422e032d

SHA1
603f6118a42c2f4871f16c7ac6cc1ca9ad7989f7

SHA256
fad908528692dff5eab8d79ae51d814e4f48dbd89fb53c73e3780e44a4a57fcd

SHA512
4f65ffd3e6897be63789aa0dbff08c9708636b16a919fcfbdf63c4bb6bf26fc0dd32856b33fac898b913486e14cfeb4526b6a4211275b46f1b39b5f978f1946c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
bc74048f900b2197bf6bf53d15fdc38e

SHA1
224b25a89a0ffeeed030624ae39205c1b3db452b

SHA256
4b9b7dd956d89aa8921ed7ce03a8613b83c0b716950a754db338f55802212bb4

SHA512
aea4205b1f098ca453529af2c74c0b8a021ecedf8c7bb1642fe3b27f656398646306ad252c6c4104d2f69b6c433963b42086a446372fe42a3206b8124ae4636e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
951b609e642b5d39093a7d138d5c624e

SHA1
80e8d6fb837eee57da0f76875ce75ad1c17e9a6e

SHA256
1380b5965c1e912ff804e7d07afc2963842ce224f8e9df700323ee942b5e36f2

SHA512
9e62539f02c46db5e63ead5949800c1a44a84034edb8c91c9f3bbd242cdf4882cbd600f4ecd1e7a2489476f1bfa4571e027ce109ce96499584008e88c1eeae01

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
ec65dc6df455628920da4bc515e89116

SHA1
68c7cf2941d25739184377ec046a54314f935459

SHA256
164be17466f9394d28c73b18fd2c1dd54666a20c075bd5988d27c66be80c2ccd

SHA512
8f433c68319ec77bda6d422dee1ce559cb017c3327750d2ee870d35a8a1fb69eb3d66342c520b71930062d3645a1b99c51fc9d6654e780be794c934d605e605e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
388b009ce84c9d8ed97df71cd0126b7b

SHA1
3e0b89059c1d436cfda1fba9f4b0719b43eb7db0

SHA256
db4c5327ae53ef1ef199d2bd675e9e918b67bc1a5252520989d55517f8660ed9

SHA512
bc69524f5b6f43509e9da41a1825a96391a9b1137340f4f6b703497187ea4f35c76c13829b7f56f8e84b71b7cd90c701e78b76432f45aa8e87064cba27e1d6b2

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
c67c6aab16138478e720f8fdd92dc3c8

SHA1
16fb3fe67f64ce72fdcba8c386da65c0fc08fb1d

SHA256
aa1d655847f8783d3aa1e152da62ce66a4135f43e66dd071751baa028a14c265

SHA512
c96e9d7e6c92d0a5bbe02f0615e65e986667f2365b4c84b16b91fc8832a390a2949d2b9d0709fb729121eae227ded4a95da0568972ef46f5dde3e4e98a479377

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
809958b391995144270b34ae812e17a4

SHA1
314aba879ac2577968570911e8a28a32eee1459e

SHA256
9385846db0404fb90a999be804e684ab056cd85173b0151ced6f1665cff2384e

SHA512
5deaf919ab6a65763e67fb4312b700735a03153597b715774483092e4e920a8e36f6a6966be9434874b61499babc6263d075598720aadad505f0e7324830f2d8

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
38eee080a7d8b6c871567d5a7e18ccaa

SHA1
74f290661d1f9ae70983a58b1db4127963973773

SHA256
d950f84bee7bff67b7d72956e7015357e7fdec3369d343006957706a0abadecf

SHA512
dce5b41d93d443dccad1c2c01542717a2c28abe36ed663862a15af2fc0bf6fef8a647b02ea9b05dad2ccfbdfb3438a59eb21591dd40e0ce0d3b609ef3b24329a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
6937a809153ae78af5b5b525e52d80ad

SHA1
37bd36e3b5c4428685b3cab963b1acf38b67b54d

SHA256
d2903e6714addd479a1a56f0636a53a2d237c992be905d5e0122e9a120b20ae7

SHA512
a398a6649e4419240d2b239427c17eb1794c456a7f09b045b6164ea02f41b235755a585d5d23e756f29b67ff2a907a2de8d265b0f22ca33ae4b57055297870a7

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c151644c8a4ffdcb2826de08f81577e8

SHA1
0ecef758a69503c398d7354d508052eddcaeb12f

SHA256
5530c80c2845314d226a9366ecc8cd16c4e5d68c4a70b7dd0e0a1105ca8ec891

SHA512
c78c8889c613c4cbac964878c3343632bfcf130275dbea7b9e0ea71a9daf4f6fb724b01018a38b2e8d2c420073142f4b06f72714a1647b5e21e4b885bc3a6141

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
481ccb204ec2ff827dd728c3ac95b45d

SHA1
84b2353384ead7b545fc4879ccb9772327874f52

SHA256
f6cfaaed120f0844e635786e3754b3d01758103a8c4d5ebee892cfb68bb2428d

SHA512
fd038896c657272c8c0711890d576e1036f49887e36ed7181b4f517b6f2a4a52c474836c526782b5ebadd85588a3ce63a1970537cb72dc4ef22ad3ac8d70e013

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
2e27e910b5f6ca61b2a89cd744f13c4e

SHA1
ba3cb790994f969c97ff0c08a4c7cf02ae1dda7e

SHA256
764da85ebc9da586005b7f17d4130c3cb880724b4ff7d9f7d4b2b7720a2b138b

SHA512
4a6185eb831f4096ae470db09562f764cf9ba4618d6c1528fb714918a42f871be8bd52a3c0e20d8d2a5d35eb8ab9d65768a0b711a2bbbfb711e8eb51c30379c1

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3fb47f790c67a1043fe9832d3d1cf376

SHA1
c8cc7767fd0882a11a95e8842802875c3c9dfee8

SHA256
dd9e9a776732cdfff12dd8375f160629f4773c432e1ddba894786bb1fbfdb300

SHA512
62e2a4767ba11e1c02e77f9aedade266c2439b6d80340be1c79b933fbc1854a64f2f94ba1aee7137306329a5277f81c6bc18c4f2367c047ea706692ce70a3bde

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
1541bab73187a0800c6da63059035ee8

SHA1
982e7cbed9649a3fea65a36ef47fdff7d27ca219

SHA256
4447e7c5d3cb96912d89915af4eb4bb5c4b8c785ada085fdd4ce9c5f1babfd2c

SHA512
302dfa6a5609eccd2e4c9bdde792613131258dae7261061e7411a2a226e0e17a850f5a58189699e765ffa0413193c4d98b339ca5e284e3c4edf9d5efbde16dfe

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
b07ca732d1f5836c1d032dd3c0e5997a

SHA1
5cc5a1cfb77254810ffc62f83ae3156c9a20e058

SHA256
a8ece154d996a206fa09cab4309fbecdf3ca6305d2f36c781c5e4b43684a3588

SHA512
d30899736e2dc94f6e8cc5e6b4dc287268f70f729091c13ab65458df3fa1d7a0a80620355fb371d2bdec4c9cbbdcac4369986976b7a5f1a720d7948276bfd94d

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
8e3b5d10d84b26a88a80bf21bce7e749

SHA1
96895e0de689a6a2be4088759d61475b4a30a981

SHA256
79e862fd13e1721c80e3cc931bc5f7f8a0d2d7f3919936fc41ac3fede62de6f8

SHA512
be49b8181ee2c60f03413ed291e8488107c5443bd2b278cb8ce199d1515086418d38dfdd3a1d95de76f1cfeb9472930fd8ca732fda7562302cb5ae3113e5ff2a

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
2819c34531d4dea1a4ff3c264d26c0e9

SHA1
fe8a579e062dd489bf053d9e18d4ebf2801bdf1d

SHA256
d763b903811e954f992d5c899821d43ae3e226cf889a9131cbf591aa3278765a

SHA512
47ea1c73a22b72e673d7e127afdf87a5a199f42fdd93c6f9ab426c033fc6ed353b0761d5b859b308dd6537befc761046455f188ef20eb6d98c88ba0c11dc29a0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
2e69fc4e80d16b1387bc4833f5602236

SHA1
bdc4abc598548e7e61e58cc188e797dba3874ed2

SHA256
dec8355d093cee75129781eff3f025ddabcc668ff6cce032312f47e68c0fe6c3

SHA512
4fde7fc0284280783ff67ba09b22882ef044dedf1b8422da70a42330572d46aaa3d9796d5a0cd3f0b166a55451fbbcc2fdbf89493c6ca1380947d42e182ba924

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b047c7c316b7eaa6f9e6e08ace7ac522

SHA1
65662d1f5b494e16e2459a4c457b48ea58e4e6ed

SHA256
593a8f8fb2bda871e8f90b0069370bb773dabe9abdb46b8484a138c9d0248035

SHA512
9e1fb8dccfb09a3215a3655fcff86eb461f8a13c79edce2ba8f12727573f89a4c14bf78db1522b7fb9c00adf48322bf4556d0fd1b38c88120880504d0215a89b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
c42d290c5e49c8779bde2de0846fd6c8

SHA1
034931a0f1ebd092a284f96be01bce175dce67da

SHA256
865621d4c900f16dee13b8b58e2e60ca74e8d0fad2e26cc6ef525a51976be7a1

SHA512
b3c6038f260f5734d54a67444fc3fad27e65b10938d786a829b0eb3e92e770df82b8685bbab2abed647f74319ddbca5261b9c911a93abf9eef5a9069aa0be9a5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
2c5cbad6d7ec6de5e166f755bc927c64

SHA1
920a78d3d56a53f07ca566f22bf2c530acbb0e43

SHA256
e42702f5d40e7e4cc9fd6c08273b813f3d7ac4712893bdd76c380804ba5cefe7

SHA512
8d41f544deb0213a99f2d686971cccdf5d9ba5300fe2ddf917e48bd89c66af677498e61f80525f298e61e0bdde4181334eff429c66e3baad5963449976b650b8

Download Submit
memory/368-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/368-129-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/368-106-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/368-114-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/368-117-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/440-65-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/440-173-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/440-57-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/440-67-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/440-64-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/1656-158-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/1656-159-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/1656-284-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/2424-336-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2424-737-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/2868-324-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2868-736-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2988-323-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/2988-196-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/3368-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3368-689-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3476-149-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3476-143-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3476-156-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3476-153-0x0000000001A80000-0x0000000001AE0000-memory.dmp

Filesize
384KB

Download
memory/3476-151-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3504-193-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3504-303-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/3508-214-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3508-335-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3628-180-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3628-291-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/3680-102-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3680-94-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/3680-100-0x0000000000680000-0x00000000006E0000-memory.dmp

Filesize
384KB

Download
memory/4008-292-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4008-731-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4160-304-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4160-732-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4216-273-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/4216-730-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/4268-125-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4268-119-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/4268-240-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4268-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/4396-727-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4396-225-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4396-340-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4528-738-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4528-349-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4836-261-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-137-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4836-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4836-131-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4964-262-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4964-728-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/4980-534-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4980-237-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/5084-285-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5084-289-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/5108-142-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5108-540-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5108-5-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5108-8-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download
memory/5108-1-0x0000000002340000-0x00000000023A7000-memory.dmp

Filesize
412KB

Download