0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 20:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
Size

1.8MB
MD5

27641c1ef8304b1bc212e086ee3947b9
SHA1

d6c46ceba62fb4ba94a949955db5fa6b1e14ee8c
SHA256

0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131
SHA512

0489feac5c2c7b65c6e8b6aee511f091d3d9ea62f2d8afec2e74fb850ed5897e79a1ea95e83b665e020d7a390d3c34d5727e516129868231b41d69fb0c18c33b
SSDEEP

49152:/x5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA3/snji6attJM:/vbjVkjjCAzJ+EnW6at

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3060	alg.exe
3452	DiagnosticsHub.StandardCollector.Service.exe
2124	fxssvc.exe
3836	elevation_service.exe
2980	elevation_service.exe
4684	maintenanceservice.exe
3720	msdtc.exe
4468	OSE.EXE
4640	PerceptionSimulationService.exe
5068	perfhost.exe
3660	locator.exe
4336	SensorDataService.exe
4948	snmptrap.exe
976	spectrum.exe
2396	ssh-agent.exe
3968	TieringEngineService.exe
3056	AgentService.exe
3592	vds.exe
1844	vssvc.exe
2628	wbengine.exe
4800	WmiApSrv.exe
3904	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\System32\vds.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\16fafa71bb5459c0.bin	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\locator.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM421A.tmp\goopdateres_id.dll	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM421A.tmp\goopdateres_de.dll	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File created	C:\Program Files (x86)\Google\Temp\GUM421A.tmp\goopdateres_th.dll	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM421A.tmp\goopdateres_gu.dll	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM421A.tmp\goopdateres_ca.dll	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM421A.tmp\goopdateres_da.dll	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_97390\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004aad220f4cadda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000075ba57114cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9f2440e4cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000038b92a0e4cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a5675a0e4cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000afe5b50d4cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a3693b0e4cadda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000573270f4cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ec83b30d4cadda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.DVR-MS\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3452	DiagnosticsHub.StandardCollector.Service.exe
3452	DiagnosticsHub.StandardCollector.Service.exe
3452	DiagnosticsHub.StandardCollector.Service.exe
3452	DiagnosticsHub.StandardCollector.Service.exe
3452	DiagnosticsHub.StandardCollector.Service.exe
3452	DiagnosticsHub.StandardCollector.Service.exe
3452	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3496	0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
Token: SeAuditPrivilege	2124	fxssvc.exe
Token: SeRestorePrivilege	3968	TieringEngineService.exe
Token: SeManageVolumePrivilege	3968	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3056	AgentService.exe
Token: SeBackupPrivilege	1844	vssvc.exe
Token: SeRestorePrivilege	1844	vssvc.exe
Token: SeAuditPrivilege	1844	vssvc.exe
Token: SeBackupPrivilege	2628	wbengine.exe
Token: SeRestorePrivilege	2628	wbengine.exe
Token: SeSecurityPrivilege	2628	wbengine.exe
Token: 33	3904	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3904	SearchIndexer.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeDebugPrivilege	3060	alg.exe
Token: SeDebugPrivilege	3452	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3904 wrote to memory of 1204	3904	SearchIndexer.exe	112
PID 3904 wrote to memory of 1204	3904	SearchIndexer.exe	112
PID 3904 wrote to memory of 1868	3904	SearchIndexer.exe	113
PID 3904 wrote to memory of 1868	3904	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe
"C:\Users\Admin\AppData\Local\Temp\0f65734f62cf8e430acc9fcae49bfa13146beabcff598378a30231e5dbede131.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3496

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3060

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1792

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2124

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2980

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4684

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3720

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:4468

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4640

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:5068

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:3660

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4336

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4948

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1832

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2396

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3968

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3056

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3592

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:4800

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3904
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1204
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
173627e5d4378195b064f0cf9e17a175

SHA1
7b1f554666a05536e25f03bfda388c6a3c1f145f

SHA256
c865bb40f72bad77bacf607fcf8791f282f21f84830df8b0be42b727761f47ac

SHA512
457caf5a8342b14d8c7e3788186eca3fa1b4c74ba74f64f590946ce05a00b2db6f85cdfde985fb2cacdce7b4d5bd00df1fc6383ab0a53cf4858de2733cb9d9da

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
f37c8ed6de8ac4274799bc5292408aee

SHA1
3a7f15b38c5b45f50ad7538fccdc5d3fc358f581

SHA256
e89240af30ebd249ad29b8ccdeae814712914be3082a28da0cff0c1d3bc2a3bd

SHA512
570b5b887eea12cec9d7ea1eaa40004b2960edae1b0570c39fd940218fb0b000c5222b8a5e89ec585c3f1651d2b77f50d78ae71cccc08a950ed5e4464f5ce35f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
7dd565dd5c2c2f3fededb1ef306124d1

SHA1
a3537efe657eecb98887acbdf37a8985cebed9a9

SHA256
6a819496bf23c48740bee146a8b5aae5c1212db453897579c37543bba2c97701

SHA512
461197fbae2b9de21fefe5c0cd58528a6b562698b16ba215c26cf3321604ba4c5a9a407f804ad4f9a11b98b34420c4c148fd81c6f95ee3b587fe89d32ca8f64e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
d5feaeb1583e9e0727d25498eb40e2df

SHA1
82f1d23c3f5969523a629bf434a67042d79064d5

SHA256
a74b1c9c5b9a6d7fb614e69e993ae76ea4b9f3adb31f4094f9501d2e1e41e04e

SHA512
1d4c1ec3fac00e2ec6f5c56b197c360ca2ad65a7b2477172a89269fd5ad1e09b56886ef872ebe0e5e90849587273e03dafc923cbe29afdc2a10a647e87ee9fee

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
0d02711eb3d666b05f4e9f4bf6cd841c

SHA1
a54d1882ddca1c54c13e8a8cf7e4dd5783ca3588

SHA256
ba716d8f81c571f606576ff0a7c7001f73b089844123af2df9d047046305fd23

SHA512
997853c0158b352721eb0b046a8b642df10e188be6bd9800503f7e4784586dbf4ba1eea4f6f19e5f685a0b5d7cda9b3f1a1015cf8163aaab5eee0f1e0a43f711

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.4MB

MD5
dcc8bc7cbd6f92447d2386b8294bb143

SHA1
ed2896b87b0ccf026544deb21155f8bba28e8d57

SHA256
ede48c969f4b822173a4f755357c73b92b9a2c358d0f28b6e294b67c96cb5e9c

SHA512
820b69228d5ca720c6805df97259c6de4ef58b342b4d207afc60c932e2c3d909cedb5055845316580811e6343540a32cd40761ec720bf8154d3c1580ff06508e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
4a702c532b36d231527d7303da823bd6

SHA1
1a903c4dbdfbfa9ae2548e9a496a99acb2ca423b

SHA256
81e1f198932eab7a6743c644bb17ac3e977b44ee82e6efd25c9f8627a6583dd2

SHA512
5aa90551255eb27e8d6a09b8aa024c93bffc8b4ef137cbdb9764c52c9db5fa3a2a677b5558aa1d0401da4bc9af7a779f3ae89a950274a137007bfaf8b6d22543

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
2dbf01b98fbb276403ad79dd26d5994f

SHA1
49522f0ca3e274d1282e959ddc7cdb1817cd6cd0

SHA256
e1a23aeac649726bd7968909b405268dca5dc49338cf6836e8cc98aaa71ac581

SHA512
713df4b5da497432bae23811e1a07d2dbbbf79df1bdf1d186a53e4a22497c97b6fd6aad358d467b164f5f74d4daea7eeba555361c7664c97dc34f8bb3425c3d5

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
e62f5bfcccd627eb17073c11f7a1d8f0

SHA1
b334ffebc3deff53b0281424b966995b37fa9679

SHA256
be0253a4488b9842d3542018612fe8a9e6e8caf0e63c8cecd8f241b301e0373a

SHA512
f0ac2f9e26c3324e9c56efd921a9208b01505cf111d27ab07f2ebc8e44c5b1085cf6bf5339587eda49537ddd37ccd3a33ad0956fc839ed0ae0e07be9ee111267

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
ecc74318ec064a374a568507db9dc7b8

SHA1
08a4b931649da1d20ef885de646c30df561b3cf5

SHA256
a4cab93f430376baa0a4f9b62ab033b33f4ce0d571f0f0adaee3aaa6f11356dc

SHA512
90a3ff6bc968adab129164f40f2ff9f82439b25bde3b4bd74857e3f1374cf783282e41c234f6c99459ae281f1ecfd4768afae1e8c1bcca94d757120ba6ff8138

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
9a0b2c65ed19a86054447496425fcfec

SHA1
0594b72d5d2196e885117c2e503e691969fe8a0e

SHA256
eb34f8fd4eb58202fbc8b4b94ce2f49ca5663a26fcaf5f2886227a6344dc3594

SHA512
aafcbe0c950830431451db70a294c2f933b5ad6fac8787d0f52f8561a870cd0ed29cbb2054313ba7831db5a34f3b1d3140ccb123c4338086956412dafd783cce

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
558c57243705798fcd97b7afda027499

SHA1
cb17afea4fbcd4603ceabe79e8804014aa944488

SHA256
ad23fe8e1643793e12033e6071fda8b24ad2f5f3d98e278800ad42c21cc378db

SHA512
9613ff3ff35ebdf7c85b037d8c7f554faca83883c011a12aa87c81f386a901862ed0aa510c0b05bfddb939b1c28d50b8f8d03bf095b13a0de3cd137109d60b97

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1427c6e768504d83445315c2b274bedf

SHA1
0801d50dc1aff24c38e04f42cdd87dea7e670304

SHA256
1b4acb168a5f9509206104c60d873443fef9c7fef32c4cc15fbfbf29cec24f25

SHA512
fd240cc8eaa7ec65200fa96ecc3b1b8f10c9877e0b44bd1c63d9fa76f87ecb7a3165227802853a5df2781c0ce47d5a355ae8f3fae4b90186e84a06150dc42c26

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e0a62b6b1725d7121c1bc59584beef30

SHA1
382e52a4917c9c3b432b37f4c46c5c1c0251e371

SHA256
5614e0bf8e11ef2b677f5dda68f78fce78fe02a32b92acaa4d9c0bda18cf7219

SHA512
efeb67583952fed2dd7009d788b84bb626d33eafae38d81bc3ddaabbbb888891fa0e5ee37e419896594b44b311b8db4cf11844ae8683fd1f8676f7fa31c246a2

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
7389c34005afa1fb5c4e47148b8a3456

SHA1
935d74f3508acf294a1d63a9de1a49d01f7d6111

SHA256
d5d85e269cbbeb5ea7020e5251ceda5d755abd79746da72e962e1fa8aea12b1c

SHA512
2a67219adc43294f3b1184e66cce71c56a7ac50c331d29da66e3878cf26f7013e2821c816cb8e23fdd7f4a49f25c0dca5b01b0910fa486d11817f7539ace6707

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
1fc60748ba5fc9012b728dfbdf785337

SHA1
0f3e6ce815f1e733017e62a2a8722e4bbf58cd37

SHA256
0576088be717516af356cec90eaa78d95bc8004bd0013daf8119856616ec4d9f

SHA512
eddd37ab75684c3a57ca9876464354672e9146f83214e1c1ef9cd5f3965a0819ba39f73f05a0cc71272736555d30fa5bbb1c98ca9500261d5f5f02919a5fcc6f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
e45492f07ecfd009e6d1f07552a59b15

SHA1
577b412d1a50f41cc772ed56499a672d7edf1304

SHA256
a0e0a719fff2f829b05d90f0b3a0b1c551d5571d1fff1e60cc1f70509e954bc4

SHA512
31271fb51ceddfb262e9809b7c16ae24584aad3fa4b0eb76d7788db8f50c2dc1705788051e5162ab20cb309656d94e33840db8253fa0e52d3cacb13f820d8657

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
8e4f995ccd3006687de2d04f0ce3c7da

SHA1
00071044cdbab397a747cd5c540c67054990ee07

SHA256
5ace12a367abee3eb07542540a7a5a216cb96f5ee0b800533e330c41cc763391

SHA512
cae87683d3faf947f927e91f2696870206cbbc35538247b491dc8678817aed4d6e1c61ede001290d934d8fd9cd639531045a5a7fecd022250267e34392a7c9cf

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
8182bbe14c73d3667161931242ebaae0

SHA1
a17190641559a50cc7942e72ba3a04c7f6373643

SHA256
d61903fbab15044f3f6e3f37d50a8eb1e2ce0dbf046fc1899fd7528483e43723

SHA512
5be2b7b534b136e5afb1d4f4d58daf6b5a3967ae254e706fd919ab5df2cf59d1ea9332ab5e11c7bf25428a7815cde71df519e268d3d648216b58644b2fc0a4eb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
e3c5503443c23d7ab4e713f1e7e21186

SHA1
4cbbf0685a6e34cdc11cede35b9ac7b79a545e23

SHA256
8aa0a7a3ca7a02f1e6c9ba8fcfc894ee8697afd48e3b604e1a02921bf78c1ecd

SHA512
4bad02b0ec2f18eb826591205811a258043edc24733156dade47bd7d9e208784e622f8ed5bc55f7261a647fc3340d9e9389cbbea4f50e393aba891a9abfaae58

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.4MB

MD5
fe4b1a4e2899982337fce5831c989b2c

SHA1
6688f21a710c5b970b1e387215f428f7289d0ec4

SHA256
3e34359bd15a83f0a7765cf10ef78a904f4a1a1fcd4727c3d5c78d0ff551616c

SHA512
0bbbbfdaab512f95ddeec52a7cea666f35c1caf91324680bfede92f3c562082615a7a3e0a2c5509ebd32861bc107c9149df45f6262c2fda39ee1ef1d81650609

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.4MB

MD5
92b841cb0cc88aac211e867b84ca4c08

SHA1
b71c999b720de3cf2fc7092012b8a66b199da6fa

SHA256
e2d49e78508c92b9bbfc9cbfa48b5b479a7602e578beb5c4f3b1f29c4ddbef6a

SHA512
cf96419130d9586318efac13da4cd26726f92e2f605d62c5daf91821ed2c6fb9f3e2ebcc5c71526f6da369f5322423d16f70537a03f458b6445648bd5a28e5f5

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.4MB

MD5
5d57c1302cb558e4471fa84afb683bea

SHA1
5074d251779d21821972a0f96a225c164b7f13fa

SHA256
babed9d0396de7ae3dd46fe6260a778a6a07a053e86180757bacc42c4fcd5fef

SHA512
416fddae695c9de7066937b4546ccbbac8b42c0c3b35ab563dea57bab488a27c7a8008dbd57e48a68987b46127ac6246cd15fcf0ba322867012189b12977111d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
a1ba1d81bccbc8921cc786ee708341e6

SHA1
98b75111e648fc186d24006e3e7ec6c31f7b3ab0

SHA256
a256505ef0d31245f2403f014d9bdf5923f1a1eed324882c90a3b562b72d641b

SHA512
f959621982c4df2bab1b45473c26436704bf927afa216eb039498a37cf19bcc5757c36d160ffe3f6f45d50c6a1797df8245057cb6a80d82a2aa96fe1d65cda39

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.4MB

MD5
bce0e0d9a7507a67fb54bf91050babee

SHA1
a40af0382e3fc67e486e443afbc1f6f522853afa

SHA256
e937a7f5675bc8ab9b03015c5e2a5cb119ae3eba6a780e85d44304581aa7bb4a

SHA512
f912f01a90e0726382adc7e3fef6b04b47e97ea3258082d8a9459a7cfea834f3eeafae6b5df4a2b8c4978dd201ce42aeb9e2cdb1f805859ad502b94a07b2daee

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.4MB

MD5
7af9ff595cbe526135ef2d597b81b6c2

SHA1
ff5639af1dc1548a8f0d61a60fd659eb6f733d27

SHA256
ba43d120eb5adcdead699a9c55b37322c65c182dacc9dc86cd0400f3eafbbdf4

SHA512
cac3bd1a00bfe473a0a81c73012c84e3d84ee71ea7006277b59da97eb6feca1a757b39ba9eda3bae0a61e9d2219a0afec283e70b5632f4f7e5344a1004bd214e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.4MB

MD5
375bf99e369f58c20491e94191ff3f3d

SHA1
d92a79803c5f36e08cfe44d14e0aa7c28a76e158

SHA256
8d018613e2fdde9bf9e609abdc2b657afa6647d81413abb1a3e5d120b7fa6ffc

SHA512
c611ceed4425bb3c2a4a465b2c1256e1eef17a2b118356bfeb0ee87a0cded52fc64f7af1a0f736072e68ef00362b2fc88b712259c1623397e0de04108670f2f9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
983a890aec2b01ce3fa4495af55e8361

SHA1
537ec1fdc9fb6003767be5bb52f5b70f5583bb28

SHA256
c99b28036049c3aa45682e7d2a39dfc24ac4f880bce0da1b680af053cec4ed5b

SHA512
e2319af9914d42844b0bef59e329f0be9e900772d2d58a88cec6e8aebe904d6cc8f6a7a7e65c2d9f850f89b52f48faea119269e618ca9bcc82e1d7be356dbc93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.4MB

MD5
78a4f0d93bc5f93d8322ca61f3113ac9

SHA1
0baf17f8b74cae676a965b4860ac85bc3ac285f5

SHA256
f21254473133cab1f09e6170744fe2e5f510891e81946a5a9286e84c490d7a82

SHA512
62f2241321350a6a7e33a8810d6bb4114e2a9074bf09ad14203173f2a41abd6da9274d9916557d97f3d89436a095f96dd7e66e210f00a13b993ec3aa469563a4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.4MB

MD5
13095467c6a24a19eacab61a1bf527d6

SHA1
a6d394a84a20550ff8fc958561e92a36931e7bfb

SHA256
c291b1d2b22bae3e2d18d6317b1208343183fd35a86768ce9a5bd7f03576e07a

SHA512
d716e919a4b78225570dd2135c725ffa7f5514f877b4cfa6a186d4f9478c481de003baf28a4e2e784356212ed9277e02a1790d4091828fc439a1571af36380be

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
d1ce6d22686c272ed31e3a498cda4530

SHA1
2db74daf6cae341d5897e8c6c0dd0d3baa807830

SHA256
6c6747d9a3f791de9c1513797485d018fa00a65ac5ba584d611cc6b17669d5af

SHA512
12dff53dae8d787d4bc118da0bf6f33cda1e7c0db102ec38693d41c4fe2d3a4fa1be253604346e651e34c33390692b15dac341f68c9fc092cb954f3332a12e9e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.4MB

MD5
f15753cc8af3427714599f7dfc266617

SHA1
1b86340a8d0eeaadfa6e75e39b11ef1ad71e7a4f

SHA256
1fab72886aaec21ed6d24f2d973ea72d9ec7e0668988c107cb08d1599c7e8703

SHA512
42f7097817a89cf4438918952e3abedae2e08eab8ef49ed288f780176371a40c11a9647996dd9038265721def71d6d18fde9378710f08db469a355da92c61a51

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.4MB

MD5
649134f44a79245f1958870587553661

SHA1
99de47a0ecd7e39b4a5aa03fee81cff925bbc367

SHA256
10edc2ec3075d5ee3182762b869bc19fc3f74e83533367dbc5ae89d64dcc8102

SHA512
398ed5596f88c0c2700bad13dec028c40fd977b787c39a34daf4cde25d9636e843a48c70453d7b6921ba9020372c5c8f7b0ebe35f18f58ae71b0349871a65fb0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
2d8bb577e6c317ae022d0afcd66d9f0b

SHA1
3c12816042c5974c4d263879f96ddaf44b7ed806

SHA256
d5f4f6de78653ebc72e622486b67a727d1ee8a071648c16868b8e07a8963db60

SHA512
cb68e55e28cbfe9ca4290fe859e8cd80694c01d40c872fef7bedffdb55e2643d6e05b23cda8f8cfb96a473ce1b99039146281be9678de28b7f1f86c2fecb3a7d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
58750a4c99fce25ee3b93add97c4310a

SHA1
1704ff83138b9f9c73d34dd71b192d1b9f1eb89b

SHA256
10b2b7346729c83375bedc46d89f1b4de2fac3b7893f243ad7e35dc9f52b759b

SHA512
b97c13a665d24d75aef946ad07e1832e0d725deab5467e0c3612e4c231f707346f294b0b97640c475ca2864bd5bb79a53bbf666e721d7083a4cf0137a4be84b0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
7cde75709634516a667eca7cfa0ce5ce

SHA1
93c149824b91249e893c61cca0df57ec62178dc8

SHA256
44d64c9c60d5cb599971398aada4744a156f75542ec72eb1d0d2d9ef59db11d2

SHA512
36123767c6b87ffe6469c5c5f5ed22726f62d7a6fdfcc6597f998d1a05897ae7542a4a6fe60b618333feb54e257aed5f9a5128ac5b5b84c830ed62a9b210afa1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.4MB

MD5
96bec2fcc5321a4ebfe499ab78366fc3

SHA1
c33d66014d8f1d76d049fa7f0b3e0a56e7546005

SHA256
b3afad1dde3bfa777983dcc6b232519ee08212d498439bbfe25833ac33ef2243

SHA512
bb195b435bacfed731aa874081772418417fda7f73e3d66526f5fdce6b5ac57454e2e2759012a802a666a79c1f215b58bf038b71f4adc400620e42324586588f

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
8eca4bd3d075bf519ce75a2e35ac88b2

SHA1
f64b9eb1330bda35b98bb6a495aae6c708c2a521

SHA256
b8bf96a444bd1c9ba90a6078c7cdd01251b39626e479314d8ae927b77eb1aa84

SHA512
280ae830a908a27831a3feb3dcfdd8d8b350b4fd0d715ecbb1dddbd839e2a246e567cf21e59cdf1352a746575798ccc97d6ded4a5548f560389a998daa5c314b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
791a5aeb9b85531fa3731717e999eabe

SHA1
9fcbb99cb64b08730455d4bc71d83d484b55db64

SHA256
cc9a4febd5a6c800331bdd122c561da6f2b04b3b7b04666a263c832294f24177

SHA512
ce77a70ac735583040e36ad7b396ffde516fc6d6e351b5aeb2833094bf0ee77afb66232d1e86a4ac34f9d23a8909a28e34b06325a1129ca864e6210a3be1a798

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
86bd455868953eb51635aa2440f65bbc

SHA1
cf9f176f016177527138cd33e846beea7275f24b

SHA256
cec8c0b00d1ad2a5d778e59baf2c99d585a4e502b880b875d32c15f4c88bc24e

SHA512
f6b920f5fc40c3f40e86a462ee8a6e227fc55837bee6b6e5d34f2faf99ff39f2cf9d6347b2a46d2151577525e11b5db41b9439bdb969009e559df59049fa4e01

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ccbd11eedf31929f33d5da3a078d2c49

SHA1
581c38a276315d6513ef0202f21fd09e545288b4

SHA256
36c8dc8263dcb1525ca733c9f191ee6a7e95fa061413bad765aeb64b389fed36

SHA512
6016bb9a4115021de8267f91edcdc1a700941caa8ec3290846245043defeb4a8db51ee7639fd2da9cfb14c1ead6e8d50179e9917dcafb2a2f7046edd2b8d59fb

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
17db46e315132f8f7b69583e985d0875

SHA1
a358509595170b813a43fc975eeac5e01735ead0

SHA256
58339fa29fc4f5d45223f11d9bb3209791ee2e0675d660c3526f11abac8b0330

SHA512
7739742ce9eed7bafe582a6fd93e62b754eb537ea42b4b7b3f268bb9d384cc62180cc5d16caacfa46a4dc3c40d46966960b3b74deef6641456606b9bacdf9d5b

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
030fa6123cc7809c13ef286083025046

SHA1
06340af69699a6875cab4dc30360d48da5934a86

SHA256
332d877b2948afb32cd042d34bc72839c655135122c19310121d54b013a580e6

SHA512
a20e425b54ab0074afea478aecf8c3abe525c4b334839e2b0f02dec5d502fcb750743d3df6c82dbbecee45611923f669236bcf11ac339b46f81ca7d32f2c7b2f

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.4MB

MD5
689b01033770f535ab6334c16819c7d3

SHA1
d8a2b40f507296d906659b9e229764dff1018841

SHA256
402937749714d2954a7c0ccc870b322190d2434463c27c142f7b193f074d326e

SHA512
ea2b126f9fa85d951e5785fb0d0005362ce9da77ab43bfad1e9aa8d976e1559aa79d0a1db4ec1166cfd20a610414174d13c94b35ac4a79c9cb4422aa3623dec1

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
17b8706caa318d9346ea0ca844b3d74b

SHA1
398b79369f26ae0695f0bfae401f4e5d98a47ae0

SHA256
2d90630c5ec556d050a60c2f8e0d0ecfeae86c573bc7ef7a4f578235e3bb228b

SHA512
0f47cf609c3fd18b558540d1a52cb7ba1874e25bfc09bd6c9ca77dec656efce0d8bcb449547b4d566a3c18be1cca9902548287730a70151fe3c19e73a6c40b10

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.5MB

MD5
fc682ba86f436bee48b1ba5d0c24a7f2

SHA1
68b9918ebdf1782f6380bb03ce228d3ba49c172d

SHA256
a70331db5813be1111c2167104e0fb6adad1dd37715a2a15f98aa2137249aa9b

SHA512
a7e887a73c6d036b0771b3ddf0e66f4366467a5fb48094ce209d80d5b542d72df1ea14ae00d3c9f8b9b214ef525123e1dad3a424dca21b3688be595e5c17b7b5

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
258285cff576bf8861e3df026723ab59

SHA1
9bb70c986fb6047f44d743c34caf8fa7f4a44231

SHA256
1c4d50810e2c2b5eabd50722ee57252eb8f02ead4620959ebf78c21a9befda38

SHA512
abe68adc29ff36d1c8323996be51b4a3a3adaa520137081b2866dbfbc339dc2400415c9ad5c405ad190a6ac905d7b730b987efa19d98d91acc5ebe5636490bdf

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
180407033110eaa50c81da017881b5d7

SHA1
c0abe609605e68ced70b13745354a9f8ea8ab419

SHA256
7aceac4d6906beeea604f353f016535b666b005a60747f7245193de29e926650

SHA512
5f81a715a0abb9fef5a91d3861097bbfdfc12ef238ae09262496ca702b98bf1c38d44836171511632508613e12e111f6f9caad2df03cf80ef532146c04ee8dac

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
9b315f42fc71347f0506437fa7825e65

SHA1
b702f1ecf00d7f3a3bf793eef60cf9fe37b9a439

SHA256
d2b14105ceeea854b74b93cef686e76f6e86fa4d72204b5550442848813d0605

SHA512
4975538c847478e4a0bc091436d6ccfe6c0b09f1f2363ca92edd123ebd72bb5355445bf4fc2e8c9fcb02a6a6daa9c588ecf235d1adf0950538ba54f5179eb26d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.7MB

MD5
2a07d982214937feff49efe5e6c7ee13

SHA1
03a507d7891de2c74a706adecce72e53975b6c53

SHA256
b62d455a87222e73afca6b55d0c813c6acbb4ba408e1af4d4def0fc9d2425f22

SHA512
68e3812482c9456ee2be933294b6d495352be8c25dc955c5e09afb9669e20e6e89a173f28aa595ff41aba2171e295f56373ed8c38f53b0c10d52a01aa1ab9f8b

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
ad8ee5a238c65964dcf1e544d93e5d8d

SHA1
5560aab345e9809456daeaf3a8af2880e6ef2b9c

SHA256
e1097cd0af6cbcb4492ce7b3928fd9dcb10e85412c5b29689bb440e7a2b71151

SHA512
1e00c2aedcb6381dd52d147007a1bcb6e5c443e4e45b5a4cedc03da1feb877baa1253216ef8d4de6cffe6d6683ac861f65513220cf818554c71a152cdf6f4eda

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
3fd83b0f2e4020b93f6735c5a2df7b40

SHA1
d02959dae4d24e77b38ebd14c872e1f744457d10

SHA256
2799be18bd2076788e78b3abc966211363dab374e1a92b5a94b94fc252cb442e

SHA512
a49899e03614009fc5cffb91dfaf477839d4b014c3b94076ca58ed385948bf0a91b89b77351493b4412a84891000f4e412a31fb83c7ede2c76ce91a88140ddc1

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
580016fa947921ad782f3e15cacff55d

SHA1
91a5e2a79ee365720f62b0743e47f89219d4df06

SHA256
7dc33ff4f6f0445f1b6bd84ea3741771019122e7ea318198c477e1dcb4e8792c

SHA512
092f030e3b70fdd64c84c370498572c10e0ffb2e527e37f813f0e710d92031d92979110cb953dd469b12a50e33b0c647fef41c0f071db45b25241125af4b886c

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.4MB

MD5
6a78f00cc60f2a8d1ec4beda18367489

SHA1
9772354163c9bb1e5c3eff636b3acb80ddcaf651

SHA256
20f238648848712b0cca3a2e671b1e3dfc44d3ca467708e843ef57f7a2102ecd

SHA512
426887bca4f06bab754cfdd678766a3b51de508645feb0d4cc9c73cfb272a3d7f8825668e93fb6c03766de1385d7bb58e82806d78bd967f2e9193d0fc1375859

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
5aaf20813a0677130d243faf674ff401

SHA1
0b6cfb0068243222fcaf7d7f96517012e3803253

SHA256
ad864fa63e1251d785ddc86b4dd23a917d7c3bc4af3c734110f8e8103c43d428

SHA512
3914fa4c8e1721785b8a7f956ddc62c8bd3e07a2435145a73893fc950ab958339ecd212f3b7b24131627edbe229e5f3d817478aa34d5b262845690639c245775

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.6MB

MD5
8e48450173e91c3524187faf09f4fd28

SHA1
ac7d054cbbb3e9bee2ef71fbafd6f3c764bdc635

SHA256
514def601eccb804d754d5bc4f6aa6b62b4c3edc7166a264b9f871a8e25d14d0

SHA512
c515a2cc2d70efd09cb1fbf0b45f8d5f2a896ac1362496f4ad00af736e643b09013de8a8d374eeeafae660274fd77d29a7f5370d67a260818ca769ecb8fc6ca8

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
78fc6f78e0002cd94ba7fb7cd7a1d87f

SHA1
84f949db700f9a9aa19042590c34526ba862ab56

SHA256
1c78a8dd5f4f770c7273dee87173d067aab1c2fcc45c67373bdb4fafc65f125a

SHA512
8ad6c00c586b7931a367efe7c562c5f7b10114569eb61011c42f84d49d55153b97fe075a1d254418d641a02ffc48435d779d07068526c0843e04fff55ace7996

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
f43e356fedd28457e48177ee6c53b796

SHA1
f660f5a1e4f712ec4173e76677117afc810c78c2

SHA256
6dc164f3fca72b6a963d980025a2df7580bc81e13b8cc034cabbf466e30f01da

SHA512
9e874ed1b7c629c0881eb7344c21dd3a3e31ca7fb4375f4df5cdafec86268e560402be98f4facaafbac70d54e5fc1b15ae43baf4dd3f5792db74617bebb3093b

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.7MB

MD5
f9429e83d8e29c73dccaaf740b356f90

SHA1
62c802534a222b58da46e0f5338d0d20f955d072

SHA256
343bc4f5005e8abecb50f5b1613045a0f19d9a3a1d33ed5f52e27bc15caf9f3c

SHA512
3c44290d37e5a60521956592943aa2c627f39c64fc4984ae8ca3e5ce007d169251facc1b3ad29e204d6906154d8051b726f56ee8e9fb44df0e7c70c0e6e38bf8

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
1e6870f644a238f58b2b31e39e1b75b4

SHA1
27fe31b3b211184ec71c7c28a931537962d73237

SHA256
4d20fb08f5995aff2a874389b355e05a2b9f136be99c3315d7d06e0c2003b717

SHA512
75fef3e5fe906afac6b212ad565f0ce1fa510325ab902ead1a590e7c98ec8b30e30d7eb0b0f97ef9c8fb55c8f15f6cb9cc406ae14f5b138c0ab2cc5a8d9af708

Download Submit
memory/976-248-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/976-787-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1844-303-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1844-797-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2124-106-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2124-112-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2124-114-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/2124-116-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2396-793-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2396-261-0x0000000140000000-0x00000001401E3000-memory.dmp

Filesize
1.9MB

Download
memory/2628-315-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2628-801-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2980-252-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-136-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2980-139-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2980-130-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3056-288-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3056-276-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3060-223-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3060-12-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3060-20-0x0000000140000000-0x000000014018B000-memory.dmp

Filesize
1.5MB

Download
memory/3060-21-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/3452-102-0x0000000140000000-0x000000014018A000-memory.dmp

Filesize
1.5MB

Download
memory/3452-103-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3452-28-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/3496-528-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3496-190-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3496-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/3496-8-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/3496-1-0x00000000023D0000-0x0000000002437000-memory.dmp

Filesize
412KB

Download
memory/3592-299-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3592-796-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3660-212-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3660-334-0x0000000140000000-0x0000000140176000-memory.dmp

Filesize
1.5MB

Download
memory/3720-275-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3720-156-0x0000000140000000-0x000000014019A000-memory.dmp

Filesize
1.6MB

Download
memory/3720-157-0x0000000000CE0000-0x0000000000D40000-memory.dmp

Filesize
384KB

Download
memory/3836-119-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3836-125-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3836-128-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3836-247-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/3904-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3904-803-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3968-272-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/3968-795-0x0000000140000000-0x00000001401C3000-memory.dmp

Filesize
1.8MB

Download
memory/4336-786-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4336-224-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4336-339-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4468-171-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4468-290-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4640-191-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4640-302-0x0000000140000000-0x000000014018C000-memory.dmp

Filesize
1.5MB

Download
memory/4684-149-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4684-141-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4684-147-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4684-153-0x00000000015E0000-0x0000000001640000-memory.dmp

Filesize
384KB

Download
memory/4684-155-0x0000000140000000-0x00000001401B0000-memory.dmp

Filesize
1.7MB

Download
memory/4800-802-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4800-335-0x0000000140000000-0x00000001401A7000-memory.dmp

Filesize
1.7MB

Download
memory/4948-653-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/4948-228-0x0000000140000000-0x0000000140177000-memory.dmp

Filesize
1.5MB

Download
memory/5068-201-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download
memory/5068-314-0x0000000000400000-0x0000000000578000-memory.dmp

Filesize
1.5MB

Download