edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
16-06-2024 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
Size

1.2MB
MD5

f989f69edea971f8cba8e59b5f932a8b
SHA1

ff228ad2de44737040ad184b9d8b2db53fcceb1e
SHA256

edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859
SHA512

fb47097396e0037f184602795d6625f49c39386de69319b03147193bddc9c61cf6b39d111b59033de0f8ca1e56623e1591ce4b3fb5c7aad591d256f2a66d16d9
SSDEEP

12288:r2y3FN92mrRUDkDTYNmN3Rus3SAFYq8Noz9qirzrEX1fsd7TOoOTd:6y1N3RUDHNmdPCAaq8Nozgi/rE0TOj

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
3128	alg.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
4548	fxssvc.exe
2904	elevation_service.exe
1496	elevation_service.exe
2836	maintenanceservice.exe
2388	msdtc.exe
1552	OSE.EXE
4188	PerceptionSimulationService.exe
2668	perfhost.exe
340	locator.exe
2564	SensorDataService.exe
4556	snmptrap.exe
1608	spectrum.exe
2344	ssh-agent.exe
1292	TieringEngineService.exe
3484	AgentService.exe
3528	vds.exe
5108	vssvc.exe
1600	wbengine.exe
768	WmiApSrv.exe
4936	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\AgentService.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\System32\vds.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\msiexec.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\978048ebb3b9834c.bin	alg.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\System32\msdtc.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\locator.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\wbengine.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\vssvc.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{B7E43319-E9B2-4347-B44F-112CD29ED4B3}\chrome_installer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000dc5bf5e2a2bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd963ce6a2bfda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000001fad3e2a2bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000945fb7e2a2bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004c6b46e3a2bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009a932ee3a2bfda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000092cb67e3a2bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{8082C5E6-4C27-48EC-A809-B8E1122E8F97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eb361be6a2bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c61d38e3a2bfda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008e5752e3a2bfda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe
2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2080	edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
Token: SeAuditPrivilege	4548	fxssvc.exe
Token: SeRestorePrivilege	1292	TieringEngineService.exe
Token: SeManageVolumePrivilege	1292	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3484	AgentService.exe
Token: SeBackupPrivilege	5108	vssvc.exe
Token: SeRestorePrivilege	5108	vssvc.exe
Token: SeAuditPrivilege	5108	vssvc.exe
Token: SeBackupPrivilege	1600	wbengine.exe
Token: SeRestorePrivilege	1600	wbengine.exe
Token: SeSecurityPrivilege	1600	wbengine.exe
Token: 33	4936	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4936	SearchIndexer.exe
Token: SeDebugPrivilege	3128	alg.exe
Token: SeDebugPrivilege	3128	alg.exe
Token: SeDebugPrivilege	3128	alg.exe
Token: SeDebugPrivilege	2876	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4936 wrote to memory of 688	4936	SearchIndexer.exe	112
PID 4936 wrote to memory of 688	4936	SearchIndexer.exe	112
PID 4936 wrote to memory of 3264	4936	SearchIndexer.exe	113
PID 4936 wrote to memory of 3264	4936	SearchIndexer.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe
"C:\Users\Admin\AppData\Local\Temp\edc6c1524a28921f827caf2263d372c192ef26fe845fae0865fa9b7627863859.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1496

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2836

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2388

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1552

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:340

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:2564

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4556

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1608

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:2180

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3484

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:768

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:688
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
38a056c6d003c51f99632e9c27f26a35

SHA1
60e162e5abbd70c07db40ee72ffd84252687f9c3

SHA256
048d736e1029ff871270b0423cf23e68d40bab326c7d0b39b8b554549b225338

SHA512
0f4cb754bb3b9739089db89e7738da1e1a2912eb75df4296d29bf03e788fd0904efe45b8039e45c5189d6192c84be235bba5967fc77bf60d424d765d716d2ba1

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
b7bbfed3c6359aba95726befd899bf8d

SHA1
152e3b3059f4ba6eff9735dc625e7ae8309cbba1

SHA256
00a50384219bbad89d1f5fa916cf0a0ee82a4294450d93ea0d0a8496c7d4e1cf

SHA512
08bca8db531bcf2fd40cbdc71c370cb56c8fb399208d5f5a7ae4354bdbbb62a1db7027ceaf63191936e5987a7d0db2be44f556ac2582ff6c1f8c57c24ec4fc2d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
deec220f4a0a14735b717c2bafa424c0

SHA1
d6b6ac43fed3e26bb709886e9cc66a08a067f281

SHA256
2fdb32dd36e03450a20916d84739220b03a1a8fdad7d245c4634c01646c30c8a

SHA512
3be924c26b54a8e2c4c95bd9b17ffe8e15c96aaaafb08eade1f484dfc71da87a2ea398da17ee3f6bffa05ae0a2e045eb732096383b68b5834a175fb83e07326e

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
754765c4fce183e97faf47f943cd4051

SHA1
3f6e961fd1e4b4732f1e36059c89e5d513398d1a

SHA256
939c98431de72920e9d5053f49ed5925672a42e2f0ff0fc9d20452d9992f59ac

SHA512
eda0a60769c3eceb13892702c4db6475cf18ab4f6832551f635cf73b70a2dd561af95c1ee3a9df6249652921093a24f391f56044448958bdc8882dd373c2b8bb

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
8bb5dfbb87632cc9fe09bad9e547083b

SHA1
eea29145e283419a04605c5ea14988e70b776f2c

SHA256
20d432cc9abe1532741608e97787e6bda47c36233708559329c922307e77dfbb

SHA512
63070b78dc784b70fa04e63614da1b9a5f99935bcc207df57170859bdc51be4f8f9c5e12971f65cb7b176bdf203eccd3831d411492ad14c5bdd95ffae90120dc

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
7ae22c74e905af01e18e97f5aac04311

SHA1
a11f663e316275c28639eb685045f94383a5d4ab

SHA256
aafe7ed55705bea1d99f2627d960d10bd624435fa24da67be4c98c8940a9284a

SHA512
9c9500940569dbf287ec09c9020334a2742c380a9b5217cf1658c40cf2fdd95d14b097f70e5b07494b3c9300804be487e9317894d9fffcd34b99aa8a8831f8e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
5929f560936afda88a5211cacdca3547

SHA1
68be6c7cb82788bf066f613269f6eb4e0ed9b51a

SHA256
765fad5c78978c3928146b84874bb8f3fea874a78c31551152661098113271cb

SHA512
d54d47d6f261a3ba3419d34ab2a623cf903e3ce4157e6ec08873fbadbdf92e86ea95ae29acdf4dd461ad6ceea9b39a87ddc5f3fb7d9eedde61d0d5d704c84c99

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
745a3a83a6a6fe62d310539943fa8939

SHA1
43b70ed27c930e193740b59b46bd8104ad274ac9

SHA256
fe471277c87c974ab0db8ad0b34aeaef83611a73d590bc390b2128ab5fdc2e70

SHA512
157a3b0586f925c8910181fe44ae4c0fb01a2a0856925a1df2c10628839b65a8ddf26f54d519323ec33e35f39e037df80a34ee10fe827f553fa8fc74f2e5325d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
6d58dc0bbf3022846d667037794e4f10

SHA1
be818c610badf329b47bd56fc5f4ae214ad090b1

SHA256
0040b37b816d9855f0ea4f520843ca02e2f0293bcff108b5d8a8fe55590470be

SHA512
b2f3bec6b02c4b03d9e1b9b1fa6265cb482ef544ba2ba7c3d8d7b77da4f07ed3381d9ae7f796ac524e7f2fcda61c15863beebfd4d634c56b87b643d3c0cf37a9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
5cfa24b18328a31b80a74baa36452ed1

SHA1
acf714972af0a1ad570c2bb65df4253c1cae014e

SHA256
0e59dd164f12f21714407661312f3b51e468999848f9376a86abf5c9eb4c9b1a

SHA512
443eff6b4c9f4dfc45c3d3ee8a16e0710234d9f3abb320a2a3db9628d30d631b70dfaa198b09b98cc345a4f90005b0c0842d2406c31d6695813e1347e2102998

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
cc1f157428109e2f9c7215508f7ec8da

SHA1
b3fd12e3cc7b1d3ebf6e70d6444d6320a1a11812

SHA256
cd835de7ba1aae3d3ba08d94d04c211defdea367607ff68eaf5e97fdb4e340bc

SHA512
b71a56e7af7b0300447e6b0732040ca4bfa427f20adc8778f9d6010b829fffcae2fe29a249e8ce0626c39c26890cf8ee44dfaedf46a73794458f7a8141166d2b

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
efd79f28e823cef9c3e736d8a70098aa

SHA1
6929e8043df12b92d03496108cfc53e72b3d2940

SHA256
19a9cc0866e83f0e6d364d923efe2f86a6ed2c82cd1db09d2318aae8b0823674

SHA512
3344aaa105a1068e0275e21ec2e05def5e3a3b40a38f134b1d00d589436841e3a122c099e1b70a463b50a3bb07e7ccd895bdfc3799d41a7ed7501cf18e153207

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
b386c8d34411bda71bc9d0b78b87d837

SHA1
07cbae2fe55de5a2c3cf28e061a45d8d4ddd4ded

SHA256
7281b332f7366ff678f0923da4fda6bf78eb941813a29cbac40872fc85bee2c9

SHA512
5e2c713166c2e3d31c59fb95141cdd7190f50724028eb2bb514f16d6e0e7419ffbc5669d332e83ca30427d26d4638e20afba7b3ab05e4ae61908aadfbd349565

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cb6f5fbb57606149997c2e170f379d68

SHA1
f00ec62491ed202f9336479732d15aa73a144a92

SHA256
e72e4f8590cae9ef32e8aefbd9507e3a5039b91b280955607ea3649aab89be14

SHA512
729d7a287ee1d51a6510ddc17573ef9956bf2bdd326078d6f74bc4e6f58ff9cab3a40d8fa0f2fa2de7d23168a5ffe4b4dbe564d1dcd2277a2cf16671e68a1b8d

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
97ad904da234f605cbdf04700bdfe4b9

SHA1
ca71b1cac6b39144545fd44ec6df1681840604af

SHA256
2eeba0ffccff9fe209a59f19dbb0289dac29d56e471d3317f4a4ba002bf6b640

SHA512
3f08e288438c0ab0cf17b67525d985e31ff826f0a4f59c2dd123fe6c63573174b6b68f1e362389ff6017b04785523f5e723a92a18f4cb5b6e27374c25b25d085

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
9c673d873922f175388d7a2ef5664450

SHA1
644cafc50d9c73ae0226ec1a02ac71fc6788e654

SHA256
75264cdfb8a7c4b1f7b89bb9caf04b8028cf1e5e778f42370ec0a87d434c5fdb

SHA512
49339e5715ac6d0c224f94544a8f409420f7b93f689f07b45bf3b61654c6f8a50c73f3e70f42b715eda5608987ebe1fe63300c1d24cd165d9b84d394aa54fb4e

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
cb5bb83bf64d35069f569d0cc6d8e040

SHA1
44cd0a3f8dca0ea283e13e675e70fcbbba9b6271

SHA256
20219cbb7518c3acb8e8db4d20d8c8541bc9336dfab75b6576206c7ce5ad9a17

SHA512
d07d4e153bd4b756c235fbad8e7d466e7952e789f87dc2e6f3c04311db9d66175038a610bf12f785bd2719bf6bfcbaa4c6df2c5e5fc0dd60f81175253c5eac2f

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2535797344212c1a93ca8b7653c94538

SHA1
063291c8967726f2accf17df773204bf9757b12d

SHA256
b5d17d7f3a4e7ac58b9507db590da5cbb9bf980175fa50b0d7b0250045164121

SHA512
7e3584e41c2be49346ec36fa820a30936671d28825c26e57d492fb7b0f6ff1f513d93bc7d837ce8d9e9393be39b9d284b84aaa7be29fa7831d3e0fbceb53fc4b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
c9ba7d721c511f2d51f4ccec1f8f118b

SHA1
8310b672ecca9eae2acd12f1a010c5ba1a6c1454

SHA256
e4de6d03a3d2de613e29b608752141dfa3e6e9e551ec411c05a9263e7937eef5

SHA512
0f5c688c4e8f6ceb39349f9383054b782493f0b74f76a1aed6426905920ad8fc3c8952d5e4232e7e4bec27026c6e2e6b12f78a3cc8a3c1d8038272666b925bfc

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
cd26230a54187ffda1ca76f69f0eece4

SHA1
393e090ac6f4ba6cfeef74273b2f4799b0ded18b

SHA256
f453aadeb32751315dee97d93051f8c9e49b58c259e8817444bdea2ad225b682

SHA512
d3221b7e7feb62bc34020e109f06658699ee43c1bf98bb7b5ca141f50359d93019762b968ce7d5d8392e1ef1aa993da8865ee63eae380f3d019d86a7b99c0412

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
c4263969b9db195cc83eb44cd1d751c8

SHA1
3e6b502b4fca0e5b40f82160cd037e9e10aae52e

SHA256
07bb009dca6b2b3ec37000e089c8f071f8208685eb1007c343323f91bb109a9d

SHA512
f67f75bee5748b6a57a67e7b7be32df8628c7a86e8350ae95969aef8632c61b92cb993718f35e6085af1c376b3f236c5b31e977ed9025c9ead282bbc86daeaf4

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
3a335e4db07211c75c2915befbbf18dd

SHA1
ce7ec5f1ec377e4eb23a4a434bc81551cb684563

SHA256
fbb58ee2cd12695401a35b69df542bd0c896050cc0625b571b7e027b544b4c08

SHA512
4f7c3a9946a4c0850c5950a63ff3e13c82746f5786828b9e2179b39193f0154044aaa4875f354e3f9b86a9eef8d8450c2c14b1c1134619fc7da7c4d1922c89b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
21b56fa32bdb984aa14f9cb0bfc06294

SHA1
a6d9bdef8314fee33309ec64041e72e8c266b7bd

SHA256
511a7d044e9e276f8b70d31fcd4794afbe3fd48247f0904cba6eead72d5584d9

SHA512
fb64a9e3338947c38724a2167f149339e36c786430c942e523b03eb98f49520bdc56e8b0ee5fe746abb2191b260152f0e790fdbd0a762d7ffb8c54fcc3fd4a8c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
3e4e68f72dddb81f3858bd45dda3e649

SHA1
58be2d5b551d3b0ce344bb8e9bed98b4a14ac8ae

SHA256
f57ccfd66c110877c66b05c5e88976f0b81ef5e83d9545497270f148dc0ec407

SHA512
b4009c438c45d63cb3dfbf3a608fe35049d6e9f97e658871c87b159929c766f7cbba0b599344fbdc21013d8e7e3944f8408e674178b58eb85c3824eadb88f647

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
51e059b64ae618602230729e856d3cba

SHA1
89bd0415c8702232f71a58f1dc9823ce101bd1f6

SHA256
d7eb0f180e7e9a8660974e330a6b373c0f765e79d5b51370ac8abc62dba99719

SHA512
155f241a780e725f658269fb3f0e4c53bcb09dbf3472b2eae769eb6476ecbb2b0f99a283f0d3c7c73151fe2a67c5b657a22786e48727f875b4786414d35a2478

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
abe91a008707f193d5e251313f869c1e

SHA1
391022e9e76f808da9448eaaee6e004a146b0041

SHA256
c814f50c76b290888313789b11128cb05785908d6f6e3b99f123dfeccdbba09d

SHA512
4fcd606da740e571f5ea3a5d11c7998c1372703b31083b1d21ea86aed32864777e10662c72a78c36ccd40fa0de0b19b89728fff1c8d732bf824cb72c8765bf71

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
37a7005a7df8a4bbed0edf98d9286761

SHA1
41e3762f78d43a42aa6ed97bcf47c0f82ef5a157

SHA256
65b486fb9321bb061af8aac5b37d001e4cbc7088b88fce3b84ce94f30f298688

SHA512
bf8d3f5aab1d365fe826a5c41d95774646677ba648c9f4b1baa97e6f0c9852b616faf1cc76d0305b5a92af576c32e3c088b0e96b96bd2d0444ebd0b9b08aaa63

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
ba02d1aa1abd6afbb214388bc91c8b11

SHA1
f6638f17a0e880b49c62e2be2ee9354f4583f9e3

SHA256
0d1ad14673b8e3596731ac6118504b8aea1b68e7e35f9522b8a7c0e9b4d929ca

SHA512
bb28aeb277d88a6e5da974707eecc6daba24318c288f6fb7785adfd66d229519acae59d5f3b60cf4c7c709da6e0b577b53f0c5b4845ae7411cdbc18d7e28a20b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
a13fce849575076540936657d395a40b

SHA1
8fcf50cd6272caa28a40ae2ff59dbb68bf41de77

SHA256
4148fdb556e7549ca93c3687034a764a20c6553349d27e10a19e18d3f69b4e55

SHA512
00e151dce40bad23d1a9d275111e7e5b903617d2c3cff681d54f8379ac222439c6d93c4c3f593abf4ee03c13086c51ac2226574b304e6a198c423dd5ecdfcc8d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
4f7a37a717ffb12b3d56ec6b425d978d

SHA1
8ce1447746b232d58b81a2448c9b77b374305e1f

SHA256
f17da2d00ceb2218f31ef7e08f07ef4ec441f87c76f0e733098a65c805845a4c

SHA512
357609c97496330615df19af088094b815ced890ce8e374809977f8986096b9b27ce3daca41d96b489df3ca499c04a75935a2bdd8ff173f17dd5363d25c89410

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
ca12e7f1cdf2d96e4fb5896de2633593

SHA1
6647f9468bea1c181b38d7a2b9a564a44fb3d005

SHA256
6e05bce37d3665a5dc1184ed739e6e97afb8f9caff02885d513b67dcaef00042

SHA512
e291fbe1ac43c3c32d99d6e93af8c9bbec0a63c4039a8ae9e6dcb405b0b33c94d152c685e858af19cea4652162e58f3a49abedee9ea86c71af254669ad6e388e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
dc8faeeeb00bfde214b63861b4aeb04b

SHA1
bfe490f8fcf0ca25f502d6b54056a38a4c11a212

SHA256
6fcd054601ac40ff4e9df84a8e9ce5dfc3bec502f6677852f3042f0346e1caff

SHA512
c9b49ccf794e8799cda49d33b1b4662e6a0cb1535370e2e313f696aa701cae10a15b20f63625e99b46d193a16491b9184f3a097d2846ee9187b87d51ee15c2f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
45774f07fb289ec740f354c16981f814

SHA1
c3fef9cca45dedfb9c069b246b3e5a3c6437ca29

SHA256
b04db687cc5f26a17b81868ba56d3acb81ee59ecdff4e387127e5e16d2cf69af

SHA512
8f955af6213d0b4e5c18fad357eb6156aa778ab1f7d01119ef0885ddc6cf6c232e6ce6125165cd2de51942f6dc5ffd93a19d8665e358307625f9e9f97797a1c0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
1c0c1e710f92eb3cc939caf852e83241

SHA1
f9dac131d0800abc6575b6370559269765746780

SHA256
d5d4bcdaf243e1076eb0069d5e56c729cb488e892a43317c5006c2ff135478c3

SHA512
097dbaaa49b8cd7bc6d3fea05940f3a530a5af41f0eaebf1e77bfb8e59a6b076dcdc9ae5ba009cbd88bfb81c5af20e3e2e4d37a41278b29054a607e2e06a0186

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
b22bcff2f30f248945b741cc8e651396

SHA1
04d9f3cbd6cdbe93a113a0623f5a8154839743ad

SHA256
8754ba225d2cfe72287d28979660365648c8e097fb802831da316df3c3b3a961

SHA512
00e354c38aac28d1bf15e8d5fe38da52753b987782ecf2b75bd8de459e131f6c32c87a66d466a6c192aa95de18084365dc80b4d0a9512e16982d72787bb0b9e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
c3e3285f8f76d177c62f8c271112b7f1

SHA1
497bd87e438e42678bf58cabe94a19a7a159081e

SHA256
b1662e0b0c0cd255854c94a7fde1e6184636257d8beef4b1a207f09e9733c67c

SHA512
8cb52280f75ace733ae34e7c5e23cdc0f46d3eff03b4e599cac66a582741da314a90e94b3cbd2f9ef887eef41f95452ccebbab2c8fc9981b7df2c04bf56034da

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
426590380e4e1f51929502fff9df7cce

SHA1
b2c4715d75d8771382ecfa07d020575e3718f8a2

SHA256
2f7deecc875a24ee3f97247e2edadeb4a71874ea25f8417086f12a67a7a3d8c8

SHA512
b6121dbaed95f1e1490a0dcd473ad2f5968cb3b9c1537125a251b7499557c43f6fc6e8fbc75c5ad60d050598558d5854a488c89d6b3718010f42989ee2fac860

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
9e8a9081171254e5a66773f59c459bec

SHA1
b1a52cea2042c0dc6cdd7f94bd1e45480d844320

SHA256
d5960be3dc187b25c098214d658751f4fc65bbad1feafd33175a1fdf3542ec91

SHA512
e541fd6dc2c93ce14beac24fb4227b410d31fa0227ee614545f7648e7161e2eaaa0ed71dd5f79a8649acafa1be631825c5093b97ce1aa4c503890ab9fe521e8f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
27bd60a5e13de5c194bc4e901c71a51d

SHA1
6765e74632bae79d593033e9434ed4d83389ae76

SHA256
9f6f81579a0b8327c5fb2869f004946d7edff2d7ea5db3fc43047551f7865b34

SHA512
52e766f69880b7fbaafff971d60780bd2a6f3587455fc53a5c10121b58af1d3712fd5b73e799832f625b99b1074f80d9b7336c4ea9e7643e4bcd30584ab0730c

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
f7b097c905fc257bf3a327d5925701f2

SHA1
ac2fa3d8d84dbc60b0d38138175c5e66e7bbd7ed

SHA256
4da5fca4b326d2adb5328b33bfe5c27b608c69cdce5ee7509f443c48691a3091

SHA512
0c02fefa2fede24771b2515ad6a6541cd4a27179dab98bd22ab1a3263e8472f85a617022bebae26fa8f71541efaaa0fc1fe54d167b54766c5322365df6efe76b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
22a30e13b993ce6e0f9966296c18373d

SHA1
056dc0ea3b01dfdedfa0fa0ae965137fcd5118ac

SHA256
3cd9dc68e4a668f46a44dd6f8d6eff1ab10a5012a5caa356b8ef3ffc90cbcb46

SHA512
b6abdcb861023bd36bc0548474d68b07f0341bfd53b86676cf3f7e0e0ccfd880c405ddca0a155ccc66b8ca64ca1fc5264eb4eacb21d5c920acd098a1fbc1ef38

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
220c5f1cd11d2c19c31a3e76b7a73c38

SHA1
241d980fa1783024793ad0193a776c3f2b7cc389

SHA256
98420db0b13bf78accf8dad246a2a3da8e901b1feb08c326925bfaf9f639a200

SHA512
f5d02c0a8ddb15af5e4909608ca1248207f7353aa9be0c0f8f590d7f3460eaa6916e1078df7357b0af2893e0543249eb5c42178e33b661fb9bbe5bca282531c8

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
31db01f067741693c29be56073e7d6e7

SHA1
6dd7e659313dab042ceaa2504610a999bab63147

SHA256
73db9a13509dcef6c02a2f286d9a272476e335e928d0186a325a190817ca8687

SHA512
6b8879478d697f9c6a27587214c06e3e37f3825ab1b8d85e26528b7c6c58bf114ce9fa64664288229a1b18c61ccb75c601e64851a9dbeb7a2053714d3e6757d3

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
a81b0bf0d30d7209cc55899e9c96e745

SHA1
32322873ee6256a332cd06644ff9d02c823e2c55

SHA256
3000da98975ffc02e18fe6ce3f1d2cae19e9d5c30819a9c747e114d74b2ebc06

SHA512
01e30a9b0b4b07f0d39f14d63889f51ccd6cba65d45adea19f38b805e3333a3aed1960fbb7d0afaed76c5fa4da5848aaf718da921d62fe0c3488f8ca31854684

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
6ae71426d616ff3f0ad6cce87f03d4db

SHA1
94433e7d702bd4208bb50366ca33fc5fd20fa0ec

SHA256
ac0e3e701659462eb6439fb9bcc2630acd0497fa87a239fed480a7f452a3e287

SHA512
32c6ee16b0202de8c357894369402fbcc3c9215e96bf2e9195dfdd4c537df1cc4da6b3e4be71e29d99d12e9007802efb3f4808cb90f9decdacb4d7a4385acfe7

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
9c59b2f373e8d3a47eba3bd04bf775a8

SHA1
b972d83f64ee86f2b87a5f66f173710f40474fe6

SHA256
e70043a87e926fade5414783ba7a690b4f3fbb7f15f1b3898df173437876a74b

SHA512
34064d744bae2a7699a8aac6f9485b468dc620b744617fc988e7a401a082a8286a462fbabc551f5f098e947cafcd7553b339739ea27d084cd463c59ecc6f761a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
272773efbe286b2ea105a1b4070c6b5d

SHA1
78914606f94c98671b46ed3ae073f9da9b42d1db

SHA256
6e5a65fac4fdba73120048a5246653a53af5a7856e2151f508d63c1a5dfa54da

SHA512
06c6b30d240a0e09b405f7a3fd462d50aaf5ca1570e399af7703d934ab318e7b006e7e9378bddcd71895b6bca90b896e8226b619cd823aad4f70a08e985a1be2

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
06744ba073ba83f4af7d780b1d2754fd

SHA1
dfc1b97d54f647bb776f9a89dfa88f7b89313485

SHA256
ec3a75022650beeb1e0f726f4cc7e6b451c1df835f639c9447aa9d005198324f

SHA512
04f08dba070e80629148b5df31812e5ecea0320f79742c1af22a34b495e5f3c8bb1411ae7cf61e4ce6624095c0a6b1669a74dbbc1f9627e3934d38506ccd13cf

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
23814d1bbd96b7042f89b50d97aa9acb

SHA1
073a98a18edf1b402673f53c5a0c0c55ec17625e

SHA256
3853859f5dfd548647718e1336b48aa7bc9a65e737fd67b8d7904acb6e69312c

SHA512
da973593aea8aac0af827351370ecf4c808f76273d7f7753501ee0636348786619466db0652464216a7429edb9d9bdc4f9e3bda7c0d55043e8b206b7829df2c5

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
66fb9c6efd8a4c5c45c8c766708ecd6f

SHA1
aa5b420a08867e6481882bed9293550751561ce0

SHA256
ba7519cd01539d161b9752ff99ada743d499938cad05983d18ad30e1527c21d1

SHA512
22e13ed96376f0870542980f2ee79798e23c3ccb34be7321bfc3aaf9b20fc48fc3c6a6e21b8f7793d82ff5a7641d0592278b5a79392b12967185abbfe417f7c6

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
5d50f6e12a9665679375590650e86f0e

SHA1
33dbfdce5f678e885b001d356f96d477975f938a

SHA256
5058b4d17887c39d1c4ff2c4e3a53de7d1336a14ed93402af6c4f3de747ade3c

SHA512
0cd42107f1f38a948027109ba7da483f82994ebda5a2cb70ad0213cc7ebec0fe12495b802625692c0179a10819769f644a40d03bf808bd352aeb018fd1f29f64

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
bf126140ff9e4e5d332375ac3874bc4a

SHA1
756a1b6cebec17b8a9559761956026427108aa4a

SHA256
7d94a001e88d773bc18d97182aa2216e06b03470fe59a7ce4639fa85b7a4d650

SHA512
af2adcae03ab5db94100c1cd5bf440a519750bf7561ebe8d6f5043d5a4cc7b07d0474894beff4b56ebd33b5d53c8e6ecdb993adafa7c12dc89db7a8a7db909c8

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
6ecdb8a21dd6ea2dbb326962783c3720

SHA1
2933ab3ec943255858e0f4c2be65da62532acab3

SHA256
6affa7ebbe3c5b9a272eb11fd8ecfa9561a05caef09e962a9e1939c617ed63b7

SHA512
536b9e2daf3d992dd2733b5835609895dd5291a6840ba165658a85d857055b2861b0f4a6d08bc875cf7dc1e0e891b9370c12aa5a324e31e566485005c7d2f9ae

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
3097ea380d7bbb6a82ed0def0000b1bc

SHA1
0bef2a514e1fee6be518f89b52adedf6650cd8b8

SHA256
f26d37f1e8b546b47b90e75c387be2b6daa0de3e21272d6d3afb43d0d66070df

SHA512
202dd28cf219f9de42494b8bc98d55704a07de7a3e539894687a5ce2af457faa01edbca222c88d704dec09af6d7a382e7529363a8f07f53a7422c6d3b4fdc8ba

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
782ec4863364e7574451f07496bc18e6

SHA1
b06fb72e8402108eabd3e5c3d2ef5bafaa1d88b9

SHA256
bcaabbb02f31a470fab3d3e24bfd9ca7819662d007b75729ede9e9c0a29d145c

SHA512
b5dc9b760544a6757872aa37de624be47417623b7086decf37b8781d1cc2fadd38430d89ae0530ce57167d4473ae9ad8b9db99875c40775f0d432afaea5e0064

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
c661b2e2ef48c991dbe5d5b98e959208

SHA1
f61e28ded23b02913fa0d22a2e521bd2cf187461

SHA256
449f8b782d3606a3e477d80f728f2ec24aa390d7a1dc2e924d94c68fb47dea8f

SHA512
95ba11d3c7efdbd53ba6be12b914f684352e04f7d8f05151b8900a9f7527fd394a5e0cb7621d3b08f2191b3e6858fb4356c17e063e839f98a7a88030e5304642

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
11f6ae79939937f3779d232769bd8cb1

SHA1
8a570f452ededd97a1a23df7b8cef14f38354f21

SHA256
f43b2d76f53408228beb9dcb05b517be526f1e0e10ae348bbdb03346483f88b4

SHA512
bb4d3a5c15dfdeaa3bd337ce2ab3d6c7edcb4b3ef9886ce25c9eb6616dddc5c6a70b94d8aa126ac4063fe6962329c8d9d16519dd6ab53de0721cf230a8719911

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
2498b863a7380760d2167685b6278c85

SHA1
cbcdc6381b193bd1c4f4d5398437ca057c321534

SHA256
df374561fe0e8207d37a5fe2e8649fe675b93cae711dedc20f30b6b08576051e

SHA512
4e2fd734fc5d4a76f34587dc2cef056cead71c03ff69a412cc9d46c90519133c73171a15583024e3cc6419be2c9d204305c09f032e59319eaf60a12e13d02ea4

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
a1d25154e9f75bde490d5deb207f9161

SHA1
ba41b7f4bc4d66a883275bf584466658b10e628d

SHA256
90de3c0398f967290cebb7ba8d2670e6e4dfbee01ce6dca0ee48ad25d04de125

SHA512
f7612aace2494936c10c16b32f6c0ac1c025c7ea280486de0a6e84aeecc923365815da62f4bbc81faa4d4468b376c706c6017fbac2dd2d7656c0010b4ab1bb5a

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
3f89e6e3bfd09b2e81c2df207227ab20

SHA1
795c7f5b28f2a36279e498faf134c3a047a0f8d1

SHA256
1c3d241d722a6035bacfb89af3b6e29f43a8e78bdaa5c2e1f826c3444ee6a079

SHA512
5f806dd720302dab5f00c728911984f9fd2f76cb146855c7fbe1722c6116d82158a7afb3d49473a5151b0a10336871d517cfd773d544370fe159b9a7ca2dd5f9

Download Submit
memory/340-154-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/768-279-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/768-551-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1292-272-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/1496-71-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1496-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1496-68-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1496-548-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1552-150-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1600-278-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1608-269-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/2080-1-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/2080-409-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2080-0-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2080-70-0x0000000010000000-0x00000000101DE000-memory.dmp

Filesize
1.9MB

Download
memory/2080-6-0x0000000002200000-0x0000000002267000-memory.dmp

Filesize
412KB

Download
memory/2344-271-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/2388-89-0x0000000000DB0000-0x0000000000E10000-memory.dmp

Filesize
384KB

Download
memory/2388-99-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/2564-155-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2564-506-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2668-153-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2836-87-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2836-74-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2836-80-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2836-83-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2836-85-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/2876-31-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2876-267-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2876-25-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2876-34-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/2904-56-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2904-54-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/2904-547-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2904-48-0x0000000000520000-0x0000000000580000-memory.dmp

Filesize
384KB

Download
memory/3128-21-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3128-149-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3128-11-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3128-20-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3484-212-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3528-273-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4188-151-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/4548-38-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4548-59-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-37-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4548-57-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4548-44-0x0000000000EB0000-0x0000000000F10000-memory.dmp

Filesize
384KB

Download
memory/4556-268-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4936-280-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4936-552-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/5108-275-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download