3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
Size

1.8MB
MD5

d10cb5e37f42e6c278ba63348cff18af
SHA1

aa4e042f21b1681460a490c73da86fe4206ffcb6
SHA256

3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297
SHA512

bf0129d3ed7c94d61b4ddd8424d73ec9d11cf3df86239dbd58a85e6456ca45f8846507d13a0aaae06af696038fa6ec43b4ca5b1cfe7408ce2ea37270c3de9775
SSDEEP

49152:wM9QPdxwfE7WlFwKAfzuTiDFUFkBCks7R9L58UqFJjskU:w1PdVQFwKZCFgsC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4872	alg.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
3400	fxssvc.exe
2728	elevation_service.exe
3508	elevation_service.exe
4944	maintenanceservice.exe
2144	msdtc.exe
1516	OSE.EXE
2604	PerceptionSimulationService.exe
2084	perfhost.exe
4808	locator.exe
4212	SensorDataService.exe
816	snmptrap.exe
964	spectrum.exe
3572	ssh-agent.exe
1396	TieringEngineService.exe
2924	AgentService.exe
3496	vds.exe
1640	vssvc.exe
876	wbengine.exe
2352	WmiApSrv.exe
4796	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\vssvc.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\msiexec.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\System32\msdtc.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\AgentService.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\System32\alg.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\spectrum.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\System32\vds.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\wbengine.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\17c005fb16be280c.bin	alg.exe
File opened for modification	C:\Windows\system32\locator.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\GoogleCrashHandler64.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_ja.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_el.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\psmachine_64.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_ko.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	alg.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_en.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_ca.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_hr.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdate.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File created	C:\Program Files (x86)\Google\Temp\GUM9673.tmp\goopdateres_lt.dll	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-3 = "Microsoft Traditional Chinese to Simplified Chinese Transliteration"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007d7bb97e42dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-5 = "Microsoft Transliteration Engine"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005103888042dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008813d98042dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003c2e8c7e42dbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000027a1df7e42dbda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005d8fad7e42dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009f04c37e42dbda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001420878142dbda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004ccc897e42dbda01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe
1576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2832	3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
Token: SeAuditPrivilege	3400	fxssvc.exe
Token: SeRestorePrivilege	1396	TieringEngineService.exe
Token: SeManageVolumePrivilege	1396	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2924	AgentService.exe
Token: SeBackupPrivilege	1640	vssvc.exe
Token: SeRestorePrivilege	1640	vssvc.exe
Token: SeAuditPrivilege	1640	vssvc.exe
Token: SeBackupPrivilege	876	wbengine.exe
Token: SeRestorePrivilege	876	wbengine.exe
Token: SeSecurityPrivilege	876	wbengine.exe
Token: 33	4796	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4796	SearchIndexer.exe
Token: SeDebugPrivilege	4872	alg.exe
Token: SeDebugPrivilege	4872	alg.exe
Token: SeDebugPrivilege	4872	alg.exe
Token: SeDebugPrivilege	1576	DiagnosticsHub.StandardCollector.Service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4796 wrote to memory of 4256	4796	SearchIndexer.exe	116
PID 4796 wrote to memory of 4256	4796	SearchIndexer.exe	116
PID 4796 wrote to memory of 3040	4796	SearchIndexer.exe	117
PID 4796 wrote to memory of 3040	4796	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe
"C:\Users\Admin\AppData\Local\Temp\3cf50fd5ff5157149deb06c4580c1b483f4752f61c88209339fca36b335d6297.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4872

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:312

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3400

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3508

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:4944

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2144

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1516

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2604

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2084

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4808

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4212

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:816

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:964

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4032

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:3496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:876

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2352

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4796
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4256
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b03d0027cd847e6ecddfa7afa7dbb638

SHA1
383fbf05e10a37224f578ea00d56481144eab13f

SHA256
c010dce0ac7a09c5bd1b2512ffe43ca40a5832662f4a11d38588af2a50aab1fe

SHA512
e1966074db84537333c6e552397fedea4be8a1d115ca63a9be6893ca6f472561a90e30e9217dedc55313c6fc51e195f96fb4e37c6daa1856aa8ec0217b6415dd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.7MB

MD5
d39fd328c2957d5d1c3d42d908cc4502

SHA1
95a9be6a1c343b7845578be39d3cfb2051e51177

SHA256
d2a84dff408989ca300de285466803f2623ca561f93c2712b92bdf7fc050e97c

SHA512
1a4560c645b7e6a0390c98ce2b72d7e3ae0dd52fe3ee046b4a15a60afa3a317574b1f72689a3f61567256bfab6f0f22d3e28d298a52dc84c2b4b1f6e1e6adaaa

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
2.0MB

MD5
8e3ce285a8aadfd73cc083946f5ab331

SHA1
c9f79a6aa0a668ca23fe7de7f809e90e85d47df6

SHA256
abc681dd7cbdc5de9eaf52ebb27325b20376001098f5238c5cdbf929a1247e0f

SHA512
558b2b82c41dc92868e7d25ed89baafad8d6853b3c4f6f843861002079e094a90b6b6bfb601fc9e92beaaee0951042cd69a7c57d2201e039ad65b90db3aedcbe

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
df743fe482f03f4a254d2c037238cf93

SHA1
19b87be427f6ef76b5292375554985e43dd40d14

SHA256
4c90f59ebd8da1e4a62d3840d770759a24dbe3f024706edd715a6a0caf59c8d0

SHA512
bf4e305376bf7b0c3d3798e3e98a4e0b21de2304e7f76dbcdb464a91315c443138ab4e6e1744ca1502aeba54129891876e038ae06c19283a24abba9b31ac3e50

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
eab35821d98a94f88bdff7a1af8cf2fa

SHA1
506a8753d5362a81063b020a20aa55b5328bd5f6

SHA256
8ec93086f1d8bc5216d91505aabffd4bc698e4fa61b8e74f6dc04e27494c2269

SHA512
a5000f596acfbf72a58be6669f95543710add24abf763a541e805f4f60e8e4a3929c455a0ae77f736fbcbe1151faf2d2b38398e3bca5d49624e2439d453a0fc1

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.5MB

MD5
953823bfb0ad430d551831813c4fb893

SHA1
ef94fbc6892634421fb60dc850a45d714517507e

SHA256
48da17d5ac3a05e078e9388ad2fef9972046ef679d2697db96b23f004a5c1a2f

SHA512
364acd0ab91e8b3c7fd0c709d0a4d4a62a20051cd453a58f052aacf0bb69a10ab796d20570147c3b60a0fbeece8a1b0659213f0fcb77a6c9c235088439bbe498

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.7MB

MD5
65d33d9e631644b539e07f8ae46f7d41

SHA1
f6a093e85b81b6152683810e4acb1ffc54d0868a

SHA256
e8f3db98e15cf783696975443ed5d1385046004c9472dec4dc07dbfaadba6fae

SHA512
dfc538f7de56b6d2d2ce9446b35103519b0de2acee919eba748b7502f1ac1853c6797bc8c99591f33ba92b1314e7e1cc97ccdf3b8e108e995fc640830bdd21f6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
6de3564d2448f0cb529b6da60f3bf0c0

SHA1
0fb653315a44e36755f60a67cdce6852079b185e

SHA256
afa20f9f2a47f5211dbd227725d9542562671b7a1ef9e37a935196bc2f5f89fb

SHA512
05fb564e7cad6b40f51192eb1e6dde2484994851072bdcdb37ad8a7215c05be0b645f13d9f8860a0220b7f56949303fdae019e0b8b660c370f474b8bf06fbc43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.8MB

MD5
f9c9a773b219bd83cf1fefb7c048db8c

SHA1
69e1c8ec332aa4a90e1c374a3d278993276e269a

SHA256
74b5abdc650f68947c33a198d25d68d4352ba532b48c3673f94a4de05e8dfe31

SHA512
473d5627e8d4cc167ef673bce02db00c7584f808848d974f3b3764005c621de8295e9ca7c7126c7a6c260ca40932c0eb77c350ed6eb31ab75ad9dadfd72b2d49

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
3ea5d88f9498d5ea0c0f85882ed843da

SHA1
27c5add24d47340cd079cab2cc48341bdd32b6d7

SHA256
dbeb2b63ccbbefa096d11d9d8d62a97044f918fee1b593c5e5df993b2f2a876a

SHA512
f7090db8ccb1b6c60490bf0d8a8dfc73c55e6683e4cae25d9e8909747a01b928f42b315539ecc83b1fa098fdf123b180515b9da4dabcaa1e194d17f427156be6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
3969df005aa6c0fb12078a1e238c8571

SHA1
9f11d773f75e347a1a8b715eadd3e9bcbec303b0

SHA256
d4188169603643434a179689bba6a35f5025f19bc2071ae09f8d9238d6491f11

SHA512
d2daecc8d4b1f99749632cdc9e8d583a305754702110b3c31306d4a20cfd0e79502a200cee63acef6a902d4c53a18e38ade01924624da8c5b174725978652199

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
cf1387fa470c2cb2e43531fa035fa481

SHA1
55f8322fcf3f5534f93d701eeacdb73008078cd4

SHA256
c1e043e8d06807c8a030a16d3f9f213b1c09e2fbaea857a8f3bba6400e7b4576

SHA512
0c8645c6330b4507562153fcad658f58e21f2bacb0a82107cb6c11a19fa95fad00fd005b55322c9a5b77258af2665ba5fb513c7c046b00a101f9e92d72f4972f

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.7MB

MD5
1e86e31224d7bfa676d85b81f505fc5e

SHA1
5d346f43dce98d168471c7bde45448caf3ad472e

SHA256
2e757e8037fa6b20a5ff0907caeb4403b16cab9891c43754e31f7a4e66fcf9d2

SHA512
db81dbe39ab49f74333726b6473cb547b72713b97312b010b1957be402c39255cb7d9f5d3adff04f583b47ee9caf7c21d3b3f45770bbd44f6226655aa8d13ddd

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.5MB

MD5
e128a4c5fb55b3c537528196bff627e3

SHA1
4bc4addc8a7f239479f6945a63bd778b9d1b479a

SHA256
8040559e0983901e9f199cc47f8b2e26830e5b8339a5acba69c46e872a520903

SHA512
e0e5a27f218e85c2f5dcd8d28458603bbfff66ca794f0b5fddf76dd11809300b8df3c08da42e9cf51198cce5ac0af1277f6a47a5c585d25d507f052276830092

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe

Filesize
5.4MB

MD5
ced4012fe83bb04b03466e67dbf7c409

SHA1
696e35ee8f1494dfc1c3613e68feba27e3848da9

SHA256
f5870409209e1eb665444592afa3f2535255daaf93b4668cee30633ddf80589d

SHA512
e04f5b9c5976155731499bc434a97a15af941bc176684fff2a98a1d2bba4c8e07d7993e1252cf5c623487770718928633fad9d631e460860bb3b07afb891f385

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe

Filesize
5.4MB

MD5
8c3e88cb00673fe07a3b76aa69d615e0

SHA1
874ce5f173274126ae493951a91a7ad4b115abad

SHA256
a4e68fea35acac794dec72d3ed0df66fd13e2ce1bba59eeb6c38102e7c550701

SHA512
6ec0e9c3245a89eec623efb9348b024c7392fb85d287525e6aff6442c3f54c85141c3e6603ff5f659fc8b2a2cc5fd9fa571bd7a6f4be48075e57895269928caa

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\chrome_pwa_launcher.exe

Filesize
2.0MB

MD5
a4e6e67982b14e3cba41fa4fc3145e9c

SHA1
5141b350fd41db6931aac7eddf20454b37a690a5

SHA256
bd0cf32be5e5422e6a28343c0cb3f40baf6a2660e3814cf3c67d9458372adc39

SHA512
0617e35524e87180ac797886538d4b539fccc300d5dee4b44c5bd28ca26c834b08472b8f6f040085f383cbbb8838d61c0709c3dd5978121bb65873ee4f25f860

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

Filesize
2.2MB

MD5
2d6f4cfa91dd4a58ad12b451aac8cd0a

SHA1
4cfa038c6f839a68174e7f5903d14766299b859f

SHA256
9307a9ec4b874c83678e34077536074f61830c8b7f05734797b541234eba21a5

SHA512
8566768ec6addd0bb44c46b064fbff8613f4185fd5066e69896790a8df0c8d4d9f6392c5fa5202f90fab18883b0ee8332b83de468d71270db247ed3768c43e4a

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe

Filesize
1.8MB

MD5
5441882af90a1722d2dcbcd0d523d0e3

SHA1
88ecdc85ea72881412d36bfeef2168ec60490c7e

SHA256
53465963a3f646daa1c35b5fd811e8358c5b319a2ef98f6bfdc355d9120318c1

SHA512
2a2b1feff176df0edc6dbde7066f822d0781325f0336b5fbdc934944b1e1592086f55f49fd4545720bdbc4ab2b1096b2b9bf3e26721c9d61f460ac32cbce70eb

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.7MB

MD5
86894e27097db7c21eb46469caf4b38c

SHA1
4f873939b25963fc3382cc30402468b0e5cf99db

SHA256
a26755838750f0d2f49bfc151cc98a22c9140aa8313a8d7094c076f50f57ed45

SHA512
33f84ab9faea5d64df6038714cff958e46a06cfaf0ae34e5616a9690d070b0216caee8b14f2379f00ed418e77623495020d6589bc08c9b4f5b714ec060089486

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.5MB

MD5
f4ca7831db11b45e96cc6a15dd380be0

SHA1
539ce4c2b50512546b07aadac30f492787b64b23

SHA256
74786a6484982d449715f1bfe3ff1b933266bdd952e678ef4717861ea4fa7143

SHA512
0b983e8e6b0171dcaaed4a8562591da35f6ac6f1f85173734f59dc4c70cc334e8a8bea5c729643f10dc6f0861b8532223beb9ee6ab64676868496f15e258211a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.5MB

MD5
f5edaaf17bbe54c4adb1721124e76457

SHA1
81df4db3bba0d6990b03814730d406dd6440a18b

SHA256
584e0b34e5cb21b07a6885ebc54362c971c200e0683b0feacc899824a7e0e66b

SHA512
9e2c54538cac0378b8ad1d8b3b86171f07a428297c64c9c8bec7604363dd4cd55dd5452a6b9ad605e4eaed8e952c4bc6d17bc598e1a4c6ad8a8bd6a275ea407a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.5MB

MD5
0bd739e543a62176aa9054c9c0be1c29

SHA1
afa4b01a2dca97f005a08c9cf40ca51abb292b1d

SHA256
8effe145adf7fa16d6a457cfb92cf6347e3d8b7c3b8d9393993959d68dbada2a

SHA512
1df54d60a75126dbe8457381bd697230c0233d4bcb0ba3ce316ace40aa3fda0c1cc165f9c5f65d6fe46ceb859621ca2a34d389579112c8325213229742c0baaf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.5MB

MD5
cc4539444560469dcaa62ce45c7e37be

SHA1
4b63364f7695281f8fd94c08a9eaf4bdc9f90f59

SHA256
5c3cd3e45cdbcb99cbdef21b37681d71c384a0006207fd3a6b8033b8a6815674

SHA512
7fa5ac2e9a0666c0e9f812068f3b2d38f6a3cb1b2164771f6e80a74adbb416b5ecf942d0ee75486b24254cb2088fb560dc70d43b7196172d5d6084bb716f7383

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.5MB

MD5
2e7abc973b1d0897dfdf185d63e1791e

SHA1
cebb2d9895b514fdd87199498e86fe9406234f66

SHA256
d94e117fb03ad5524a4ba18217f646940ad65592af86fb685548a4ad64ce187f

SHA512
9e0041e253112d077171b0d912ad5208ea7037572a9314e29c56e676a972d77ce167c3e524eb22e882d9e7de241ed9d52fde7aa501168f2162698bea113db86f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.5MB

MD5
954dadbfca1963ba090f9e8ed7fc0847

SHA1
bdcfd65c6d8278e66bb0cd62b38aa1ac9a22a7a2

SHA256
c987b4c1419027bd40076a39331d10030256c9bc06e97744b0eb71f1e06c742e

SHA512
e7876d1ac826d863ce9026025c260324324e920ea2d44835746ab459cf9208189178a5394432c27d76ccde33aea68b0047c80bf372aef0fb422f8980fc3ed5e3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.5MB

MD5
056f26e4c89bf61e14a6e300576351f0

SHA1
021b4fa3e6d1d657296b52eb848c780a6fb25b5f

SHA256
8c19bcc757552eb4b7433568af568bec3fd0ba3f22e06af48cc835bb14eff072

SHA512
495ea0b710b2a30d5bcb3bf9b0104280b6c53af66acecad18ef0a3c4594f0bc7124ade8b2d285950f809f291386a18c20c1a81d1f08bee3b638cfae5c02d1143

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.7MB

MD5
44490dde71059abca2b4d02d778a31de

SHA1
d198e8418b56e3695a235c00d77a7bdf7e299fd2

SHA256
a99a219fd98e8f68f8f041007e30f7485d973848ee352dd6624ddf9b1677ffaa

SHA512
3ca2cbaa9942bb2b37bc2d0795544df52f6ddab0830b7ea258029fea2d9c102073c9ed2c5bbc08e86879fd462eb5c6e1b484e86537e6ce512e9147a987887c16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.5MB

MD5
9105603b3285c256ddbfa90ed147d88e

SHA1
64395c2b0355bceb7e6d3d146734360c16261deb

SHA256
80196d05ad5c050661804aa17648c0aef67e110b681d71951526e70c0e7cc175

SHA512
0bae6cb9c79429f7f68b86b836c6f8a357b625ebdba6f8151d508477efe0100ebcf06e8fd39616eb1b3fb6606cabf0039264dc924d8f61c5b00010155572d7f3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.5MB

MD5
6e8ec843bce5aeb5d0f379bd5e06ab1f

SHA1
d7595d0a03dadde516587651b917b37bf894bbd0

SHA256
c9be266794677b263adc645d418efd20d6ddbb06f08f126d3eaa5af2d3a0babf

SHA512
64fba63afd2ebaced98073db131e87c96e286861044e469f6c84d98ef0b7ba498b0d8a8d853d6d2a812257499b0cdfebc9b7bcf63b09002bd7455a8de6cb3629

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.6MB

MD5
fe4ac05cbad3208248da5787ea470a78

SHA1
336fcdbabd954a2afd7d4f3caa0790390280fc34

SHA256
a996033d2923653032fe8dc0c0042dd8a748f1c96ef6a1c1360cfc26926b5fd6

SHA512
38ca7b921f1b10e30c685d2b138b7fcb917ed35efbbfbef2dbbb237b6afafb3ffde9a9ff1590834de04b3e1dd78526de9d000ebbf982066559aa24e06bc9543b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.5MB

MD5
4891531506f2284dd19875fdf41426f5

SHA1
c8d3d232cd88c8039fbc9cfab910c99c76cc1d67

SHA256
f33dbb67f2ef32dd660092488a4933de85afe382cbda597d8fe0317ae8d5c0e3

SHA512
d7461edfbc4204fc2645c0beab384595debb36cfca542aa927fedef9606779b4d98d3cf87bc6fb8d448a4bb1261ff1fbb66be8d069f1788e89edc8937a7d53cf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.5MB

MD5
01f8ee9881c4fa78137b580b65ae42ad

SHA1
af6f99a00e64a17ca7ad061a085531aa14ddf486

SHA256
8a4441d84c142c3521105902f993cac1cd3fbc9b8220a8e647fb8b1d25637404

SHA512
f46807910b944ab61e039bb375d51fff9fb75f8e71cc4f40a40b759b7bd8fb07d1f82d8036554dea0632719592898ba9f770f71b9a546f4f49282323728f9ddd

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.6MB

MD5
6e98710d9c3c442a5a0aeb94a43fe064

SHA1
e7ac67a31223b011480cf7ddaed66b24a5a2b9c3

SHA256
2397624e4b31a9c805c1fa99113bca962cc1b26cdf90b7775944dcf106806e33

SHA512
8d828aa31d6cad1240cfe52e20173b27193164f34eae85d12ac7c9794ddceeb82178889b3c4f3c99f567b4236b58ac71e3011dc7bab6fc1d535801237b8ce773

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.7MB

MD5
8fff7079e1e394abbcc1b163fc925930

SHA1
59c16733286e8a1f78e117f91aba2f42f867808a

SHA256
04ae584abbba6838c967b7dfed43b1f9f51503fbb23bf2802b96b1a2401f8206

SHA512
841d68ad3b4cff7f576c6d8110fcc6a91505891795f3069cd6ddeda7cb8e5ffa1617db9962e562883386ccab129e9d9593969dcc68a20cf40464d5833bc21947

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.9MB

MD5
9a05474c1ab7f8ddcc4efe712852cc5c

SHA1
bc30b01ab2d27985443a83890ec5472a3f2b825f

SHA256
a0691ad9eb60be3f45ac781fa160eab5a45ec1253daa4d577f89d7599a0edf51

SHA512
a767aca1b2023005b92170048c9c2ebcbf4a8aafe73ca041d3303f01e3370e1551265dc29781eddb4d8dbdc5cb2777ca43ffe208ea3321f86a36813d023c20e2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.5MB

MD5
7de143aee5e4b70c0ea85e3ceabc3005

SHA1
8c66c17272ee7cbc0ea30a51885d268022fb1f24

SHA256
536418126ce661d86cafb96b95f28b12011ae008bcab1bed858f4c6eab0074f1

SHA512
48b6081955cda17294a15a1bfd39e4e92de0c860172785baaf7d4d577404d47f8a014ea1b935703b61d1f817ddb212617d570845b331d36b5dc76c621a749e35

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
44444072aa437cd9903f04b5f1979ea7

SHA1
31d1769f96aa04de1491749671069b035ed588a1

SHA256
e19ea9f881dda7c2d1fbedce864f7503273356d33ffd60a849bc0e136056ee98

SHA512
e9d8833cabee50c430e3ff1146b438d7e0e7ac922cf8b360939e22505e6ba90c9814c7cea55a32d11160080dd8fb72bf68ae3aa4f49f0d11de1d0330ced93540

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.6MB

MD5
68edaf999e42a8aab4c249ea0a8032d1

SHA1
8a70680d224876674344a42cee419566e25a6ab5

SHA256
0cda0f64db97f074901b81a2d9361c49ffe1b9f9d6b02adc91f63745db63991c

SHA512
6a07ce85c89c7c7e9ed191415d56120ffc05c36adc36cf613624f9d1bf5b18e1a7744ec5d5b45dc33d2f6d50ae525b21c5e1b2c8aa51b7ec2b9e203e184d1477

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.5MB

MD5
617f170fbba14a302b3531fc9b0f2c3e

SHA1
ae6de848c8818062a47e8e3c1485273b8bcf3986

SHA256
87d27d15c5bea724015bdaf7f0ecf313de04964371c73603a23e996be5f0abe6

SHA512
096e1e78e5d7cc639ac6533793c5ead327144cfad4cf8b71421fa5fc13894124777cf17795a16bb363fe67f5789b1a4d220fc52d7311c5d2d6667fbedbc30e9b

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
376d6b73a7f8cc88777d8a988aea5c4f

SHA1
c7f1690c51ba9c115b38b6dc1bf1dab31789ec24

SHA256
23b766609822d786ec3d93a02025684b0873dfe9cc6d0d445a86286aae6df495

SHA512
f8b952da7f9e4f6ea2f970aef6928d66167c7c9a3049b73bc6fff42a346ad49038460529fedc98aaeee3a0e8bba44afb7b6348dead76662cf778cbe5de8c85b9

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.5MB

MD5
af34f7b0e7eb95a0a8f4cdd6fec731c5

SHA1
3c43c3ca6e75bd1e1a847a5c9f9af86a10efc5e3

SHA256
f0cf3d5b0b9d4e4db50cf886a7580395269ff262fd65fd8a236475a2d82b339c

SHA512
5f99c9ba0c8a20095aeb56592285feb9a41f737ff6e3155c5d57433f57eda4ee97124259c90c8f1b21367d93d6d00990aff2b3685a9ef6fd339e306c352bbbea

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
bdb723ad4eb08470beaf9d9dcc4ecc8f

SHA1
fe57eaae80b128e80d83b2e99a9da92989d67c96

SHA256
029055122a54827f52f9f543765ce35093848eefc3249e190cac72ed192fecf8

SHA512
f08661393427e9e5b38c4af59667112356c0c44703cbe3f634b5f6ba73ee2d08e7342ca4750e310a2b9381aab3f92c0032d6a0afbd5b9f9aa7f938e5f5fefcaf

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.5MB

MD5
78ff510cf5cf0ec009fba1c94e4db103

SHA1
3c0cf6744d980d9d6176ef0eec6b3d02023715ec

SHA256
7fdce5ece3df827b9629e7b352c4e69897fb9ac27dbe43b114be649464395e18

SHA512
d6bd7b5e627220f12e25fc969ad15aa1c2d2ddd0a0749d56c6345ff41bc79e60cd2bdc265339bb19eba7ae5e41d111508a3f5d2da3ef10e1d280c62f7485fce4

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.8MB

MD5
ccbd755ab2ce49c631f643d76ffcb131

SHA1
d999ae676971217d30ded989c2d8d78f0c6c6754

SHA256
15c1c94d6de43e13781e917fb6015f87c4730c001b8120b329037fbada10e0f4

SHA512
c4c4b005c961577a4cb810a0ab3d70db3651f5988cc7d6cfe8dc5d2d96e3c321cc30c290c3d349881dcca380ebe136eebb690e54e4686d805ac67916ad7c907c

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.6MB

MD5
3ce6ca9c9939e17e51381dbf50749fe0

SHA1
a5aa345a035c826a45f240c5b48f0a3d5e182b58

SHA256
0ddc3992ea2422dd2d8e2a99d6f21b121104c2c6f914804602ede7a5946abcb2

SHA512
e73bc471bcd8c3aa22856a26e8e9eb6f93dfb3c9b6a98e5ce368e8c303edf5b06a9209ed5e61c9e39a2ab3aa6bfdbbf7904396fb6277155b0ca61189ff3da41b

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
3344f6c6c51996fe5b01b7fbf5a3c068

SHA1
1a87ae6a831a27fb672fc1753b1891f0be2285c4

SHA256
08028002fd6ccba4c0016f91a3d89bbb98001abf2f0a68080e4e97709f25eb52

SHA512
e900f288b9fa0b60b41423c74fcaf829d430bb38cde7ac67ff6c3e6f3f7faf895c2745a1f4e789ce86ab944660f51d79223241c8693e4ec16d87b2e03787dd97

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
2399536df5812840eecb213f9ff3c235

SHA1
bb2006465a5bd484e182137efd736e86a04e22e4

SHA256
6b1e1afff4acb081ae849aed9151fd82538af43469c8e4ee77b8c50886d5ed07

SHA512
cdf1e5ac26754750a96624e6929260f9cbb994d403bfc32d263b0eccd297da5bda027c3b4819b6f04ec89a55696fb2884e07da83d2b06a2e62b7f75261b13f54

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
b389067a03c14df42f525b7d372dd699

SHA1
a5b011f58ae743f3f057dd1a4647a74b4861fa5f

SHA256
1db985daaddc47e9137f9b97810e324dc16792ed38966562d66bb12b25cfd9a7

SHA512
6dac9e144c0fbacefe802ca95a06487044177d7b32a8d7c58421ae79b3b2062bd306582cd9a86562604be7d9f98437c2949beaa41fcd1582ec20e82bda1fa77d

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.8MB

MD5
66dfd1f21ea3309986a599261c8c6a79

SHA1
5cb624dac6452b818a7e77f200b6ffdf0c8d7d99

SHA256
b6069c76c0a018ca32ae800c5eff4eb963a6151f2b1d266c7b2724f841e5d12b

SHA512
cf01f8475ec3ddca1bd05729b40593976b9929acbb3a272377c754ecb30a0acc7ce10160e36c0c878e4b831dcf7342caf74d6bb0ce328dee92b359da6131d37c

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
4b978c9febb3b4e40a667df3c81cd735

SHA1
b66790ea38c40144ce35174d3c1b07307eeb91b6

SHA256
2826806847484d82d3d2c4543ceebd376d89e11ced187a387f6a0ac298ae8c73

SHA512
f56846e4c16e85fdf2358926fbfaed44a1e09423ea5a170ef8e1156d889fea63c3db30d35e26a112acbc0ca24c62b9e08080ef6a0e459676e604ceb00b47dbfa

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.5MB

MD5
d1a50e8fcc373a8a2dc11b215c9bcbb2

SHA1
6fdb0b93d9fe44041b3c50b566c6a9bf9c79e6c3

SHA256
05b1eafcd73c856875ba4f48c7f93910cf33a804ab4168b120e464d40e470ceb

SHA512
63992d3156667ecfef3ff1dd772c99961f8e792d8b6847963e924f097bbe06f6cb54524f9dec5f647464ccf26d90004625dc3a54e40a543965480429d88a6444

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.6MB

MD5
5ff7f54d813a2509ddadf0b449768a93

SHA1
fd6485bf3315c605adfdd2f23d8fe4c4bd3ff65d

SHA256
80dc87312af5540bded0701e19556199103ff5e0472d91508ec25702a658d573

SHA512
b52d966dd2b5f2dc1f1caaa2e10906fad45af488555d9af78bdd196e1bb8033f3539a48edd5157e039b95f17985eefffa1a7a417a1e56f1ac2c21ea51dbec99f

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.5MB

MD5
c0443ddc5464a8858d33aa7dc47d9d1a

SHA1
fccad944bb16c9f8bc6668a6000483fc543403e9

SHA256
b0bf60783ea92903ceadf1dfabba2650626536ae18dc9c0d7d1080616b7d550a

SHA512
7869ed45fe57b4379a827ba949cea5f5586a067c94bd02d0cb2bfeef94f3f20241b94a7c4dec34d37276ff7cd9b35174f34654c16512e2c0973984e59ad8ed62

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
0ef23480de6eb1b3d8856a95052b1a82

SHA1
465112fb8b4fe869f4d90ba3fdbac95038537501

SHA256
7e37d8c916048f18c8f9193ac4a2e601aa6a52a1f08e2160bdf976255c0b7e30

SHA512
c49799ea6aecb1310226a46a19d7be117b44647d01e52ac53e51d2cd847e7acbb4a94143f669710dc038b37806238cff35c433264c69d2d28de1215858461adb

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.7MB

MD5
6528d0726b9b6b6699d107d41727302d

SHA1
09dae04c126cf01150dcd38478212cad7376149d

SHA256
ae2d4a43f24b0633a45eea90bb7f3f3c18f47b61e71ca21d93ae991e731e13b8

SHA512
243c1b7acec01c793dd144dea6a176dcc907da017d1a24fd05816b5472b54a720d0346e591e2fc73ef38eed69784e5e94ef4741444bcc094449da063896aea0f

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
b115f43fa26b881fa4bb2258f2409172

SHA1
52818d31692a679e306935f2625cc7750c628643

SHA256
63bd6c37c89f75d6078d15949de9eb43699eb9d3af84956b388e56251732712c

SHA512
6aec0b98443557100bf8d7c2a0b75be3948e8f1cdd7e010a35fc3e07fa21194fd92bf04e495fd812481b2308a2d0fee5a375bce34b2a0f1954d3742decf6b5fc

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
596b38813ec843a8b70749ce346064ed

SHA1
12b35ef5640a0691523d733c25465dcc8128291a

SHA256
afc5f74164c03f2dfeccf8278f74ff4583e0ae830496125a76e67ed610e7648c

SHA512
ecf73291cdb03c577f5db266bd84fe86eebf994b6e40a30abc479590ed29151fab75eda64ef3308e3e4434df88b91697a2124aa90283550020d51f0f6f732574

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.8MB

MD5
e0d925c3ad232675e2adb27484cf301a

SHA1
db5253eba66dd259783fb2929e82b2f287cf4bb0

SHA256
97e22a9b8f5ccc987c7dbb4676746780ee603bae1c9f499e1e7cd7f3b618a617

SHA512
51c8bcfdde13bfe64099bd4dfd2f789f0312b310f1f8f69789603cb1a51938aa0dc91d161e3223971b6e2ba4cf86da231a5947fee57d12a6b14e12b7ab76f528

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.5MB

MD5
7db83b889d88fd134e1a9b7166540612

SHA1
fa770c1068b6a5722a6192a63d0cc7b512840ea9

SHA256
611a90d8677354cda1cd22f4984d55f5e126f67139fc98bdb06b02b5992619a7

SHA512
91e05bfb5d5997a3b0d4042aaea6337f30c98ad5845c1a96b6cb6c62a1ecb80888184992dce533302f98c51c6237273591bd45b69940a36c03fe34c44fa52f1d

Download Submit
memory/816-549-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/816-220-0x0000000140000000-0x000000014017D000-memory.dmp

Filesize
1.5MB

Download
memory/876-773-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/876-306-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/964-240-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/964-713-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/1396-256-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1396-768-0x0000000140000000-0x00000001401C9000-memory.dmp

Filesize
1.8MB

Download
memory/1516-289-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1516-177-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/1576-99-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1576-93-0x00000000004C0000-0x0000000000520000-memory.dmp

Filesize
384KB

Download
memory/1576-101-0x0000000140000000-0x0000000140190000-memory.dmp

Filesize
1.6MB

Download
memory/1640-772-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/1640-296-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/2084-305-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2084-194-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/2144-276-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/2144-157-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/2144-156-0x0000000140000000-0x00000001401A0000-memory.dmp

Filesize
1.6MB

Download
memory/2352-774-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2352-318-0x0000000140000000-0x00000001401AD000-memory.dmp

Filesize
1.7MB

Download
memory/2604-293-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2604-183-0x0000000140000000-0x0000000140192000-memory.dmp

Filesize
1.6MB

Download
memory/2728-239-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2728-115-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2728-121-0x0000000000C70000-0x0000000000CD0000-memory.dmp

Filesize
384KB

Download
memory/2728-123-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/2832-517-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2832-6-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2832-0-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2832-155-0x0000000000400000-0x00000000005CD000-memory.dmp

Filesize
1.8MB

Download
memory/2832-2-0x0000000000670000-0x00000000006D7000-memory.dmp

Filesize
412KB

Download
memory/2924-279-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3400-111-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3400-104-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3400-127-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3400-125-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3400-105-0x0000000000D70000-0x0000000000DD0000-memory.dmp

Filesize
384KB

Download
memory/3496-290-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3496-769-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3508-137-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3508-135-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3508-129-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3508-244-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3572-767-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/3572-245-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4212-680-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4212-216-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4212-338-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4796-775-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4796-339-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4808-317-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4808-205-0x0000000140000000-0x000000014017C000-memory.dmp

Filesize
1.5MB

Download
memory/4872-11-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4872-19-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4872-20-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/4872-176-0x0000000140000000-0x0000000140191000-memory.dmp

Filesize
1.6MB

Download
memory/4944-153-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4944-150-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4944-148-0x0000000140000000-0x00000001401B6000-memory.dmp

Filesize
1.7MB

Download
memory/4944-146-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download
memory/4944-140-0x0000000002280000-0x00000000022E0000-memory.dmp

Filesize
384KB

Download