a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/08/2024, 01:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
Size

1.8MB
MD5

ed34b680cf2b4103d23428eb4b766855
SHA1

fc86edf6657ac81d58d1612de7088cc0bd60ce87
SHA256

a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466
SHA512

ee70154b74872c3f0c11a59c58def5bd8133e3157ccf39903bb28e35c4c96847678ae489c4e7be174b0ca597ca809b97de6b48eb1189d51b32300b91baeed85c
SSDEEP

24576:jdFIeHFlGYDAnNQu49sfO+sKK/kMyRZybL0oDMXLHFkY07Vr68KZ:jAyXUGu490TR44XrT07Vr0Z

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4976	alg.exe
4036	DiagnosticsHub.StandardCollector.Service.exe
3024	fxssvc.exe
4612	elevation_service.exe
4828	elevation_service.exe
5116	maintenanceservice.exe
2420	msdtc.exe
1992	OSE.EXE
2652	PerceptionSimulationService.exe
3708	perfhost.exe
1364	locator.exe
3456	SensorDataService.exe
2564	snmptrap.exe
3492	spectrum.exe
2812	ssh-agent.exe
4152	TieringEngineService.exe
2260	AgentService.exe
4688	vds.exe
4656	vssvc.exe
2128	wbengine.exe
2996	WmiApSrv.exe
1472	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\System32\vds.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\AgentService.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\dllhost.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\msiexec.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\locator.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\spectrum.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\vssvc.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	AddInProcess32.exe
File opened for modification	C:\Windows\System32\msdtc.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4a0187e4a29f13f8.bin	alg.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\wbengine.exe	AddInProcess32.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4484 set thread context of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateOnDemand.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\policytool.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	AddInProcess32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	AddInProcess32.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	AddInProcess32.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	AddInProcess32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007608c3286de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006730162c6de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000004a71ef296de8da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a1f10c296de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000627854296de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003ce1bb286de8da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e9da56296de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\zipfldr.dll,-10195 = "Compressed (zipped) Folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d5c6ae2c6de8da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fe0b2b2a6de8da01	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe
2408	AddInProcess32.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
Token: SeTakeOwnershipPrivilege	2408	AddInProcess32.exe
Token: SeAuditPrivilege	3024	fxssvc.exe
Token: SeRestorePrivilege	4152	TieringEngineService.exe
Token: SeManageVolumePrivilege	4152	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2260	AgentService.exe
Token: SeBackupPrivilege	4656	vssvc.exe
Token: SeRestorePrivilege	4656	vssvc.exe
Token: SeAuditPrivilege	4656	vssvc.exe
Token: SeBackupPrivilege	2128	wbengine.exe
Token: SeRestorePrivilege	2128	wbengine.exe
Token: SeSecurityPrivilege	2128	wbengine.exe
Token: 33	1472	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1472	SearchIndexer.exe
Token: SeDebugPrivilege	2408	AddInProcess32.exe
Token: SeDebugPrivilege	2408	AddInProcess32.exe
Token: SeDebugPrivilege	2408	AddInProcess32.exe
Token: SeDebugPrivilege	2408	AddInProcess32.exe
Token: SeDebugPrivilege	2408	AddInProcess32.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeDebugPrivilege	4976	alg.exe
Token: SeDebugPrivilege	4976	alg.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 4484 wrote to memory of 2408	4484	a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe	88
PID 1472 wrote to memory of 1812	1472	SearchIndexer.exe	116
PID 1472 wrote to memory of 1812	1472	SearchIndexer.exe	116
PID 1472 wrote to memory of 2196	1472	SearchIndexer.exe	117
PID 1472 wrote to memory of 2196	1472	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe
"C:\Users\Admin\AppData\Local\Temp\a5ade64362442929ca1805bedb8e50530bb2790e46bd0aa4c6e4805728325466.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:4036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3116

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4828

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:5116

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:2420

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1992

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3708

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1364

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2564

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3492

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3180

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4152

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2260

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2996

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:1812
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:2196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
15fb127f8bd0980f14de93b9719b8b9e

SHA1
211d01035bdb1c7639a762a4ce03f7baed664adf

SHA256
49a920d880657ed230c59de19b070a3ccd25f084b535caf9ac05c5146777a9bc

SHA512
16049335f98b21fae561f1abb6c4760a638c67d4a6035b95a8eacfe73c60362e0a3e3805bd3fc0726b973b79c2078ce70fdc4ed9c638f4be33b5664034be1ae5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.3MB

MD5
0b7e993f2f5ddbaeb4766d9474c129f1

SHA1
cfd8509b5344e184d378b48f5d9e94807461b9f5

SHA256
979b2681673a70750af7774b6e7d85551e1fe18e5713842ec16b7020645e77b8

SHA512
c4ac59dd7fc397af0b671597441b6cd817fe9a51ab3f53fac8d5ccc23aac2f73ce029fb4982774f11625af8020b94efe81e9eef67352aad3596ca6659af62c2e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
c651656a18811989c1a2958ffcd88070

SHA1
9ba9c39d736fe889462fe37fd37dc9bfeecfe6d6

SHA256
4a6a659ccbd9cad15cd9c0edb8c74a17f79fd27a573bf12782a8700de87dc89d

SHA512
feb88426596a996fcec6d336325317e9ff5fd71035d3dbf906702947c51af93a85fa4f7fec88e2283cb03ea1ed0999d4c2d44b8c96b9fec66c82e4091b568609

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
c63ebec145f44a9d8398c185baf80c19

SHA1
9ba12d3d812b6aae2ebd79231bec2c8f8b1f64af

SHA256
b74b9b50fd62cf48fdc163c656332ee3d515a0f6a4ec0a490b93f9f15f58567c

SHA512
c0f577b4fe49362a5f17b19f6d6288c0f8458e3ef8f65c0dd3ac49e14a12e235b06f178152b7c47f66e138a08b4fc83cae4f87587867908a38358a96a58cc6a2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
3172af39f9aa4d16d030c46f9a68bd17

SHA1
a7092dbb91a645c9ad1dbb40b3be6ff97f03334c

SHA256
07a287e0ae3a05e74fca586f591b2cc06c9d5b25f03a2adba5374b356fe5d470

SHA512
e378519dcc5b75a6df8404df590fa63f74a14f0965177cc4fff843d6864f799a6f9ee802864201dc07d7483716c1a0de668a9c42ce3ab63c5fffdf7b2f80d21c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.1MB

MD5
7f0b84be0e9def45a798fa4705bbf43a

SHA1
587df8433e61355c3aa8e6db4d30301fca1e91e5

SHA256
25bb949577dda2a05b379d462cf20041ff841b68fda2dab33dbe45d85b04c2b5

SHA512
d9e912e091e64099187e3ae29ddfd4da4fe827553e1656181ceeecdb7b4e670225a9917975276eba33f3d1cff70b1d7d66f6fd2b79a717efa643ebb149a9c519

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.3MB

MD5
043b9ac4a9030541a7f16e14561713f7

SHA1
c8de389bbe7a42cfb551f2e105a4c9cc228bcb98

SHA256
96c82eba95bd3c8b3e8c731f2ec62278713f7f0ad3e35336bc6f18711315e492

SHA512
f90e444dd040b5ea81b3a28c2e4b270cce334d65a5df90b98f64155ad2800dbf0d510ad48f5aeadb0b9bf31737670728af4893a87c60345145ab5dc33e31b7a6

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
b5a1207820696345662c2eb2dcb077c2

SHA1
7cbb246288bb02b47ce313f6fd47ad801bcda4be

SHA256
2fc15eeab19698a749ce4f29138e4fa63068089736690bebe4cabb74258b3c93

SHA512
5c9bbaf99edb0f1346837bd1d2fee53abb454497cde51bba62b5f2a5c8a2465dff2b06ef4b621711f21dc9a796f012f26c9ed31f04f7937405209d4a15a77bae

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.4MB

MD5
ac9a599ab195792475d5005c98e4d43e

SHA1
5f534ed6f177c46f2b9b8cad374423ee7df3c628

SHA256
6c834e1e1cbcbe56fd2ef36e954a525e290579ba454b727c2659abfb3a1d7fca

SHA512
c67d73a3b23b515291f4a373ccfa1c6400f05d3f327c419ed6ac0beac0ade9331bea617e4fd192c47dd8dca6a2fd8f1c7968706f6d4ee9eb24dc110ab299aa89

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1f5538a5ec3fda5a375b51f8c9ac9089

SHA1
01b7e644cf092a5f957e269f7235b1fb21705437

SHA256
98234d9548a87dd5b1ef467d3fb0656417111aa6e09ed8117162a175cf0a1821

SHA512
3d59c00cc6df9db098facc0d60859e13869d019f7470c4d8bd71d99dcbdfdb1a71d9e96ba8d2a221650b67f2849dec1d88d1ad60875785dd8b1c017e9a08617a

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
7d99c3e17201dbd0f0e3a6050c5f49e4

SHA1
92f4efdd89c55a10ba2364b3ef47551844ce5533

SHA256
df26df19c3f87dbde318ac3936ee220109a2ae7168b26378e257611e3766db48

SHA512
1753926267616d6b87978d0c3b4f6edb496f7e62fef77f02374f687abd53f5a827866d68642e26d0bce7103c684d03e3165399d2a461934a0856acf01ada3c70

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
755d194315f58aa0abef06fe31c2ffbc

SHA1
7cb34308816f59560762176bbbf7ea999c080dc6

SHA256
f5a2341e9a24488f527fe193de5c615b98055fb2dba8f8f2b108945c650c3f49

SHA512
c5f1cf3eda0e44567b6b05dc8137925efdcd7f978f32090f78a490365b48bae7089d7b477045ab2229a97ab21222c08d8115314d71d2f264e79af707308f26e6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.3MB

MD5
357da7b7df319bece942abf00207aa2e

SHA1
aee21d561ee8ae21eba120dd64fbd70c173c9d09

SHA256
85f1aee28b648be387232c4da28cfaac3c188bb154948889b515b3659caad7df

SHA512
dba2f4b60bfac418cb6fc1e6b1c8814fe6efcde0a01561e3ade3877f40e5c533fdb707c99a706f64a2e59dc663c755db0ffaa1052e019f3446df8b774ea45e95

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.2MB

MD5
e05711d2e778e2981216f7bd8d8dcc34

SHA1
63d7120a2a0f1635409db0e0ad6fbf3f4b1da87a

SHA256
d3ed770cfbcad2cb55eecc8d0cbfe8e717e3ed415dc87923f95e7dba7ced4a35

SHA512
4d010ee09d10e15d02040c6bfbade2578dd86438d4b96054f458d600a0ec20afefe08cdc5410b08476cd7a35d210ebc2a8687ae4568a801bf4106f8678225401

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
fb57574114d8cf038d487c9be301aafc

SHA1
dac72e173798de996bddaa53a127d16ea68ccf90

SHA256
04f9ce8743d1900aed5291c655ca469b3cd4a1fb1df7e2eda2a06b0c1d0e20e3

SHA512
f7da85ef34fe8efeb4a27930d27d2b4eed0507c3f7f62d68322526e4dc2ba7ece280df4ee62911072ec5b793189ca0143c3d0b8d9fdbaa9c80b29e5422b039e1

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
46ade50a76f16487c5f9d2a8941905d3

SHA1
3331af05301d2c0e16feb5647878d7ab285b6dc0

SHA256
b402d0795f09cfaaee41370a3faf04d71aa9f013ecad554edf86b5a5bce0f4ea

SHA512
7b7a0ffa024d50011f32f901193e722137eed78a2ae8002406a735c2d4b1aef97e310ba7fdc5b71323dca8e4234c9c8fe2d5c2d6d49bb88d7b2c00e1851ff428

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
38d4e352f0bcac848cf2a7e0ebe58feb

SHA1
afc552ecc5ab3946e0c9ba92682f84c63c0ff569

SHA256
ee6e521f6c7bf109dbc6cd55efa44b24afad074f67f737468bef0621951bfa6c

SHA512
c571c896e4b29799db91b8aed9599f7d20f6177ddab2eae6caa1890e44194586e0e09e6621cc7ed3c0ca66e2472c768b8148b235546c57cb8ad3c1c7511f0c35

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
8af38d5756f9f1a70b696bd29d33b496

SHA1
6fc95439a0dd895d693d1890e35dd39cca49cec3

SHA256
fe362bc7b344b7ff363daac55b9132d527d73c83e6a52553793e8033b921a74d

SHA512
4f17ea10c0ff9969d4e8cde44b13f11baf3cab7edad7cbdf81c12deed258d5788bd619b62b459a9aec9b3e4d05a525f4fb6f24e829234493d35aed84292a3bb4

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
8e714da1de8e8fe25969c57196240473

SHA1
7df18ea32f72bc8429efdc011435a96c6280cf6b

SHA256
c97d4f3216afc5fda9b639efc233724ce35d5ad56338f47611908ceb86773e0f

SHA512
066047ed4836fd892e5e2884b7bf8e72bb74ed95e9d54c478bae78eccc5169cc0310d4308987a9e577edf627b3acdcfde03bdb350f23d9f337c9e52e7aee4dd9

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
3c224778372f26dbbd5b2e3cd7139674

SHA1
b0ac39ef1e708aef23fa34f9389382cb47bc0cfc

SHA256
29f0ac7e543027477ac51cf237886fe1dea1b0e7c321366bef8aa0eed6c8e097

SHA512
64a509ab520775f9e1006f9ae886b07fe24cc8669b68371080db5bff247ca9cb6122ba9bda1781c31ce3a8c2b1fdc95622ed5fd3c5cd40aec78b6e13aa39cb0f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.1MB

MD5
a505fc79375389d39f89f776db6fbc2a

SHA1
ce5d5b018cfb1b238663b265c2e4201f0fcaa187

SHA256
adfaac8d5e392f6778294f9c1dccc1ce42f57646970d8de5cd4bf5fd518964d1

SHA512
cea95c0a242c38c594f08df5113ae4aa760dabcefebc8bd9e873c81f78d4709d8dac67794048a023ecdaa2b8242b5c67782acb3463152740cf8741074f1cce90

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.1MB

MD5
7ebbeae2e49910eca3912ad3bf406145

SHA1
6775d07c059e4610de6a86d30ef3b6954363be33

SHA256
8dbfae397a456f050806baf29dd662e2af8728118df7ed7ad432f3e91f1a2298

SHA512
3f93ef078087786eb2e58a28ded3474e3d0c29f5b636a1a9a5d12be627d2a9103f17585f91b1dbf77db7b18d1609873a85e6329eab3386c819a74d6967cdc763

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.1MB

MD5
93a660a15a8bc5d9b4bd57e9e48a5f25

SHA1
cc9f194c95851a3026f0277849a7e00842b3a87d

SHA256
0fddc5d1f92a68fb99df627bae5e7af7d215877853b98d2699744ea4374b2eab

SHA512
4894d294588e179d0217f5779b67418f485e366fa01fc63715a2bae244117b24c12d8975700808e67f525a08c51f965af36c9659c7dc68deb2e35699cb14ff10

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.1MB

MD5
be614094a295613f067b22aeb97f2224

SHA1
a1a02c2642fcf94aca8fd7c45ea3194a66601f70

SHA256
b5feb601d836a8918302be6c8b57d3fd060c969bc6fba9400839628aeccbe57c

SHA512
d9985a77da9759bb1883e3a0178fdb65a0b2a38540c141cede11233e60e5ae0b21b697ab000ebbf2a4cafaad2d9e0e6291d154ee9d513a1b0a50b6b0a4375151

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.1MB

MD5
13b803397f9c36feb8c89e6c21964db0

SHA1
3c25e999339f077d7a60c61ff0c88edb445089cd

SHA256
769ed90b8405b901ac7af4daa464b82539dbcb9f158e01a8c100233b60ed7347

SHA512
198da1830a8630f18967be66c0f6dcbacf9fa6588d57364c6919b7089f3e950180b1eee73403e6922335617e64264ccaacc88b3d5f6b40fbc9b2a92320938262

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.1MB

MD5
d5c4746114c7a6f1512ba651e61cd2a2

SHA1
1706735e0b1aabaa1fdb69cb0c943fb0206ee51d

SHA256
500e9f42a5dc34415f177653f3771d99c7eb5d5137e4d0506a8deb861c103591

SHA512
e4368307bb0896705d9a9928fb2987be880379b26e3745b600169bcc7ed70c600064260e77ab5af5b657b4961064712b9d867b85ec59b39575c540852bac917c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.1MB

MD5
6f37d82f99c1aff00ec142109878f6e4

SHA1
5a415a45d92155481f6245f7f2d1a59b4e39e1ab

SHA256
7dbc2011652c9ee13b5392d0aca1d4899f212a31510f516ae12e39ff5d6c6cdd

SHA512
6b5a692ca72fb89c4522d34701d1ce9a7b329722602e65f7db35fdd07c1f147e9aa70482c766f6f231e4b6e2287bac4d43639eee103f7ca3dc8a7a502df4197d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.3MB

MD5
e8377811310f2a6e1edd81053eb0cdce

SHA1
59bc79f072226523f0a3a9b66a89be27641aa952

SHA256
151074d8b231bfd78b7c3a47d1b3568c904269a1100b64eb567cf8affc65e4be

SHA512
12a5f2e9e6187c26bb4db3fa6d55fe5f6479dbff91a08b7c3532623d960db94e1d1f6ad9fe619740cbf09d7951344d8c69557ea93d2e0b79e9865076fbaa8449

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.1MB

MD5
b6f4430ea6e0d5a1167c09a6dbebe51a

SHA1
71c6c665b616aad75780d62c965aa2a0012864e9

SHA256
59ea5c92ee17f0a62c86d9f68b789e4732dbc60057ca02b6fbb71d74aea7c1f2

SHA512
b1d54325b26223b1f9568f2e96d4dd2a9a4d6aa696d08df8940c511922c31c6328a5cb285cbacc9a93c5a5751f7ad33bbcdf03b802b70ae884e927523fe82361

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.1MB

MD5
578577f70db08aaa19c502ca4c8ed28f

SHA1
c8810678ddc4da69c95909db8f3040dabe9d9178

SHA256
8035dd900e057aed09145243b7469be0280a32b0db3ff85bcaced7c9c2f07bef

SHA512
6be135623dc0faddd693bbc9a9a370d757cbf6626d986a4e6b22954776d02b135c0ad801b3b8dc30e994c345aed0b3641874f8d6daae48bb6ff288a9ddc12cda

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.2MB

MD5
e237e69c3e7561f060983bc2097249cd

SHA1
4ec2aec3e32e6d2fee27e26093fa12090a220bfa

SHA256
efd65764e93f1787501ce54a0637651b9c0abc5b1179746dead459296c190781

SHA512
cde0789532e7dbabdc8ea07eff21e5a306c787a5deb68dad6ed1557566d113cb790b6fc38df7c8d21fea993c1bfe718a385211d037142ced67df242d6d5e40ca

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.1MB

MD5
f57ab2dc777f36e9dffd001eb0c83bb0

SHA1
bbc68b3ba8c4a52dc48f64dc85cc3e18175b3574

SHA256
bf060611093ea35f91342434d9405aa8dfd4378aebbf73b523828dca419cdb7d

SHA512
ec7a8970dc935c76de87c082f3eea32dea1e699ee34e79bf85bf1ede94dfdd2a79eaacd1a50fd99554dda9b8c20d1e740cd2bc406155e68ab24d5f7428537daf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.1MB

MD5
e9bfa43cee8647d0b57b215553389d2b

SHA1
72e9b169f87052918e9971742079b76c72c61444

SHA256
df83b713c1b6f437775e50675d410c2b908f5aa8f2d17709c9a679d508fe693f

SHA512
2f934b03e938c27aea5fb62f1b8a6af1d9cbb33f66694e7344cd88bb61cbffa097c35699e571aa5278e0a9db2f6109d68f676da8017bc1341d952cfaae0ceb43

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.2MB

MD5
cd7380b17f234d9499f4c67ac38ee866

SHA1
d1ae73b03a649c4b65ff64f4c0fd9476e4cf1766

SHA256
a9db4fb9364b15a0c6ba5c407670ccaa85ca6d3df646b512e0ecd5edaf92cc5c

SHA512
84365a22387f6ac6c8b4b20da62fcb602d990ccab14e7df98c9283c135e8670529cefdd9829b06a7406b5552f5ea6d9032a0af445548e2a3ed5f436b49eb42ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.3MB

MD5
23924e145be21c93270638f9132a2fb9

SHA1
4eb1dcfd624e1fa8cc76555861ed15354cf70af9

SHA256
58d5ea9fdaa9130b7a327ba894e18b7b8a98795062ac9a24fb8d1fc2f8db6d0a

SHA512
e1e285c13103120d7d88f967d94576b072092d0cfc12da144930b8f1e7bba22a23f180f20cffea9779639e56f809f6612fcea10d35aff8b2d87c1d6013d6123e

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.5MB

MD5
4540a2e07dcbf5098609c960a7084ebe

SHA1
ca6761cc73fc24adfeace03f30648b41c2350ef3

SHA256
02d2778208da052217c2a76ef330a38656707716e274adcd09e44fcc235431f7

SHA512
946772478a6b8bba6da0183a58a2072877ca3c92d978d6d8fe45b37af00ce34bcd7f9797a05dc68826f6dec8da3780d8abb2b66e97718be746a4c41f01e7e953

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
ed36a0eea5923ea9daa98fa413be5f5f

SHA1
39bbfbdeecb39dd9964a313fcdddd1a6e4fe9470

SHA256
981789362e90b2a790483c052a3e1f463ab6cd0ff2c3180bef70de35bc69ca34

SHA512
a2149d57045c647dbfe3f5304cfe2a08842f97ce0a930477daef17693c67e043762aef432669c21df71c11155233745dc2e6c967462f55dbb30c8b53a1b4551f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.2MB

MD5
ce85310a5a13a7e7bd75c0b508862327

SHA1
5725ad59486cc2c3c4b5d51f2fe4f56db410e223

SHA256
5eb12c9de27be5e41ae911d7b55376c1e94d6a22e8cf55855ab5de9e40003e3c

SHA512
4125cee63bf267c6d90279b5a696fb07c42a6a7505fb24eafa041d39f07e7044d006ec3d49bb2c846714b40a82b92240cb133da094f499329a6b1bc6b80c4d03

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.1MB

MD5
9556bd92d5114b2a1b09f86a77319adc

SHA1
d7ebafe19c12890ef8c837b7f71537cbedb827e1

SHA256
1620c29fe91878554bf2383994dfc59788d5c074c0866161aebd196853773be8

SHA512
b9c30c9e8f3def007745df52bcdf4e91e89d3e15525e560c140bb43e7ac781004bb3746ef9229437cf3fd08fdf570c7f06658a4394cdd2231e21423e0aace13d

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
e99fa39cfc35ed8fd05a38b6b8b0562f

SHA1
bb5b3a4736fa18c3596c7b47f10b9fc811f0e0b4

SHA256
5e6800928c61b15340db189064ef4e37d11e00e710f70c0b8a20bde1953b1987

SHA512
3b51ae5d982fa3a8cfcb68b8bcd9ecca1c9b5d384aad6e3451c8cd89b8958f3bb33105a8fbd5eec38c482c53b7f4799da134c304daf360776ab6ef24b9fafaa7

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.2MB

MD5
27e68d36c395362956ae71327665c215

SHA1
d0fd5eea42e75f238e032699966e71baef635b72

SHA256
1d223d1e247451a4d6b7a475bd803cb3795e7b4b015e4edec0a585105ebfff99

SHA512
e262dabc9d2e12c8ef2a2eda1233d2fce96173531dd07e7882f0f9b9f7cd3296b16f7f7990e6426c078591c45481d6d7bf8e8a0d1c584779996a87ad461d87ff

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
1e27187c6f1da15a6ddbd551077642dd

SHA1
018da30f1cdfd77192dc5aa03b2eb959b248b2d5

SHA256
a29a2a8cd42c9677c1dd5899c41a80af936a7c682c95489c09a9a71825b37f50

SHA512
0c7569202fce046457b9f2232218d356bd8cbcdc5a8a562fd1800548ba4753c0d15b3ca05ea2a97649d7c0b1256dc566b914ccb8c82a7f0f50dfeb12e0d61f26

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.1MB

MD5
755dd721c1e03db8a9879da8b83f3c9d

SHA1
25b21dfe7555f50e7a4ab0a0a4c84aadaf1ff971

SHA256
1b31a40659331dc5eb37c99d346165e09a5a64c9c5648fb2b913e0de032f0a14

SHA512
00dac9ca7fb85d68f56cbdd7bd498950c89ce812e5ec94b9e8c9f4abc3c7c28af0123951597112b3ffc159f0b63b42aa05bb5a91c23d22b973a3d89b2fc61be8

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.4MB

MD5
67c79dd7524ff71ecdbd700aaf69acc5

SHA1
bc366dda4bf9335412bdfcd59954bf6cfc25dd15

SHA256
7adf8f6847f6a73246c8abe67095a2cb117f700762bb4b005fb0a3ef1a3aec80

SHA512
28744408a15671dd9c30bffb11cf788c50a181cc74a59c96a6aa4f4c2ab6f185524a03c6e70bf6c6c3d65d31ad13d299c16de1caf93c2b7796676ba098ef933f

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.2MB

MD5
7b2731bb2d373ed950447bd8762cb8db

SHA1
efa503db11cbb7098d939e095a26fcee8e7c4d37

SHA256
98d982e1f8c822f541a3e30c159f26ad3ed8537d750ba89fee3f4064390e0030

SHA512
1e63efff0168d58ba4f486686bda9cb26b32e2a38b267143517289f33c54620f54f8ae35e2c46e39891443208979f6b58aa88d2173f2e11675e76ec9ec4d4375

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7f2039c0a2eee7d4727ef234a373a257

SHA1
275853510ec69393288fd2f5c080263133b673db

SHA256
627f1d975424539704629a5f681c1dea1b1d9a9f291276ae0c0e5dcd068b2296

SHA512
7edc476723a9e01cc1b68299f6eb0a0f0a3e02ce303dfd7949fd7bf47c0a77c27af114f4a484cc54711864f72810d51f302c56372bc26b51c0c0b6876ce4549f

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
d94e30aabb53b0cbc9feef364af25db5

SHA1
8a6deb0c1e829ae3b8f5636d025aed9981640fb2

SHA256
02a171c4b3a24b1fc3ae52a033b9812202ba1b34762f02fa5416c62a96a78d05

SHA512
b614e4916eb8e2b0a48669d6ef36594a72df1cc186798fbc1e9d6ccec3614e9558bd5b1a03de7c777cef80fc80be9b82df26981666f5c3c5c4eb0861d52a7ba0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
5ce26acfbe0b520543047852ae910162

SHA1
854fb4dae7161003e62bf7d202889cc7ed7f88fd

SHA256
5777919c824f5927f0e8e8b4018bc74d78d001af082e3b8b28116ac4bd2f60d0

SHA512
4e709ae9a76cb4c3b59d88ccef8c581cba48289f9f9d40bc2a42bbb3c425bd4691fcb6e9f3b641904fc5dd7223ddb60b4b3debafe1a35f4cecedc73aff39a2ad

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.4MB

MD5
44ab2cb6075854f30d5a0f2afb3f85e5

SHA1
31978305a73a96d4a6efc773e12111e31b31b9e8

SHA256
f1f785a3cdc0853bda067e33cc82033e6b178f1963ede224e7fd947d14584205

SHA512
50d06d932e9c49fc01691255e1f2f642c44ae63ce361c3bf4c7ee95d6a60225a419dd1987cd05b5b7ec09d399d69afaa75241b8ef40fb88f08421fb1ede7ff1f

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
59e5b992eb50b085b2c531d6ee8324a6

SHA1
597577aeae7255ab028b71dae4d08dddcf67f611

SHA256
0da1072af1c4e803d0cce4715262e5783d616123ecd7f54b309e2c8ac4ce3da8

SHA512
b5fb390635f7a10ffd4e340ebbc89ee2164ca3891c71be811e2f3de76957625f2240d3a996a966d98b3552d41f45747eded114059df40b20b97d575bd9f8c98e

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.2MB

MD5
0a77684ac9457f97adf7afc3d512a199

SHA1
82eb7c4ce0242942afa23366e913b1e742a529f2

SHA256
eccce03931ecf4734ed8cc6278601efe2c1547dad867f9861601489bc0abb97e

SHA512
ac4421138fc56a7d9ffd3fbeccc99de5f028a19501329c6faffbf45bde3ce318cc694a37c76753bc3ae2e71cd305a125a14e6ec0f85c62ad18ed0207e1bcfc15

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.2MB

MD5
5b487a12037f85d85a0a46ad27cccfc0

SHA1
6d5d22f7a8e89d4c9030dc5cb193454c1bb734ec

SHA256
2b6c97e1dae299231f19fcdf1250df33c57428d8ec04afc452646e264eff814f

SHA512
2b7ad1d39986afdb5bd3bf37d8148e9edd218f7ec5cd6c28e280e72be20672288e74b90eae5140e6e08e42eb9217587299283f8cf6cccd7ef49d06f6b0aeb085

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.1MB

MD5
56e632650a04b34fba7a1c124fa1e110

SHA1
2e3b670076fc2110eb1e59416261d0bd6b1f4a50

SHA256
ff2b5741faa5d4c91c09743ad67c65306843c8f5996b185c3bfa56fa797f34c5

SHA512
4073310790a778445cbb24f2402c1cf00560bf1d4229eb587507bfc96ae9ff91cb215e8db6265f6ce4c01d0f3b578b876872af0ad4249b7849ac728f96c65acd

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
3c2330401c17c77de4ead89fb2f318b3

SHA1
917a4bef124699d806b3a79a9f5137c5e56bf0a1

SHA256
1374fad76f94daec7fd6e3fd5d57051dabc474a02790f621ea26bc5fc40d41ca

SHA512
eddbb40e4839c1adb634863d33c7a64207846002aef12feb408bfee79d9781e3a5c02ced35f45cc84dbc970b80fc8f4fabe82436494a1d74b7bc71185bb8cfc7

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.3MB

MD5
d47b79c2ffa54619448e9f15d2eed674

SHA1
838c564d274d0facce4d7cf7b1fd4cc32598a634

SHA256
8655753f6da90d232b1a795c04e5f8689970a1e9211ba8ddc8007082ff57a960

SHA512
b827f33949ee6ba527368fe62aeeb5f83c08b181f8a23b97a405026d9c1ff98c31e27d90b7a745273cbd19950ba54aef2cd699b56d35f0a2148e1cb018db41f5

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
150dccf5132a13edbdc727ad37aca125

SHA1
fce27cb975166e4e1702742a26b5687c59687fad

SHA256
df68b2575644bbe21789727cf4291f72299521cc5b16b162babe7b4698486df8

SHA512
76f7192b750bde77e47939c8e740d64b2d3376e49552ba8efa4f6f4e396b66202ce485f7bc9707cb4a823e5b3b5807d0f12bd3eb5ed13510d509cb19f03177ae

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
e78a52d6d548488bd46ee5cdad727f4d

SHA1
38d90f6bee23a6e6a23dd79cea99972d7a4b594d

SHA256
b0d6dadade78e90236c657c78f6c3e2e39a298c91d95ca8f0b9207f690846865

SHA512
c9a228b8f4e52d9d4f44719cc189a1b03d7962714f93b76e40548c10a0462ba22aa7ead8828effa7e4d355985c49eb15c8585f1f669cc992b79b3b0e30503630

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.4MB

MD5
017d876df35204cd5cf7d5e424bc7483

SHA1
f4e863515050dc4a1ab654f3fe24cf2935001be5

SHA256
b617066875df24b1ab4502ec841ad76fd816d1f50b7f1e581d41561fdb3ce369

SHA512
c6131d1e8b5dfdddd413d86f8b8ca298501640f67680f9a0d1a58293e9a1d6c717757c695f737d0d3fa7b8739197508cdb6410ce5e1307411ff5a1904514afb5

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.1MB

MD5
f68b01ea6266d86903e28489a3d41757

SHA1
dddf28f49c36d57f7bb5dabb23534141e3da0606

SHA256
aa9bb884b45cf61e3e5f67186b0ac250bf377a436978e5ec187f6dfa6cb9e88a

SHA512
fcdf110edcaaaa2e3f5c9aba70a6f831762a13a552b1905139f5665ece445d58605753df1bf38afad68a5f8b9cd3ec0061b702c2f7f9e16a7bf3ebe3f71878bc

Download Submit
memory/1364-231-0x0000000140000000-0x000000014011B000-memory.dmp

Filesize
1.1MB

Download
memory/1472-348-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1472-632-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1992-227-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/2128-346-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/2260-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2408-16-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2408-639-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2408-14-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2408-17-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2408-468-0x0000000000400000-0x000000000056C000-memory.dmp

Filesize
1.4MB

Download
memory/2408-23-0x00000000026D0000-0x0000000002737000-memory.dmp

Filesize
412KB

Download
memory/2408-18-0x00000000026D0000-0x0000000002737000-memory.dmp

Filesize
412KB

Download
memory/2420-228-0x0000000140000000-0x000000014013F000-memory.dmp

Filesize
1.2MB

Download
memory/2420-106-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/2564-233-0x0000000140000000-0x000000014011C000-memory.dmp

Filesize
1.1MB

Download
memory/2652-229-0x0000000140000000-0x0000000140131000-memory.dmp

Filesize
1.2MB

Download
memory/2812-235-0x0000000140000000-0x0000000140188000-memory.dmp

Filesize
1.5MB

Download
memory/2996-631-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/2996-347-0x0000000140000000-0x000000014014C000-memory.dmp

Filesize
1.3MB

Download
memory/3024-55-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3024-105-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3024-61-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3024-103-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/3024-63-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3456-475-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3456-232-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3492-234-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3708-230-0x0000000000400000-0x000000000051D000-memory.dmp

Filesize
1.1MB

Download
memory/4036-44-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4036-52-0x0000000140000000-0x000000014012F000-memory.dmp

Filesize
1.2MB

Download
memory/4036-50-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4152-236-0x0000000140000000-0x0000000140168000-memory.dmp

Filesize
1.4MB

Download
memory/4484-3-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-5-0x00000000054B0000-0x0000000005A54000-memory.dmp

Filesize
5.6MB

Download
memory/4484-13-0x0000000004870000-0x0000000004876000-memory.dmp

Filesize
24KB

Download
memory/4484-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4484-40-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-6-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/4484-7-0x0000000004FA0000-0x0000000004FAA000-memory.dmp

Filesize
40KB

Download
memory/4484-8-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-9-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4484-12-0x00000000065D0000-0x00000000065EA000-memory.dmp

Filesize
104KB

Download
memory/4484-11-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-10-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4484-1-0x0000000000350000-0x000000000052A000-memory.dmp

Filesize
1.9MB

Download
memory/4484-2-0x0000000004DF0000-0x0000000004E8C000-memory.dmp

Filesize
624KB

Download
memory/4484-4-0x0000000004E90000-0x0000000004ED4000-memory.dmp

Filesize
272KB

Download
memory/4612-72-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4612-74-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4612-66-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/4612-628-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/4656-246-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4656-630-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4688-245-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4828-83-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4828-86-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-629-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/4828-77-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/4976-38-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4976-37-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/4976-29-0x0000000000740000-0x00000000007A0000-memory.dmp

Filesize
384KB

Download
memory/4976-530-0x0000000140000000-0x0000000140130000-memory.dmp

Filesize
1.2MB

Download
memory/5116-97-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5116-94-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5116-99-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download
memory/5116-101-0x0000000140000000-0x0000000140155000-memory.dmp

Filesize
1.3MB

Download
memory/5116-88-0x0000000001510000-0x0000000001570000-memory.dmp

Filesize
384KB

Download