05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
12/12/2023, 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
Size

1.2MB
MD5

1afa8a16eadd939e8ba2b5a980fb22f1
SHA1

2650d83a0e71c3be69844f8db15f512ee69a2166
SHA256

05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f
SHA512

f8f0355c0d53f3bedf2fa2df2e9650b882ce71bcc6c04b1d059f01a7443a170727b552aeacccf2f77b3cf894a13ca76f167d338fcb204d27e7c7d171b1236448
SSDEEP

24576:10qmJe3wccSqqYj4Z7BYCLVyjzWDwCmTPPk/z5Zf5hz0dNUX:10eZqjEnYCLVBDwCmTPc/lZfuN4

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2596	alg.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
1340	fxssvc.exe
4416	elevation_service.exe
2592	elevation_service.exe
3712	maintenanceservice.exe
1224	msdtc.exe
412	OSE.EXE
2668	PerceptionSimulationService.exe
1148	perfhost.exe
1268	locator.exe
4272	SensorDataService.exe
2284	snmptrap.exe
3960	spectrum.exe
3076	ssh-agent.exe
4736	TieringEngineService.exe
4040	AgentService.exe
4260	vds.exe
3128	vssvc.exe
3492	wbengine.exe
3404	WmiApSrv.exe
3064	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\c061728c440a7512.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\spectrum.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\locator.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\alg.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_119515\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{741B7942-DE37-4803-B0C1-7335F92F1E23}\chrome_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	elevation_service.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jjs.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000a9983dafb2cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9923 = "Windows Media playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b39a37d7fb2cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000009c773bd8fb2cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9926 = "M3U file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005ec003d9fb2cda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-24585 = "Cascading Style Sheet Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000928862d7fb2cda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4804	DiagnosticsHub.StandardCollector.Service.exe
4416	elevation_service.exe
4416	elevation_service.exe
4416	elevation_service.exe
4416	elevation_service.exe
4416	elevation_service.exe
4416	elevation_service.exe
4416	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
644	Process not Found
644	Process not Found

Suspicious use of AdjustPrivilegeToken 40 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	4324	05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
Token: SeAuditPrivilege	1340	fxssvc.exe
Token: SeDebugPrivilege	4804	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	4416	elevation_service.exe
Token: SeRestorePrivilege	4736	TieringEngineService.exe
Token: SeManageVolumePrivilege	4736	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	4040	AgentService.exe
Token: SeBackupPrivilege	3128	vssvc.exe
Token: SeRestorePrivilege	3128	vssvc.exe
Token: SeAuditPrivilege	3128	vssvc.exe
Token: SeBackupPrivilege	3492	wbengine.exe
Token: SeRestorePrivilege	3492	wbengine.exe
Token: SeSecurityPrivilege	3492	wbengine.exe
Token: 33	3064	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3064	SearchIndexer.exe
Token: SeDebugPrivilege	4416	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4476	3064	SearchIndexer.exe	133
PID 3064 wrote to memory of 4476	3064	SearchIndexer.exe	133
PID 3064 wrote to memory of 3132	3064	SearchIndexer.exe	134
PID 3064 wrote to memory of 3132	3064	SearchIndexer.exe	134

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe
"C:\Users\Admin\AppData\Local\Temp\05c43470e7ba8da0b102e2164500b98f1a0995034f81ceece3a1cce878ca3b7f.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4324

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2596

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3768

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3712

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1224

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:412

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2668

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1148

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1268

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4272

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:2284

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4168

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3076

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3128

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3492

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4476
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
1.8MB

MD5
e29f2108037380b44fde475058d9f6eb

SHA1
52174b4dd17cd46403930ccb1d5172c02db70609

SHA256
8a68c56055f8bdf7f9313e57bb26c090a6212dd5f9c202a6c50bcbf0978e8862

SHA512
6c364f96f8f75f26a7933380c2d9a68324c2415ed952bb72acd61fc3269fdb59a7c7d250763881305935f47a96c5850129c4aaac5d685ae29174c8c2aa26762a

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
4KB

MD5
23dd55a712761d34503f1149529d0bfd

SHA1
5de4e44af361219b73a03e388a1501615cadff56

SHA256
5b1f79e838babb2a68fb93edba8f31403df062d6390958ccd9563f3f05a2e0f8

SHA512
e0419b5bbfe680e5e3dee94a4e97f90adc5948f2951dbc6536e014302a9d480e2ac28e353e9a308132c860abba30ed18789920ef1c1bd1af759b145f23892d25

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.1MB

MD5
e759378544f5543211a74e0a72cb0422

SHA1
f4d3044c0d4b330b57eab399a1dbd9a4bdf85296

SHA256
9cead5ffc4dad7961985f3c90177c2c51530919875fc68af4131e12829636c88

SHA512
69252cb70ed378bbced70fbc71d27d5838418083408a091def5132e578ced75fd25db48d6b83e931ae71a0355b47e165f0b9fe1e42994942f2e525ee892cea9e

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
361KB

MD5
b9e205a312d6f823a35dc76cac524f47

SHA1
7a466ded5c164b063884b2e582155f17b9405ac0

SHA256
293b87e5953b4d21b9f93435b1a4568bdd800d8772234a67886a0e46047f536a

SHA512
d2f073083282fa7573d25b89dacc1558aeea70bae454e7805ef1b9a1b5db326ce258b69766c932331fc62b724cde5c24a0ed591922762f9483b14e242e207155

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
317KB

MD5
cae799f12e41526e7562b19b0d23fa77

SHA1
92418e4caad778e5f68f7c115e6fa39bd1aac618

SHA256
3faf0b9f00dbc3452a1db40c62e1b2f9d37ccb27b764c95accc790d6212e2a09

SHA512
656a59a78214002daf865abd9345fc837a7fece3b47fc22ee109bb19236c6b0022bef8085fa30c3e11309cb52800e4cec925a99c11b19cb3f0d603bafda14c85

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
394KB

MD5
289ddb96614d96bda34c0466711c2c2d

SHA1
e28782ba79ae1965e1629b5ff22b161db82a8962

SHA256
0c9862f1df4eb8637f3562494ab28664db47bca0259f2e691365f941160d1da9

SHA512
946a0221d13d5168969fa76f857334f2b07962b167f0c19e469950bf821374f5c8043295af9a1c30873e33c9e7b6c9dbdab45b4d5091e5293e2cacb32c297f2c

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
272KB

MD5
b75ccb29e53272e119938affe9f3e001

SHA1
a4b609f49bfebf26217799061a5a7ee995438c8e

SHA256
13e33b3d896156ec836d055e16516374559f511eccb3e91466a24aa91475c376

SHA512
eb0a35891bf04d3f8d8ef4f9dcc3ca2ea3b0aac67ba1468117564cef8fc2c83ac4c6829335ff5b10117660e86a5b4f47e30dc73c3b4ef6e263aff57255ff22f4

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
323KB

MD5
bf4c7dc9834a8825b6aaa388171f2ecd

SHA1
4ff1400c67037b4c2937eff7b353aae422ca32d0

SHA256
860534c9fecea9a72a6b9b6b8e5495d15e77a25ded665bb1952f8c4e4a70e079

SHA512
29c7f93c74955ccfd3c112fa0e2ca88122a7961920bf440e4ba94295bfbd4a4ed1f72bab3cd4087862752bfa76a4b4e678f9bd5ed13b0b9d57eadb2516cc57ee

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
376KB

MD5
080e891988f1ab1dc7fe4bc0ca911ff0

SHA1
5b6958710861dd5f2aa67edaf62fe433281c68f6

SHA256
f69708fb8e7dc369d3383f3ed0b72982c7cf4349d662265c217a23cf832a541c

SHA512
0dcf1c27cd544da4a016b5f2d1f4d4d0348b278b20432fcc0f82b44b610f612efaaedc1ca106dc114bd19e2b444c54314a043c0bfcc8ae0fe1c1e9a219714188

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
279KB

MD5
1f44900061c348ef525948eb5faca83f

SHA1
6c4110db2e32e2debd749f499d669ef09152a738

SHA256
eb0dbfa5b09d7f9012c222047b910288c8fe925258da86e0026f60de766d56b2

SHA512
026c15f98cb54ae57075d7f3288128090c780d956b964bae5313f8d66498b86d74a52a6b97aa1cb0cecb995f01546aecbfffdddb949a46fd763b5fccf6545564

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
248KB

MD5
2e06f7d092f60ab32ffeea20dde3ef52

SHA1
e3e990594596964f2e77d15be2ece31e882a9815

SHA256
dfc8f87aeb17c1630e24a09058366a91feb47ad05591e0d90f6cdec6fd1b9875

SHA512
dc311fa3062ced6cbd2eb2ae50ffa906a365fd966d8b70cd6c9eb4a0082b115cfc332227a41756735b88be081500f84a0e1f0bd945f461305afce7c1d86bb813

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
281KB

MD5
f3855f33eab417cee56a3f81ecf1246e

SHA1
8e719f96a56fb8e14fdec19863110e08d4ec019d

SHA256
798f4ce8aa52f7eb3f6f02dd3c425dca41f6a9c71e72e919f292db0dc86aa2ad

SHA512
bf732deb25424177e2632169cc40f18a5e9f87cbc3e9a90dcedde7c7b9a21a4bcda3f5525c46fd235437f1faf5ba0cb635b1979165b89fedad2b8ff8e408d919

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
295KB

MD5
83c9c1ca94d99694bdaca0ee62680a5b

SHA1
002448c5192a466d283778de1363f8ab9b8e5f39

SHA256
578d2140493b1565884c7f30060afa0bb607a1369dd7640bfe3f041af976cfd4

SHA512
30ae14ba4d48fc5e78dd94cba1484b93fd1f84b6f61bcaa12c2e6199fdb02bad002146ba83b67f7c850fe10a5bca9597a5764004b7a536b7ab16aa06096cf904

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
200KB

MD5
a12f27fd0d7951e18131ecf4761bb25c

SHA1
111cfb431a1291aa799a9547fcec22218827d16f

SHA256
60b4fea801a1a69da554e2e04908e3b51d0e1376331da7525f1ea34cd8124cb1

SHA512
23130b15bd3423570105e71e7362e797d17de14fc751ad37dfe2fefe38fc0acdd1fb979d56647d1ebb81db141e9b721fb6c457ca1d0a04c65a09c48776402b39

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
248KB

MD5
d05a2ea19d4547c12ede8c5ac7c02c48

SHA1
ea604d4ef403eeb83b99a83efd00d29655cf468c

SHA256
96b3fc0c68c55ea60ea7b4815cf4f57d3b150756104e1d4a204ae5e7dbb64b57

SHA512
412bbd2946e48a333c5660cf6d4ce41368f6f4445a2981ab8c34e87da0f149208b2afb2fb86548975ec59f59cc624167c7b0b65572e8f6014178f565716e0df4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
199KB

MD5
2e4df0cb6d00e05c75969410d5ca3131

SHA1
a55af1346ca8c29541c3c4a13668d25bc099c962

SHA256
86a86e0f89798e5b96b12aa11baba3c4b7c4118aff7749d3fca5d59fb94007a6

SHA512
a8097cf8bf2c9a8dbd0b0f19249cebba49eb8935347411507f015c10eafa1b101d5d229be05a0b7937b1909381bd03cfb49b9d3ed4accca78ca4d0ee896eb9f0

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
116KB

MD5
7efbcdf8eee5a34899a296021a0721b4

SHA1
2fdabe82de58535403867fba41333a91c1567d94

SHA256
1d514d44bc1829b354b32ce856a8e8b9da6e0756a1995e863e43635200f90c84

SHA512
3efc8008a49214d24ed3299358dd4d63a3f95895a4a7b6a0c4ce01a3d0a7054a9dbf8465b93f092464cf320eccb0e7f88a8a9dfb3a4a1adef52ce668a1b9df18

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
212KB

MD5
fd6e5ad2cfadca48a91d29509450971d

SHA1
c4067265df4fe132e114f86f2169cb915fa8ead1

SHA256
f82a696e456302c174b797da049c30714b9456ebf80c8e4e517e56b34aeb5312

SHA512
1d1d189093494e294946ec875b7b08ee466abc71585fb35ae54f1d6397f5f4b0979121a3f271ea4936e3d3cfcd8590d31a58d5ff4eba7929bc04541c139e565f

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
ca3f5c8b7f06e66af1b52cbd793364c9

SHA1
b27b9779d6ba8f4998501c14d8a6de14b217621b

SHA256
a0b6154ec0313de3e5bc022490319cad9f66a9a984733e366a0f3336923699df

SHA512
80dd975bfda540e92b1e2906fa12920c4bdf2bde2fc3ce83c5b29a14d1ae4ba850233fff68446713cfa6420edd28f908119d97a5435d5755747f67429c21eba9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
119KB

MD5
b10012fe9ea9cd5342c0232280afa74c

SHA1
cb3b0354fd96368482feeb61484bca7a52caf239

SHA256
c5adf9b0ac092953b6158637aeabba60f022b3ab4172347c0c60953ed4d09aa5

SHA512
149984dd2489621b6138912adca55065b8c3cbf3e23b9159712cdbdc61aa6de57aee0f61d4adfbbb9959afff2182683807c2033339998cb23e5d88898cdb8c39

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
306KB

MD5
47d6264ddef6ef1230f4b6a9761c8d2f

SHA1
3a0062d0fe0ef1afdfeaab3e0c0479cc39449c37

SHA256
e2a9c354f7559c9967c1cf6081c01e0edd871d29d05e7429c79609dcfe32d9fc

SHA512
bef6bfd901b27dae6c1b13e6080051112ff17ad125fe9e8ecde7b9da51b919639a638f3076e0caf865dd5bf35fe7ed98b278a37c12196f1c0062e40276ffb509

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
231KB

MD5
0f816250a8ca16b646faf91bc16813ac

SHA1
e7f99c0eb334ebe53a9b60fb95436aed7e926aca

SHA256
7a043984f790c6d7423b84057164c760fb11d790b6b2afb48995f79bf357f8ec

SHA512
d744031d022a0012a44e4549da71ae9bccfdf46139c682e702dc69668f4385c0d8940fb38ae9059713e8196960e0ac504e1e445652092f5d643fa08324f7afa6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
90KB

MD5
3fd37ebc45031351ee2dc206f8fc3be4

SHA1
5107a6a87c49396b31f654a229960fdd2fc22ece

SHA256
beba34999d5444e683f126e9d1d5a610b4dce483d01f6625bf1e72a6de29f60c

SHA512
cb3baf52ec21f45176b9d572f49aad764229a19983373ce12909da2b444ff2b56b010a173f39264d406ef62fe40c4a3e954c7a043995ff2af92db003caecf4a0

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
152KB

MD5
d80888f055c0415b217a0f5c25c2eda2

SHA1
4a42f223a1eae50819f38b448e4682332fcd983e

SHA256
1b6871fd29fa7d2b81841fbbbca7bf1406226eb36f0aa5d1e9a96392b4c76f2a

SHA512
bdb78eecb1f124b536fdf7dc6682e18887476d68213087060c5959a2e781975b435e2126f4b376b9750ebb3b4df7492de62b9df44cabd405ef30fb9f50878c87

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
148KB

MD5
29f44f6bca7e14ff4bf40e9d4e4187a7

SHA1
840bd4681b35e2e87edc699c76f0a341ffbfef83

SHA256
b334c77558cfb15b81d4351800e069f30c8c4c2f74a4323a4dcfcbce1330da6c

SHA512
f3a65f3bf2044ade0e3469fb96b750c901fbc70124fa870c06ee33eb0be2cf70aa1f888b967023d973b214a6c59d2455c6314f59ae099dcbadc9fd5b23de119b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
190KB

MD5
41b41ae09aac764b1e299c6cb78840ae

SHA1
eba2374d47705b15d3076272a42c0e4e4bd7a63a

SHA256
c43c32340b598ea06935a03d6997cb4c9c931d60a5bb780913c2d02e4b862b77

SHA512
e343f6f7c1fc3fb87e285e8cd60e5e8e618f1293b696dcd553e53bc303db213811d21e6900bc8662a413c76d0d3fa49795b4c0c2b9aede8de5ec1a012e73ef83

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
211KB

MD5
16e8a712e8eeffd67007792abffab467

SHA1
a418404d7c60df4ba239fb79e29d9a9d81ee6ce2

SHA256
044a9563b52425514fe02a52b26b58b0d551d2ec1e9123b005917941f9079a7b

SHA512
03ae78ae147d20c208e920469ce51a8b30fb5b3dbebca55c22f01fd64f3adc374e1855e4e26c0a9001d65ffd4c36ad0331090f4a04475f9901e5567f4aa8ab5d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
124KB

MD5
540236db9d8121f42accdb84acc4fd73

SHA1
5561675c9e42f62af5c72c7332533e13a54a033c

SHA256
52b7f38404548b5b30bdbc91aae9274b1e422e0c15a7d67ebc7dbaaf105e76b9

SHA512
9572f3730f261f24fc0a9be3fe61ff5e8147d458bc01597ab4ac0c538fc91f4bf181b42a156e1e78ffabbe314e5fc824c728f767d40cf8b8e4cdf8f592509ed2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
71KB

MD5
c82730c664ba9bda208a624eb0497aa5

SHA1
2cc63ed8eaa2f77763a32741a872b81e05349746

SHA256
5ff90c1380d94070f33aa4750d99b27dc2ed391817c966002e64a4594299bb34

SHA512
eb96b057595a76a7185504eb1d9c8ccd542df70ee1b5ae4701425ab60336cfc0b87c859b19e6ca0428166b4302b20daeff4c5d86aa2c0b0b6d872bc9960d32d9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
110KB

MD5
f892cfda7c8b057a4a4e2afce43d3acf

SHA1
883bb8ef10df37baccad77440efcc3e0bf1737ff

SHA256
d4319e541708398cb24e949054e88a7bd7611de72a02d2a473c8be5139f47f62

SHA512
12b3641ad84629624324c4e35eedb09020904b3e142f4d0c0618468f3400f9117fdfe88cb0599b3324ce144959c66eb4828f43457f819eefb8ac2eff6b2b8d22

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
72KB

MD5
86cb1a011dc48b59ff6869bd9dfd6f36

SHA1
1730beffa3ef200a534709ebb254cfe286acf1dc

SHA256
2ec7ddf04e66aa4671e67e6b76b52ec908cff54f06fa5a33631f6a3be10e1d15

SHA512
ce24270be3a1f89d038f9fc71c0f32a979b15cc2c772b9de26cec74863ed6bf003382d5b1f3790f5fbf966886b50648211d4ab4bbfe886b9128f924125d19a0d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
83KB

MD5
7546b8850d36206c0326cca0de089d9c

SHA1
cd537f383b0daa7fc5ca9e13280f5eab2b4187d1

SHA256
4da936162edfd3e331eb2bdd97fa4ab4d521252c787fbd4f93ea6e08832a2a92

SHA512
0f8fb83af938cbc77784a61cbe930d02e8d3c12b7fee8bf9acb78329a2ffae12050c03a8050fb813958433ee664c2159c79bb18e2f780e6799d8eef3132ee424

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
45KB

MD5
0b3eac6357f189cf036e0b34e9a62d0c

SHA1
4c2fb03939a617b3cd5a63ceee1abff176c781bb

SHA256
422f2faa270ff166ff7b5436a4fa9f08d425838a9286bdae0cb104695ae2b3d6

SHA512
6acdd8c1619f67ef1db0812e38d32705280106d099186af6d13ceb0f07b60bf1a898bdf66d4a24dc1680d49474570faf66992a4d82b860b08069c44202db440c

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
114KB

MD5
b0266c82061a291417526edb87286f3b

SHA1
465c822282e2cfd1d6c59228fe4c46bb88856455

SHA256
b203676408a2c1716701c9731e728e06776b2e440c87c2d4286e495b312f7c39

SHA512
f3254319e8b257357e35252d2b559e188d2dd3c77b3eec9a76acc85a012a6a58da0fcc39efe6f781374366fbcbdc75a1b2ae4dee8ac7617d0f5c43e229232dc6

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
85KB

MD5
107155605324a6e7cc8358f87c318b46

SHA1
73d6dc86f4e7359b3d92259ce1f1d66475093afe

SHA256
6aec4fb826a01f9a6b9e82796fa1699b18f51e35807f52ad8eed9db9090dd5e7

SHA512
c6d9dbae45eb034124a39453308d251e3f4d9308528da0c0f6dfa3904665988cffeed8ea89d283154fe599bed538524e619432935146918e3cd6540f6d4518ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
40KB

MD5
844a3c2919456a4ed66d9fb3059d3e7d

SHA1
dcff757c9b5d0ef83d5846cc140c876aa31f123c

SHA256
46380ccf9c409793ac1fa07fcb118c6e61d015a29adbb5d4f2f9f917017c466b

SHA512
ee4cc0847d0fdc84bb995729a93707ff45ae3ce519be6c296df84652c3a4f31fa3638dba392c0e6c9c953dd3a5340ebaf5eb87922ec152c2f783900b1810ec93

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
124KB

MD5
53d5092e6a4f8f2ec68b53af9f5709d7

SHA1
fce76a94f8f678a60735866a1adac00804764b6d

SHA256
c6d5207bf1a242fc63ca18fd396f3a875becabf8f1aa0727bc7158610d05c3d0

SHA512
2f72cf3487dab58c465b17302ed057e9fd72aa7b5b921b0a9f6b24879305a18bee757811a0c71986751f35e3d9f573d37cc53c1d43bf8b8fcd6c6477852b031b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
92KB

MD5
8987720c2542dee3fe0a461927bbe453

SHA1
7c976cc9a0e065aed955ea295de2df1218d2789d

SHA256
121f1ae12fb7357c77c557a99caa8fb5dcd0003d60c30fdf876b440f9b5f7c1b

SHA512
748c8902047c7142d2d66e290ce683637ff54c31dc00dfdc6007adb9fbf56d949de2cf3446925cee4a6706c6047ce4119791249797a4264ed887104158a441e0

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
252KB

MD5
123d4e4f7b6e16495156eca03c633c82

SHA1
37d59da5ea5e34b3ed5887010d5f7d662500c637

SHA256
4219cfb8a0c7ababda2363aef4e727bd3682b91e46bc464789f08f0b3faf3836

SHA512
9db22b57be83ded3c26db7cc9de5c691aaecdc591357dd1bd59e7f92b00216e8459527a6ccd93a5732a192b8688abcb0fee91bc95516e973a7b8b41d1e579f80

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
67cab2747f6b90dd524734207a1e6f95

SHA1
e186c8d039df8ee7e7a713269b7889bcc0bd7cef

SHA256
f159fe36568de8344be09b175d930ea8818fb21bdba1adfd78646b8a73351dde

SHA512
2ddefe8731b1e1a128cbcc6bdad1d91c35f511989bbeab6feb8e30cf58490f225e171d697836ec86c0e4f8f127bdd75e5d8364b3a39dc86b145e091f83af7f2c

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
137KB

MD5
c189648a09f4afc77527d070e369636d

SHA1
d65a2632d7342da8152eb62b6fd416be363ed216

SHA256
2d29e877480584f66da4a09b2c257f2d94b4a686b329507c354efad6bc7efc12

SHA512
4527915fe9012465df67e6289bbe0863d284a99f00fd2ddba1b0ac42fe3dde4e49eb6312ddd236cb2ffd60f4e3c214da6c52658f877d136512294b8e19665889

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
960KB

MD5
5ba2ef59a97057665d6d3bd0d749b01a

SHA1
f6732acf0c21bae7f064e81de9c6bb6756dbf45f

SHA256
7f41d480a9adda6aee9e40aa48383433b33b5c728a9cf743f35fd4ba3ddf817b

SHA512
830b6d7ea5f7405586f39a06fda40b51024aa70da243df22ab299d02cd91404b44da627f2d178ad8db44557382247bab381075bb23cdeb2f2496cf9fc24e7974

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
45731d0d3bfa69565d286fd14141c897

SHA1
25b49a6f40b17525ddd40ae7c20e743c91fe266f

SHA256
db2e05907ac63bd280c15ff8a2476f9249f1b522d403ad20db03326e570b8f7b

SHA512
cb86c4e8861351a16c95049cd117cbc4ca1ab8f6ea709471088a1eff5a93500ab8e50615656966704dcf0aa75cc6c7082736c79585a5078a88e067a454934fc8

Download Submit
C:\Windows\System32\Locator.exe

Filesize
859KB

MD5
bd062cb011df7f24851d0baea66793d3

SHA1
6a647d157b59ce418215dd56561bf8feb7ddab20

SHA256
48d3f795e93c4edda9b48aba172ad395b6b79e70a2e3683b1c795ee9fb4274f7

SHA512
82c314a01150b04dceac461e06d10949c0362118069dd55c509236a71739cdffa5cb11d627062a2b1fd3d49f826ab9d608e04b70227fd6d6e323e07cb389788f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
549KB

MD5
bf9fae424a84a21c896086c32bd55f18

SHA1
29ae44f36dbe5e73875c6ef4e072d5a3917c2de2

SHA256
79dca940d8de3542e4fef35cf278aece29c6b327afa0b7a34a35ea44e17f397b

SHA512
ec885b92d5e5e66fbd70837b2a4379533deecf97871e22eecde32271bab82b3339fd3ee456300c85b89032afa48bbe85889abdf27025cb1e07742baaff13bfd9

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
506KB

MD5
c5392ca49c09714b7da8de5b15a56a9c

SHA1
5e9c6dc67ef81e56d112586ad1598d85409376fb

SHA256
1e904ba2b4bf168c49ba769d7e9c19a961463544f087ad89244a3dd2aa6e8c72

SHA512
180637681c4bd7353bd68240e66ad126a48816cf895a394a76530a33b121ca59252fdffc9ec04f5565b89ff2fe17f87658ad1e1d4bd23781e45f0a7bf2dd08c8

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
7ab09461d0255a1db73c4b351264e5d7

SHA1
c1b1867b61e6df1f589d4f9d54bded72531080c0

SHA256
e1c5c1cba510442200f713210e5b197360d28d18f81770c2754e359188f82ecd

SHA512
bbcf3d0debca17a42c0a8985d3f18f2c11b6550715bd1f759b60b0a4e662fe50901edaf92b59c0ca919c7328f2a0caa3afbe17bef30217f477d35a0d06fff45a

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
542KB

MD5
4c2cde5107fa921620c367425f585c5c

SHA1
3c76cee53ee106294de9d39aeeee63448639115b

SHA256
d9cf59e08a3eb90fcb66f0b2d3c559494e47765575987312b2327a5ef106745c

SHA512
cc66c96987e0e74373136a079f4ac36cdf26f010d6002a050ee2c749c50647417c8c3f6045c2c9e0b842a79145f513daed95d3cf546bc017ce0c74ebe5b277bb

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.3MB

MD5
314284bd76c74519724ad2ea86cba4bb

SHA1
a10ba11c5d57b957af72e55efa9fa536c5aab860

SHA256
025065393787dc82e14299bfa978414e9704ba84b3b6388fabc6cdfe1aea20c8

SHA512
dbcc8e131c39c4101fedaeebabed0dd68bef02910440dd4c0f81e25012189e90da50373463f129c6cfc59d64a8c4e1cb3c397b497ee6b2ec391b8b6a940eadea

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.4MB

MD5
e4eb0bb0645d8114f761c6c3dcebf2b3

SHA1
7bf35047057f49306809f77a7c0a03c0ce2d2785

SHA256
89d3ddebc6d0c89161938dfa2628cac721a9d93632f861f9d15cf5fb3b8d91bf

SHA512
7c99172e20fba3dcd13ba9ee0810e857d4936322b6feda9c99d004cc6d6a131aee6b63ed9a196ceba214145c4828731e991367c54a50bc3863d470f337881245

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
424KB

MD5
87c940fd1d6d611d8b993f77f1a280e1

SHA1
96bbf1c9ea9a967e4d9b4cf3af1ae904f951d2de

SHA256
743af6c02ba0556a4fec635fdaf6119434f9cec0d2e0bbc816391b783dcf17d6

SHA512
e93507b3fc327398f8e10da125659db19f20300d787d410eae41f63c90e830083c1e55339c328ea7e7b5487d02fee569da11941325e9f5d115e29470832d6053

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
115KB

MD5
61e2b74b49643deb5ce8587a55cb0f8e

SHA1
55bfbddc711cf0480640999e6b1c62112517724a

SHA256
ea378fd51afe719c54c4308b8fe41df2fa08bbb6d5777139e46107fb20be4ae0

SHA512
1451650e73921df871bec6870e479c946ac2ba54758bb4dd8593a4dfce37a8a645bc68f43f5988c3d850debe2ab190dc1d500c323e35c4621ecfd8e939617489

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
33KB

MD5
8623c0e91a0dc7961d53db8823babac7

SHA1
3e185a64d7c8cabda09025cf60dc87ebd5d46774

SHA256
ecf3bbc6e3c4beb3a2d7e6af3e6b0b72fb7698b8f51fe7505873329146949f0c

SHA512
ed754c42f5092b3b0ff3ddb2c55ea562a25b9558df9ba22d258d37330056b15daf5b9db9f3c98c613888e869ac11d6e3d68a52064c14f359fc0c2a02cef9ef9b

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
d08c4c23b140a14ff783564f3f3cb274

SHA1
57e035d1edbf379ce59e6aee154b44312f6fc249

SHA256
18cdd09c8dbd4faa2609f85e62076f7ca4e0ea582b645b9bbc2f7c5e286c66b9

SHA512
6d362517e93518fbc068dbf06cda46585ff78f9385cfc9763c3ca2d82b3835d99c5210b678ea63bddbe116e0751bcddd87d2b9877fec25d57140497488577e55

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
576KB

MD5
0fe17d033f71cb119eb4fca375b9124e

SHA1
17dde67dbec878f85d907eabc4b049dec8c7fcd1

SHA256
4a4d5f7e42808cf8436f4f38245ae982829a694af2b189ebacf718ca0fc1b579

SHA512
71eb40660de332f056ebc29c584ab638f1f464be04b4b9f71eb146c4ba4c2ee98e02f3a8133d13a4f311186f5896b4b49ee05459cbaedfb55e8fe263b4bf1203

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
874KB

MD5
ce351d5fc3b26571e5e3c992e67588e6

SHA1
0e72203d7a0e447d3ff6d3defca0dd1b8a917ac7

SHA256
8f822313a10ccd4c1fbd076b427d051f127e5038a4b1e9fe7612277d12c8e302

SHA512
2271a62f8ce98f533110b880b2deb31a59062282da22d52815955bc30ec192173b442035d1dabda9d47f2619db0cdcdc4329cfccd7ab2c98b6fc90bb4e9f9e11

Download Submit
C:\Windows\System32\vds.exe

Filesize
318KB

MD5
c535e9c97b4562dd3cfe7fc1d29bc84e

SHA1
0f51e3c6a1fa0a36217d0bbb52835a1006c6e037

SHA256
484ae8718ecc4011abaed30e59af8f3dcc79d252b0cefda719f9c4af28335939

SHA512
9ac407aca10b244f36e30fc6d3966dc2bde56ea1278ff8e257a8806cc2a78cdb70c30cfdea0697a31bada24eb8484e00ec344b24b99a52b0a3d55784c6c77de5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
364KB

MD5
cf75611173d9a42e16c58b8a8bf1dc59

SHA1
f4baa9aaea704ae1a2e97cbc97fa49be25a33a28

SHA256
a9b8b8d5001de3cdf5e60d11c2fa8012e107d7a915b915010eefdfab9e16d712

SHA512
7d34c0a8865988b4f57cc6408da7cfbba66a2218b0caab726afce8fc704cb1a824a0fbf52a39432c05f92f69496c5abe3f0a41b848e1793d0759a6d55198ba93

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
483KB

MD5
138cb5137fd2b28623b528584c8eb1b7

SHA1
d0cfc129aac6e515189bcb2e5735e0e75a4ba5bf

SHA256
a19d662bdd4b3b46ed72aea1c85410ad38655c7105e39e336b688ee8ab3f2db7

SHA512
5ac478a75f6ab0038bced82a70188673312667fedb3de695e0965802945bca6854a863f92fbf48d1b0c9ca34e1c07880c466d65caeb2d9798607159cf6d5ae91

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
7a1ee5130a1bbd0f6cdb0740adde086c

SHA1
c59512fc17ceadd27e16b62f610d7bba67dcff4f

SHA256
c087c517e28bde81977247ddab400e261e6bf11444401067c18371c4c3a92b78

SHA512
6f983483850c100e83ae39122e98077b368abb73ced005f5bfef25d49d079940c87dc89cb3beca8453ef08997ca644c009b8a456f43987ae47474de74ad51138

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
78831631d498184b6cb3e461ba40a6ad

SHA1
1350abf94abe2543a78b2e42029766b32f427e6c

SHA256
08eff98218628cf941b56ea273fef5876b1b7215dff36c88345893a5c36b16f1

SHA512
899508c41bdf91d2592c803678de78d74f366450cabae3396ac7968decc42fcf2cb89b0d70fa55068d4dc7f7ced00436531d9f58db968be33fd7201622fdcada

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.3MB

MD5
8cee3ea411230b8034ff9ac870b51253

SHA1
59cca199a92bf7b0c13a33bdcb0999d39af9eafb

SHA256
9ab7362f6af7fce701bab344692d9765151dbb70d62bca0fb4bd6d615aeb66e3

SHA512
a147b0606f99728b5c3ee403042d344fbb02ac39f654d2ec01b032f8d433624aa954de25862eb6c9f3e4fc3e522f8a247f15a67ff0fcaebcc2242aa6d93f8d00

Download Submit
C:\odt\office2016setup.exe

Filesize
437KB

MD5
9bd2dac47f9c8c8806bf756cf2e13c4b

SHA1
0ebac57f67dbd58218e2d02ac0e8d97d6677160e

SHA256
901800587e8bace2d94e8337e595e00fdddf8fd4d34a7ced8592dcfb7d9a4289

SHA512
bf419a1dc2f3a9671fb24e97b1efb72cdcc92843543f757005a1313e3e4c7859695997cb07739c4c5ce4287d11a7d5e43d3dd395667f4379ef698b4ba32b879b

Download Submit
memory/412-145-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/412-82-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/412-78-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/412-87-0x00000000004F0000-0x0000000000550000-memory.dmp

Filesize
384KB

Download
memory/1148-307-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1148-112-0x0000000000860000-0x00000000008C6000-memory.dmp

Filesize
408KB

Download
memory/1148-106-0x0000000000860000-0x00000000008C6000-memory.dmp

Filesize
408KB

Download
memory/1148-107-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1224-127-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1224-75-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/1268-118-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/1340-31-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1340-29-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2284-308-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2284-125-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/2592-44-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2592-45-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2592-114-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2592-52-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2592-51-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2596-73-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2596-14-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/2668-95-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2668-293-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/2668-101-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/2668-94-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/3064-350-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3076-319-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3076-328-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/3076-424-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/3128-456-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3128-340-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3132-467-0x00000247A3DA0000-0x00000247A3DB0000-memory.dmp

Filesize
64KB

Download
memory/3132-447-0x00000247A3DE0000-0x00000247A3DF0000-memory.dmp

Filesize
64KB

Download
memory/3132-425-0x00000247A3DA0000-0x00000247A3DB0000-memory.dmp

Filesize
64KB

Download
memory/3132-432-0x00000247A3DA0000-0x00000247A3DB0000-memory.dmp

Filesize
64KB

Download
memory/3132-457-0x00000247A3DA0000-0x00000247A3DB0000-memory.dmp

Filesize
64KB

Download
memory/3132-466-0x00000247A42F0000-0x00000247A4300000-memory.dmp

Filesize
64KB

Download
memory/3132-448-0x00000247A3DE0000-0x00000247A3DF0000-memory.dmp

Filesize
64KB

Download
memory/3132-434-0x00000247A3DC0000-0x00000247A3DC1000-memory.dmp

Filesize
4KB

Download
memory/3132-426-0x00000247A3DB0000-0x00000247A3DC0000-memory.dmp

Filesize
64KB

Download
memory/3132-446-0x00000247A3DA0000-0x00000247A3DB0000-memory.dmp

Filesize
64KB

Download
memory/3132-458-0x00000247A42F0000-0x00000247A4300000-memory.dmp

Filesize
64KB

Download
memory/3132-435-0x00000247A3DA0000-0x00000247A3DB0000-memory.dmp

Filesize
64KB

Download
memory/3404-472-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3404-346-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/3492-465-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3492-344-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3712-57-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3712-59-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3712-64-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3712-65-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3712-70-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/3712-71-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/3960-311-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3960-146-0x0000000000710000-0x0000000000770000-memory.dmp

Filesize
384KB

Download
memory/3960-129-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4040-445-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4040-335-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/4260-337-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4260-449-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4272-306-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4272-120-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4324-6-0x00000000023E0000-0x0000000002446000-memory.dmp

Filesize
408KB

Download
memory/4324-7-0x00000000023E0000-0x0000000002446000-memory.dmp

Filesize
408KB

Download
memory/4324-56-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4324-139-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4324-0-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/4324-1-0x00000000023E0000-0x0000000002446000-memory.dmp

Filesize
408KB

Download
memory/4416-33-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4416-40-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4416-34-0x0000000000810000-0x0000000000870000-memory.dmp

Filesize
384KB

Download
memory/4416-102-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/4736-431-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4736-332-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/4804-24-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4804-17-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4804-79-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4804-16-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download