52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
Size

1.8MB
MD5

f7c1aad19c85bf3ecf784f5d45feb6bc
SHA1

753c45407c6d0c4897ce36cf06ea142f8c943fba
SHA256

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27
SHA512

885204f007c8320ae68f94a43cbd0ee5fc09568d6756ce8134dee1084f339a745554c9e8510ca43a9c8d866d4dc50c1b912545c6594e9bcaa3c5aaa6cecd0ed4
SSDEEP

49152:Sx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WASf+HEB0OTx8LLoZluFCmEJ:SvbjVkjjCAzJl2HEB0tv0li5C

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exe

pid	process
2248	alg.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
432	fxssvc.exe
1740	elevation_service.exe
4584	elevation_service.exe
1844	maintenanceservice.exe
3320	msdtc.exe
3312	OSE.EXE
3152	PerceptionSimulationService.exe
3192	perfhost.exe
4408	locator.exe
3484	SensorDataService.exe
3080	snmptrap.exe
3996	spectrum.exe
1136	ssh-agent.exe
2148	TieringEngineService.exe
2744	AgentService.exe
4712	vds.exe
3544	vssvc.exe
1112	wbengine.exe
404	WmiApSrv.exe
3948	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 35 IoCs

Processes:

elevation_service.exe52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exeDiagnosticsHub.StandardCollector.Service.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\locator.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\dllhost.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\msiexec.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\4b053f1cb3e2edcd.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\msdtc.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

Processes:

elevation_service.exe52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exeDiagnosticsHub.StandardCollector.Service.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\psuser.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\policytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_kn.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_sr.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_ca.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_156609\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_et.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\GoogleUpdateCore.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_fr.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_sl.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_sv.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	elevation_service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\goopdateres_pl.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	DiagnosticsHub.StandardCollector.Service.exe
File created	C:\Program Files (x86)\Google\Temp\GUM2601.tmp\psmachine.dll	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 4 IoCs

Processes:

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exemsdtc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SensorDataService.exespectrum.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exefxssvc.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000185b71857f99da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E37A73F8-FB01-43DC-914E-AAEE76095AB9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000eeb7ef857f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000041f5638c7f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-116 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9905 = "Video Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9933 = "MPEG-4 Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SBE	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006d0daf887f99da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-175 = "Microsoft PowerPoint Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bfdd61897f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b910ea867f99da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

DiagnosticsHub.StandardCollector.Service.exeelevation_service.exe

pid	process
3432	DiagnosticsHub.StandardCollector.Service.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
3432	DiagnosticsHub.StandardCollector.Service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe
1740	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

660
660

pid	process
660
660

Suspicious use of AdjustPrivilegeToken 40 IoCs

Processes:

52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exefxssvc.exeDiagnosticsHub.StandardCollector.Service.exeelevation_service.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	5064	52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
Token: SeAuditPrivilege	432	fxssvc.exe
Token: SeDebugPrivilege	3432	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1740	elevation_service.exe
Token: SeRestorePrivilege	2148	TieringEngineService.exe
Token: SeManageVolumePrivilege	2148	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2744	AgentService.exe
Token: SeBackupPrivilege	3544	vssvc.exe
Token: SeRestorePrivilege	3544	vssvc.exe
Token: SeAuditPrivilege	3544	vssvc.exe
Token: SeBackupPrivilege	1112	wbengine.exe
Token: SeRestorePrivilege	1112	wbengine.exe
Token: SeSecurityPrivilege	1112	wbengine.exe
Token: 33	3948	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3948	SearchIndexer.exe
Token: SeDebugPrivilege	1740	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3948 wrote to memory of 5044	3948	SearchIndexer.exe	SearchProtocolHost.exe
PID 3948 wrote to memory of 5044	3948	SearchIndexer.exe	SearchProtocolHost.exe
PID 3948 wrote to memory of 3828	3948	SearchIndexer.exe	SearchFilterHost.exe
PID 3948 wrote to memory of 3828	3948	SearchIndexer.exe	SearchFilterHost.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe
"C:\Users\Admin\AppData\Local\Temp\52d0948ef47e7703a74412771da1a9a855eb1c7ef9a5f207ee0f89f031989c27.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5064

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:2248

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3432

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4560

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:432

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4584

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3320

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:3312

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:3152

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3192

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4408

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3484

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:3080

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3996

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:404

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:404

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3948

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5044

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:3828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\elevation_service.exe
Filesize
2.2MB

MD5
6eda7d05df99e6735e460a8c2147ac50

SHA1
4c632eb7c7e7b855be2bfe632fdb701ae2934da4

SHA256
dc069ac3aefb8da7ffc8b311478707cd049ef3b0149d175d54c61cd607a2f6af

SHA512
e45c4a072f75b8dfcfa652daf962789e322a6bc8cc15badaa5c6e63a9b61754551e8592490d8e457b868cb14518d953fc82862882eed403e1231d414610b5b9b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
781KB

MD5
95993b98e65809762e94e554e6d95584

SHA1
5905bc4b7383a271b7b4d18ed69018cab524f25c

SHA256
baae96b9fcc325460a703c46ee0dab9214f56cc1b51281320b489d0ac7d49bc8

SHA512
66f49f8823ecfd9dcfb32875368dda89586f5c9b99d5c3cb27f7e6e6fec8eb28143f4c8537cc60a119b6b9c83cb4ff39228d92a69492149d740efcad16facdbf

Download Submit
C:\Program Files\7-Zip\7z.exe
Filesize
1.1MB

MD5
3909f0fb93c987446fe611f50e15cba6

SHA1
f6754eb4933bdc0c0333bc6c728d295a6d1811c6

SHA256
8e15f3099cc3b766cdf526daa9d3274fbfc00ecabdcd3df9414999143ffbb1bf

SHA512
62147af8c22ca7addc24aaedd4445875aba80ce28250bc81815cf6e384f05129f4bbafb42cb951a641770392d2095747d905527d28a9c4e0969a63507ede3fd8

Download Submit
C:\Program Files\7-Zip\7zFM.exe
Filesize
1.5MB

MD5
907b2ea3d5fb77abb55ed16c62d69d22

SHA1
0bb10673b494e6fe4d97556edbca422e46b52c04

SHA256
605f7118ce464b6ef70766c06c6dd25e9b16db9410daffd5765cb0443eff5786

SHA512
2b87f5269263621931ba163338f609f9515e7df38e110fa3dfb0b774b3f9cb05acc704ed6e485bec60825f529336067f3956511c43df67536059e200985eb5ce

Download Submit
C:\Program Files\7-Zip\7zG.exe
Filesize
1.2MB

MD5
f54d9f74bcd058ae64270337970e8f9c

SHA1
7fcd57e0e34254fc15af1f77fa2a89531a96b2e9

SHA256
70997a6d577f7fe5a84a04b054818a2f0e0f64e4c7a088cc866b49d81c0bfe10

SHA512
f36732b226fce593861771bb1a0dbd6ba10b907946e8b533429a258b21441b838d09e01828dc1c63e501b1fd0b06093402943b90e1c2f031079efa2448d5ac9b

Download Submit
C:\Program Files\7-Zip\Uninstall.exe
Filesize
582KB

MD5
90211d801458a3ae81ef0073990ac606

SHA1
6d8573564d0a1fe710ecc1cf20bda96d3d1d22db

SHA256
32844f3164e69ae3471cf23df47c4d5e0f63d00d333a6c209e30c86b66339f51

SHA512
deb08f5ad62dd3675e6ffeee91963973391e7acf4b039422038a9e1a647868fd92b1ae8f2e832206221b0b77e93308e59d616e9d6c4ba8b79a74ebd920b5c09e

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
Filesize
840KB

MD5
456ca4e9f560e16f5c83e5711a9cd459

SHA1
4f76601a95e1740833d0ebb2fba834bce2c7507f

SHA256
0b1da41cb8b2c3ed96d48f8e76fbb885cd45568fbd67398c6e21bbdbda9961e5

SHA512
07351ee90fc815b1a653c55198e017c451113231ed0c191d10fca098ae030088a14442f6340c0b39d63c422b30ba0dcdd04bfeff04a61d09ddd3bd40ddc12738

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
Filesize
4.6MB

MD5
e4accd49702378c1026ccf2c1678c12e

SHA1
a3612957171b067ba2ae3438ac3967811c1869cd

SHA256
df8bb754e40130237342311942374765a7ab5780630d7894dac2eb993ca394ba

SHA512
d6e64fcba260dc2aeee6629207653ef1a0bcc42045a2918df392e1cd268a2b0f77e5573da81a4751ba5b7c6d6b774c98beeedda9770c49b2e72e26c5ea298a94

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
Filesize
910KB

MD5
1387242f87fd3937a40821b6627263b8

SHA1
8c10d7c07bc969253c4b8122c9a49724de09b84a

SHA256
9b84d92c455202cd7169fe31e7bc265d707e113dce84b940381dcdc1eeaef6a0

SHA512
c83c99a3024e1f4fa24022fb9e9fa0034989f65f6e33d905f9745a30a6fae8866862f59dbdcbc0b8e823fae56be445e419f5fe8ed12c64a260905e1d39c6fc1d

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
Filesize
24.0MB

MD5
8bcf396dfd4eb251b99e49f2b35588e5

SHA1
6c98efffa8d0e6110811c5594a3eae08545b4332

SHA256
e24fda8bcd7d572084433c61c7ab6c4d8b748b985c69a76c88cdf3d080a46865

SHA512
391969ff64913a15252a582c2822a1edc75abc47be9607ce149ff09b4809c4b1d79117dd9e534392ccec104011f9640b44d74541836a30e75c5026ff587cfe69

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
Filesize
2.7MB

MD5
3cb13d1a0434ab56173eadda9849f2da

SHA1
8df0598ef286b9d6d074978633047e085a60bea7

SHA256
05d674fbf026ca15214a9f4c23ad23d043ca13deefe7ff157bb1dc9a0c627ec0

SHA512
3c94b31dd180caed0cbb08ab0f42481d431c92eecb6cd511c128205e190e180271a51de8a9e23504146f6f1c4f6c75f7637b4a17d5448292b5138a5c43862b45

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
Filesize
1.1MB

MD5
b4667bb9d9d500c0e6d4d65efb1a0ea4

SHA1
bb2f36dee74e639666c85e0fd099f0f8b4dd03be

SHA256
541da95d4ee2bc0febb48b73d13067c2b957b17f477f0590b4af3ea4eb85db59

SHA512
e610caf3c866b6eefeac47f208b2fe758e6a4dd495d641ae00b3d724a02b3eaf8f12e189071fbb813b7dafa2ddb21bdb647e2b91ae416489094d39c05541bdfa

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
8b9bcfe630e6c6e55446c3defa14720d

SHA1
6c128631de0496c7f314145f0a54aa84fe7d265b

SHA256
2f2219df5212c75347cf8fa7a0ec7f699fa7e2b44a92903e68d41174647dbf16

SHA512
6bb08608d7c7caad2d26593fe2a120da2525ab76f34de0dd764b7989f4afe1cf1e3ecf502cedf36f7b5e99a3c2ab191f22ed242348fdf7963caf77ff1872b6f9

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
Filesize
656KB

MD5
5a6d2664adad1486ce6a81903a7fd743

SHA1
e908f2878f2a008d43648659e98dadf57f44df06

SHA256
c3c7aedfa34d90237e02156d601a1ea2791dcfdee2a8bbd72c1a8bbeaf84bcb2

SHA512
82dc906f50119b3787be702cc6a9771541168672be0e09f92d0ce0d2201b690e8bc981eadba2e88bd49a0bda7c32f2bbbb25d62e5601af56254b21e6a79307b1

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
Filesize
4.8MB

MD5
2236a817e6521e4504e5aaf2c3783a45

SHA1
94df6260750383eaabbc4dea1d37dc876e93a340

SHA256
c831ba6d5fd21e211c1d672d713c8b579a893105b92d2a1a64cc2eb3a2c89f1a

SHA512
2b85fb6feeddb1a6a066d0fd34f24dbdaa3102ce7a7b70f91762293096479f87c984f611f095b1b43dc016cfb465fef94025be5f55d8386266421f87be3d638a

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
Filesize
4.8MB

MD5
baf703de738218bee69910e72c31c830

SHA1
0a1be93a888f50bedd22241c0b3f3b033022d658

SHA256
3e563bdb72b7a9196dd3cedf64c7f2961512441e000c06a169161e1b7c01be2f

SHA512
8685c21600d52567a81a594ecbdccc1ffdef7d50a91de91dd1e2f8b86a123fbce98d9019277e226ac412a8b1067e32e4a4394917c1b5732e9f24ed913150f95b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe
Filesize
2.2MB

MD5
722eeae3c2d9ff15af7bf860e44c023a

SHA1
799fe7583242ff8d8ad8737987716037fe08fee2

SHA256
e5f51b07d36e1053d12920121bcee095e7d0e13c378bd02631700e270e06226b

SHA512
de18cd421bbd19d1583ad80f49b02c712dfc5c27d307d478e05cd5580cff9638c59d38b4751fc987c1124032b8b477405303c1e6298b74b80f05ae4b05f89ea3

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
Filesize
2.1MB

MD5
565825a6466462d3194ff13810c842ec

SHA1
e7151098a427f3a2a301802acd95683415990240

SHA256
9b337d3461e853d6c0e6a710c836fba4fea8c787097b1a3eae28dc7de19e307d

SHA512
308e8f8203729a9697d7f746b46e896ce32e6a252027d39479eae9bc4d7a00c446974ec55adf66afee2cc1379365a0ce28f7966feb9ec860d23e24e048650639

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe
Filesize
1.8MB

MD5
289d00caf8dd8252deed55e0111fffbf

SHA1
9e82fd9206a6ed6c804b025ed1ef2515234c0d3b

SHA256
8ce641ac6573fe6b7e6d8cdf5563614864f8f04c1ca8992c571e18ce676ad55d

SHA512
5d38ab598bfe0a7eef5d498150aab7fa27aa4515367de3b4da2fd62c81f7749900d76a9d7d56f6774fd59975b935431609c815d95f6cebd929c5e4012e8ab1b7

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe
Filesize
1.5MB

MD5
b74c72773967c8ea3a5b3d461138a961

SHA1
4f79bee45d563eae5c1a9cf98ed3db4a8d134bc7

SHA256
f5cef799d038b9298418dfe24854b4eaacc8aea26a8d2b158a28a3f1b1abcdfd

SHA512
dd39641b9175d03b489b0282f8eb66c007d905d42c802df9eaa7fe38abf4e7f7fc7c79c178621b15540c976e716f5fe9df4fc895a3392a1857159a3cd0acf971

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe
Filesize
581KB

MD5
2db65f26f17b50827141ac9a36a59cc2

SHA1
9a1c3dc585f5eda1525684e95d3f8cf57c7d4d68

SHA256
a16d146aca116b93afb32212c5b3309fb7d27633396a66308bad281b7a495dde

SHA512
e9779cc5ac5178acea78365670ed1ea366e4d7858170ac70d307de4fafff014a92d944c12fd2f225e48f59fd46ad0caaf2db2a88b56a527c75c629159fecab3b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe
Filesize
581KB

MD5
693cf27e87a56f9404e5df15ed4f1139

SHA1
e2ea929873aa392d92a2bb925bb78ea1dbdafa90

SHA256
2040a28cb3a862a27127d2e94d2a95319011df98783177144185c5a1dc992b5f

SHA512
278ad87cb1557785bf8e535c49164587996dd26cd07c679680bc53751011e1dad0b8940f68c3ca4062e50becc29c77763f4bcc85a26fd00f03ec8d966819a623

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe
Filesize
581KB

MD5
61da9cd88707b50d074b6752879a9c4c

SHA1
1fc5de656d38734021d6dda992be5bc83371b44a

SHA256
3e17b374b713d976566fbb5bcb8f11579b9d836b5e72f3f43b1cc1a21e59cda1

SHA512
c11071d39b8e1fe572576ee102fcd04c0dfbb600696338af89a6724a6bbaf08dbf2b50526ae92e41cb1b405971950e771ae5a9fa3362367bebca31a12e3d61de

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe
Filesize
601KB

MD5
ce7abc8a88f66f2182be736bb2d97284

SHA1
92028643c415f7a49a489c2d208766b539e45bf4

SHA256
b5dc3d3dab677dc3ac181f8cdea026e05ea67b55c946af874b980a8876d121db

SHA512
1b88a32cf44070f4dd2554b2d44e0e3dbd8a657e1bfca970aa0dbe8c39e9c59c21653c19c18b6ba80a2a69f4d3efcd0c8abc45828fc8ea9ac1dc4e4c5ab62f4f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe
Filesize
581KB

MD5
3296dae0085abb4588012dd9bd1849be

SHA1
60b069e594d0c271eab982f2cb4b6eac14258eae

SHA256
1845873ae6b9cdfbe2fe458a433ba1e4446391b4bae7f5c3a8d967478ca9d7cf

SHA512
c1fc91de73cea31114ba4fa2ee97a474aca3ddce388de970c2fe763cadaeb4af83c54c94be6bf8b23d5373ec67c25a1fccbdbd809aa54e8f3edba40368b7d426

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe
Filesize
581KB

MD5
270c4984f566f3b0ab174ee409e48e5d

SHA1
33924d089b003b6cffabc98cc6dd179b1f1f32e7

SHA256
b306d0cb1483413943989363d4a4dc36d1bf57529eecc329a3a1d7e47f10a64d

SHA512
c3770e4f809b2ee57bc189778a4fce44ffe7e4cb26b9f7bca8c78db5ead2b099919aaba0771c558e4117baf96f0549ffe4236638c2c3f8300b9bfd534898ba06

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe
Filesize
581KB

MD5
8dc1d5f2e179e452e6152aa70d380274

SHA1
735ae082e8cfe6d08b025467622fbec45f4b3d68

SHA256
6a8b0cecc76fcabef9795ec207d3cbecf7316f0e85ab39ce16d7d47a98f63e46

SHA512
77c459ef0064555e31affa8fe31713388cd61d787258eac2208e82782118de6bafc691e02a9e0c6e092f00b7452a39acb3d9cd7fc9cf54ccef2efae72e99fde2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe
Filesize
841KB

MD5
61a91f183bb9d2066d1c470f2671d672

SHA1
5077009198a723e733cd4bcf10b3fb5e7b5a388b

SHA256
c2ac9555aaaa8a25abd5b4e543e6825910faa6b4e8c3aceedf8305589d8ab6cc

SHA512
583dbdcbc725c32d670ebed3ad3690dfc936cb9ecdf0f393feb42a8aa2475a9fdf3b7225aeb24469399418a61a93300dbe41026f965c5bac3296622cf28fa237

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe
Filesize
581KB

MD5
66c80e2b2c75a1ab8bb9217f9deb2210

SHA1
32752be3aefc636f46cf2cf2b1161c47eb371514

SHA256
dbb68b14f10309c9ee9155cebe1c7d1d7b7a4ac98156e8407cbbf2c492c1bbd4

SHA512
f676351e7a6b6472cf3b0462dfe0d1d7756540b3589aa3cd90798a326abb1d0de819acbde0ada5985b869d9785c6ee495b368338d47103d8879d0e716e2f3a66

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe
Filesize
581KB

MD5
cc50c0ba29d0bf3920688eca239c219d

SHA1
b1d8b9ccdea1596a5de29f7b34cef83d012d2e57

SHA256
ea7d389899fac9a749dde20d22b4324c9e4f4c41c01d6376427952afc868c5ad

SHA512
754a5bb5c261a38e3d9af9142b8a812d50b0ca99de9fe9a6448f97e0af493aa6ba30f519387aefd6d17667de061c2d93a263f26323dfadbba537cc5794adab1a

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe
Filesize
717KB

MD5
b74fd5a8cd22334dbc9b0a1fb388ab79

SHA1
eaf73331fa39fd0290e60122cfc68d7751610d7e

SHA256
89711efd96f0afc009121cb15b91798f078ac2ddf29fdab91065824125223c1a

SHA512
396b46ee6ebf97bc48c9632849246903887bafd21bc1ea65c96fb27c2aa0dd363181f56320cc67fcc2934b14f987857bc7ae4cd3463d848b6c17b6cd9cb8ab33

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe
Filesize
581KB

MD5
9de89eaf8f261c35b2514c63bd888108

SHA1
bab14105f5c55da57efadfc1465c2c1c40c502be

SHA256
adb9dcee6e3cb33616319408131a2698bb1d118e2bcb4e6004c0eb80a9c27dff

SHA512
a1387b713a4995e03cd860a816fe15a8054e37ecb4c4e63946adb16e1b076ab71bc32a106cf8a3fac9194edf5dc1e707a8c02f5b6cbeef80c8ae93000ca25115

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe
Filesize
581KB

MD5
1e03454004ec0e1680eb13e4d6995ed3

SHA1
06a9a7b962286d131786ab88f1f970a97fa74539

SHA256
1d3d01642b7f43e21593563e61c7da195e79fa7c8a8916d361b15666778d855b

SHA512
ae280f6dd32f69052368f54dbd12b3e0b662780577f48792a2d23989662e48fbe646074c30c7117e29d625b2dd8f4eb1111ecdcdea4e8e3dc1bae8fbe7f77bb2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
Filesize
717KB

MD5
84094083f18ed4d2a498fce785b5c52e

SHA1
8c65febed0337b577d41efbeaf6819f25e03969b

SHA256
ef6d9298ed4287291ce4e7074d01811dcfe97b286a482a5eb965377e75b6dc0f

SHA512
4f672e84be2c40a219935a4225603ec6e0d5f3197f3a0f4a03e2aff9a733a4c50d814a23d19c407c37b8ded1c2055ee5d92ca87b6111c2cc1c91bff024b1926f

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe
Filesize
841KB

MD5
6fa6dae7b06923527f7f0203ea84fe37

SHA1
8d06f09a17179245435501956f5f31e479a21bec

SHA256
24aa43d862630c711848eb3bac74c04c2cc19425263025e6b06f0270ca35e08e

SHA512
37ab44e01f8c28dbb535b8b070d64818f9170d8c0e2c00f9be14053231cc3e9e51e11363a4d62495d5e9837b5df0b0c194f7f19ba961616c2830e34ce493c832

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe
Filesize
1020KB

MD5
7e84e4aaf50f4e836385a2b9ed2d8017

SHA1
b7037fddd03425ec485707dd357e80bf61beb982

SHA256
2a1643bed209b5985278ced7fa5ca7f3227933f481170ec1b019589146ee6af2

SHA512
0c813213a922b0d08c977230d467d39ea8026f72729f43ca89b633332679a6c59c4a79bb43cebe5bed7e7c6edea0ff1fb69b35f54aef18fce52e8b3f5a90b8b3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
Filesize
581KB

MD5
63213cda96556ec069cc19708d4d73e7

SHA1
8f14c4eb96f65f260585ef70000cf65299013143

SHA256
8da2c897f25d67179ee984f315b1c6de71f1b17e9a2a5f02b6c88cd02b11ee61

SHA512
988807759d2599b389e5740ac944515c517d244520496d2eedb88db4f6d2ecfcf710dbeb4dfc356387e10b90202d136194e097a287cda11b239ac618b6990d97

Download Submit
C:\Program Files\dotnet\dotnet.exe
Filesize
696KB

MD5
374f5d27091f374502b6bd3c89535682

SHA1
e2aff5ae593c17ab4b8996f498a1938bf9ed203e

SHA256
fe43b43e1c69068708368f3067ed68938e1fc2795b80207138ef0ef5f511843a

SHA512
31039fa6ffa25902e2c3c40907c86af1793043c625d13cca7e93a25d712efe2ed63fea77429fd17569e045c53daa77591e5f280fdb32bf1d1983d86db349b15e

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
13dd949b8636466ae5d84794223829ed

SHA1
68a68b1e1023d4c5a8f3c1779127bdc05d96d2a8

SHA256
36c4f779e01f0b7ecd2f982a26b5d994c23aac2ac1e6a4290330cb478847419d

SHA512
1735d7c7289b547ac68ed37cc3c651db28cc6ec87bb6ad4eab72e2f9a6d59a5049451666dcca175a9092d6fa80b054ef16b1cc08bca1ffff1f6a54181aed6a34

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
d9beb2d4cdb01c5e66a6352ed332338c

SHA1
8d58fa77427e2b4c6a956feea4ee81a72be2cd2f

SHA256
ad4e2bf1369e5a7ee2a9d4c5cc1c3f6176fa66bccbced6092296ad80a46cffcf

SHA512
9ae079bee01a2539af3563b4953f532e033cd54b8fddee702c8c51c8485a6aa9122581d2af4601b4852ea99788e0730a9f1fc9566902e07f0c317f3182aa54e8

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
4f13cfe61649c1a2bc266583723215eb

SHA1
a1f3657e304ab90aed92a5fb38fc4e94e80732fe

SHA256
4e147ddcb6898ca524c87afd3c81869ce4f9c7f3d89086f3819197564c505dfb

SHA512
49d55b012a025fe02fc11beb614c14eb490a11c829bf70f97a3846c3ace971961c10c041acca71848e19f5c5d1e8e9bbea9e31381aca7e1eb7a37de36430160e

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
dd1d6c692ac6bde932f06a22396dcb5b

SHA1
a96be8a30e6b8cf64bcc08cee2b9f3fc5847b8ff

SHA256
d99f783ee58964d2c5641a2af2e6818cc04f24b2e366fa4cfeccc24f3e3021ea

SHA512
02d9b7eff6e411444a0bf7a56f79877fb9d753674d678124d870eb3a9a6eaa73e05a1508c87298eafa429179776cde456ad8da2f9e1c2429d81f53b520396fd0

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
582447836fea237e93cf755168b8cc47

SHA1
26fbc23560b91b460779dd6e7c58a818d0d7cec5

SHA256
fba856fd94145f26a586aa4f15c5bc8397368671b2919be6e2fc912163434a02

SHA512
989e9649ff9a27eed39d28d8025c3841fddd6ff33494bd5151d7449548f84e90ca2ce232bea35a03ff0fb840cce0aba747ca9daa4ffd4315a64214c67aa1d86d

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
2b27267a3d12a14861865bfa21fa4855

SHA1
42995a615857a16d4490530c89e9ea8cff058b4a

SHA256
be81e5af4c701321e3345aef5f35ef01345d6b01f3ae223b83156c55f1d932c7

SHA512
a7b5a3abdaa887991afd1b7068508e69182fca1ce752dcd5d089f0a065daa44d86e48d2928327b469359dc0598c4742859794f36b180b317a8118a8e33853783

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
6f6bace6ce819fe30be493f57ed10a9a

SHA1
065a8e08663424472423250650023dfd5cddbdbf

SHA256
d6d11a0442bb54af560dd3724b82296072e28288467b873c22bd488afbe51c66

SHA512
c30e7c5ed78cb73e62adbdade3398b9dd9a9e97a7b56217759b19f8fd90442729f733225932e0e218b8a71bada0880378cfc1b64daf7ab43c640b17fb3e68e7f

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
5f3d845fc84a00cf376fc380878ea229

SHA1
fa9a473a329ac2b6119df760db1933438c6cdd5d

SHA256
980f20033d631d658e474ca7f3122dc0662e7f94986e6e2af001b493ff5b7ab5

SHA512
4cbaee768ac7a920ed02387e7156c6c698e0f6b64231bc03d3fc58c2091b61dc38c72ea8869927eb7cf5fb0d484f2a728a925c5e62393a075399925bf520109c

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
0e5e19a9c488cb5a6328d652706e1df0

SHA1
9108f3dda349f9efc8bd7227f8a7693c6571b9a8

SHA256
bd7e46b833c04efaed91cf4de5a1a90933f72f3b12a5ee956389fb14f4d94d65

SHA512
437e31f75a4a8b455a1f4f551eccd91f6efff7219175e61cc0121287021e980cdee4158919b5c83d5345ce3e2a8d7c2dfb47c716859792070b71334aa0a59682

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
d14824833136b18ddd997ed27055fc54

SHA1
d2684cfd7d3d7af05e3480ab2a92f99a3734e7c3

SHA256
48a3732bc07ba19bca47620c31ab02be60d911a7b939f5c17d4ce029ecbcd8a6

SHA512
fb6bc053ed83cfb3cc724008ae4bfb7ddd04553c6bfb117e8170558c0ff0b4763ce397e3d56d42a3ccac2833bd8863430c16996fc5a1a07ec83d06ec495a90c9

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
aac619350def6c745f563016ddc4efd5

SHA1
4e0dd395c86d2425992d7e447b20d1f0781c8bea

SHA256
f290849175113410c439a667459b2bcbdb59221c8fa5b42f589b9e6d8fac1f9d

SHA512
0785dc85aaa7a7ef6c5cd1838f069cf94ed3356dee75d8b7eab90657eea29aa33fbc9c4a419a2eaca6efab0e59bac3f8bf8d76db60b38c3fdc3f640ef21f9a03

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
078b0611d355f9d0b8916d4358ff6a9f

SHA1
58306ca512cf6cb235f2e373e8d20b795ab8cc13

SHA256
53de7558211ed479ef66ad1214708336f34d86f4c2b9bf843cb54f0890b667f1

SHA512
b4c590ff9a82bc619eca1a511cc9f9b06acf38f7eb203758fb84e732ae20c3752aa63f360accf75d6f5eaac4946c4362fb165dd13fae62130bf4b9a407e89282

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
6f60b30174a05fffc0a4a7105d8fbbce

SHA1
6a00582d26c4bc82818f3b1469a1eee1f0d889fd

SHA256
4a029d4dfc6e2eb7ed581ed8128f0fcc8a57495648ea96434f8934ef1f67a6ec

SHA512
f7f7f02f31ab8edc3bb909243ae767f91ff7a5af7aa3f2a415375f6c90385ef5f8142561d2c48640645a1c04c1413da4de13d87e66f2679697d6dcbc25a543b0

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
8e31f985481077c0c265ce3aafdb9913

SHA1
a6836a24d5fe5f03e3b96da455f108b792d82d1f

SHA256
6809863c96cb94da24256ea35a5e6ae940de84f4392a7b694181449a9e38cd73

SHA512
77e46db223cacbcbbf95f0baf92a015796f8e265f664937ea49ca1e91913ce08b93f73ade29624cac9ed63f7c373c9f7bb523aaeda4b355e2e0549aa8e801c57

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
3742f7a445eb6b1ee564989b306e6eca

SHA1
6e8d86df0e0f4f337ade2eb44e53b45c2fbe39fa

SHA256
368a59c2e70873bd4104183787db3fef1829f411aa324b6cb2915b05b813c21d

SHA512
c4b885ce9fac1b8198704f8b0fa0d5a88e27cd1c3a17a5a70c8edc38e9b1b7bcc4b81adca65ac1ea0756b2937f8b9a2dfa346a49c4ffa2e6d77474bed0b9476f

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
f9f97664cea459880b11411fe122a9f9

SHA1
d20ca83dc5de50308e2dd286479cbadf311e25ec

SHA256
7ef8a1b53d419459204a9727c7fe5d13cfd19f313adf001e608546e68d86baf8

SHA512
5bf9a5d6ba7175fc78d040b28825dedbc9e058748e9f84a9657651c292fdde076d2eaf927899b0c7551580393fbda8acbfe5916e3db047f0e91e593d5ab35aaa

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
a7acb7932ede1d7e243d5033e0e46bae

SHA1
718e882c38323fb163b07896b22d43dd7207bc73

SHA256
9a89db397860c70572c58a6facd176b05011e147822d0a0af4a612f05d6d88d9

SHA512
18f7a858a0cb1a311aee2ee11763a4d137ef5817c3b16becbda68b103eb7d03b906f9e08543916193eb9de49f3ddb156f3903261d0f4db43aeaaf1f28c6bf8e9

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
8578cd8620e8b63ca70a742925c13c27

SHA1
8980a38c4c77c06ef66d3f25b060a83901a5ed73

SHA256
bef790011d433556fc6b0de2d20404756fee6d82d6e844447a090f9f444329c6

SHA512
8314c9bb19e74c6bd877e7f962fd3562f5eeedcafab4ba75d8ad6f84f97484461983c4d5c6f87604e3daae53568983a8d2c76862149c9fa304fba2a334344fbb

Download Submit
C:\Windows\system32\AppVClient.exe
Filesize
1.3MB

MD5
fdd95e4a6bbeadf3cc7fbe3c012fc70b

SHA1
b6aac4d162983f2d44cf0437721b753d548ad2f0

SHA256
fe49068806c6e6f71d76a21bc1866cdab75e9b6bc06e71fdf86a14f595afc2fd

SHA512
563292ffa025ea92b4444c63e6ad7a748e45c9c3387c3476126e99bb9a0e43a5982335bc2205b5cb337da6329538390344f790b6d7817fa114f0b752d08ddf58

Download Submit
C:\Windows\system32\SgrmBroker.exe
Filesize
877KB

MD5
6826f1558242c7c93745a38d00a91122

SHA1
28a1f8844963636efefb5ad319132f0a904a6b69

SHA256
79f8c3f507c73828232573f6b56bce1b86ee462c122d9a3269c8bff4236f11e8

SHA512
4b8e5e671b5da957407d6a5ccb82030f012c51eb79da468013f6f7a684909277e2894b143f51dbe182595d2fae147946b5d15a71a29bae420c483e4db4f09133

Download Submit
C:\Windows\system32\msiexec.exe
Filesize
635KB

MD5
9a083136ba726375615b82663f14571a

SHA1
c5ed10a5b9ad888bf7f022a26c849815ab40ea4a

SHA256
68daa12c2357b86c25d93958f2b5d03fa04fe4b097bf2b0121ca2d21eda350a4

SHA512
8aee3775a58fb84468472abab15826beb91b967ab51ebea1d7bcc93fa32f83d0c4d08fe26548aff1fe393ec4f6f08d7c0975c8bdaf7b698f8a54a43908cd6ef1

Download Submit
C:\odt\office2016setup.exe
Filesize
5.6MB

MD5
eb0de1b19670c106159a148279acd8de

SHA1
629e9b47a621097cf28a7d99fd05d448da1520cd

SHA256
c8533c6caeb3d069635c414d4d5b890c4970ec8077c7ad8d55abcceb45aad455

SHA512
fa669d866c8ce8812f1e399201605910088df8fbdc12b74439b7756eff1eff40f13b5ae7f45f3e45f9e1e0edac3dce0e020400925d8775c840009d35dc7fa78a

Download Submit
memory/404-482-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/404-662-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/432-43-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/432-99-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1112-479-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1112-651-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1136-457-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1136-274-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/1740-101-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1740-107-0x00000000008F0000-0x0000000000950000-memory.dmp

Filesize
384KB

Download
memory/1740-109-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1740-190-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1844-139-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1844-124-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1844-130-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/1844-123-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/1844-137-0x0000000000CD0000-0x0000000000D30000-memory.dmp

Filesize
384KB

Download
memory/2148-558-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2148-466-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2248-168-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2248-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/2744-471-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2744-469-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3080-455-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3080-187-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/3152-164-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3152-157-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/3152-428-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3152-163-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3192-169-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3192-170-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/3192-175-0x0000000000620000-0x0000000000687000-memory.dmp

Filesize
412KB

Download
memory/3192-448-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3312-144-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3312-412-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3312-150-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/3312-143-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/3320-392-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3320-136-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3432-16-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3432-17-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3432-179-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/3432-25-0x0000000000730000-0x0000000000790000-memory.dmp

Filesize
384KB

Download
memory/3484-413-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3484-183-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3544-476-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3544-628-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/3948-664-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3948-486-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3996-191-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/3996-456-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4408-180-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4408-451-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/4584-119-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4584-113-0x0000000000890000-0x00000000008F0000-memory.dmp

Filesize
384KB

Download
memory/4584-112-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4584-273-0x0000000140000000-0x0000000140245000-memory.dmp

Filesize
2.3MB

Download
memory/4712-473-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4712-625-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5064-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5064-7-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/5064-292-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/5064-6-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/5064-1-0x0000000000C70000-0x0000000000CD7000-memory.dmp

Filesize
412KB

Download
memory/5064-135-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download