e9b52b00b032679dcfeef69d208f202137a728f713c5d04c1f439c7138cf26b7

Analysis

max time kernel
599s
max time network
606s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 10:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
Size

1.3MB
MD5

658658a15dba58037d7fcc138a498e19
SHA1

0dc27e7ed4fe55da04aeaca909ab256ff0b2ae84
SHA256

16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c
SHA512

34b9770c83ace4a5a4270486f18ad896be22fd93d1ed910a8bce3e930401213b455e51f3f2fd1ebd71fe04049b2ad01d5e79c8a47164e0bf38e202951e2a3832
SSDEEP

24576:J/zlUFcWcyCL1yrtSAzSpNjtnAHcnQO/k:JicyCZKtzSpNRoO8

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
1420	alg.exe
4632	DiagnosticsHub.StandardCollector.Service.exe
1284	elevation_service.exe
2476	elevation_service.exe
264	maintenanceservice.exe
212	OSE.EXE
2584	fxssvc.exe
4780	msdtc.exe
4204	PerceptionSimulationService.exe
2700	perfhost.exe
4448	locator.exe
1456	SensorDataService.exe
4420	snmptrap.exe
4020	spectrum.exe
3760	ssh-agent.exe
3296	TieringEngineService.exe
2236	AgentService.exe
2704	vds.exe
4804	vssvc.exe
4328	wbengine.exe
2372	WmiApSrv.exe
1140	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\wbengine.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\msiexec.exe	perfhost.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	spectrum.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	spectrum.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	OSE.EXE
File opened for modification	C:\Windows\system32\SgrmBroker.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	spectrum.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	spectrum.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	OSE.EXE
File opened for modification	C:\Windows\System32\SensorDataService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	spectrum.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\61f71fa6358f2c5e.bin	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	OSE.EXE
File opened for modification	C:\Windows\system32\fxssvc.exe	OSE.EXE
File opened for modification	C:\Windows\system32\AgentService.exe	spectrum.exe
File opened for modification	C:\Windows\system32\dllhost.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	spectrum.exe
File opened for modification	C:\Windows\system32\msiexec.exe	spectrum.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	OSE.EXE
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	OSE.EXE
File opened for modification	C:\Windows\system32\msiexec.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\dllhost.exe	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\msiexec.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	PerceptionSimulationService.exe
File opened for modification	C:\Windows\system32\AgentService.exe	OSE.EXE
File opened for modification	C:\Windows\System32\alg.exe	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	PerceptionSimulationService.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe	perfhost.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	perfhost.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	perfhost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	spectrum.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	perfhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	perfhost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	perfhost.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	perfhost.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{7C5F1F7E-8F11-4C35-98D2-5907B947E9FC}\chrome_installer.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	OSE.EXE
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	spectrum.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	PerceptionSimulationService.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	spectrum.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	elevation_service.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	spectrum.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	spectrum.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	DiagnosticsHub.StandardCollector.Service.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	spectrum.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	OSE.EXE
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	DiagnosticsHub.StandardCollector.Service.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	PerceptionSimulationService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SBE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000678bc735c0b0d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\acppage.dll,-6002 = "Windows Batch File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-4 = "Microsoft Simplified Chinese to Traditional Chinese Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-10 = "Microsoft Hangul Decomposition Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\setupapi.dll,-2000 = "Setup Information"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000badeb333c0b0d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-6 = "Microsoft Cyrillic to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.WTV\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-9 = "Microsoft Bengali to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ab328433c0b0d901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bf8f0234c0b0d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007fb6ac33c0b0d901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
4632	DiagnosticsHub.StandardCollector.Service.exe
4632	DiagnosticsHub.StandardCollector.Service.exe
4632	DiagnosticsHub.StandardCollector.Service.exe
4632	DiagnosticsHub.StandardCollector.Service.exe
4632	DiagnosticsHub.StandardCollector.Service.exe
4632	DiagnosticsHub.StandardCollector.Service.exe
1284	elevation_service.exe
1284	elevation_service.exe
1284	elevation_service.exe
1284	elevation_service.exe
1284	elevation_service.exe
1284	elevation_service.exe
1284	elevation_service.exe
2476	elevation_service.exe
2476	elevation_service.exe
2476	elevation_service.exe
2476	elevation_service.exe
2476	elevation_service.exe
2476	elevation_service.exe
212	OSE.EXE
212	OSE.EXE
212	OSE.EXE
212	OSE.EXE
212	OSE.EXE
212	OSE.EXE
4204	PerceptionSimulationService.exe
4204	PerceptionSimulationService.exe
4204	PerceptionSimulationService.exe
4204	PerceptionSimulationService.exe
4204	PerceptionSimulationService.exe
4204	PerceptionSimulationService.exe
4020	spectrum.exe
4020	spectrum.exe
4020	spectrum.exe
4020	spectrum.exe
4020	spectrum.exe
4020	spectrum.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
676	Process not Found
676	Process not Found

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	892	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
Token: SeDebugPrivilege	4632	DiagnosticsHub.StandardCollector.Service.exe
Token: SeTakeOwnershipPrivilege	1284	elevation_service.exe
Token: SeAuditPrivilege	2584	fxssvc.exe
Token: SeRestorePrivilege	3296	TieringEngineService.exe
Token: SeManageVolumePrivilege	3296	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	2236	AgentService.exe
Token: SeBackupPrivilege	4804	vssvc.exe
Token: SeRestorePrivilege	4804	vssvc.exe
Token: SeAuditPrivilege	4804	vssvc.exe
Token: SeBackupPrivilege	4328	wbengine.exe
Token: SeRestorePrivilege	4328	wbengine.exe
Token: SeSecurityPrivilege	4328	wbengine.exe
Token: 33	1140	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1140	SearchIndexer.exe
Token: SeDebugPrivilege	1284	elevation_service.exe
Token: SeDebugPrivilege	2476	elevation_service.exe
Token: SeDebugPrivilege	212	OSE.EXE
Token: SeDebugPrivilege	4204	PerceptionSimulationService.exe
Token: SeDebugPrivilege	2700	perfhost.exe
Token: SeDebugPrivilege	2700	perfhost.exe
Token: SeDebugPrivilege	2700	perfhost.exe
Token: SeDebugPrivilege	4020	spectrum.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 892 wrote to memory of 5108	892	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	86
PID 892 wrote to memory of 5108	892	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	86
PID 892 wrote to memory of 5108	892	16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe	86
PID 1140 wrote to memory of 4300	1140	SearchIndexer.exe	118
PID 1140 wrote to memory of 4300	1140	SearchIndexer.exe	118
PID 1140 wrote to memory of 2316	1140	SearchIndexer.exe	119
PID 1140 wrote to memory of 2316	1140	SearchIndexer.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
"C:\Users\Admin\AppData\Local\Temp\16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892
- C:\Users\Admin\AppData\Local\Temp\16edd818c1d3c100aadb6492597f3d3b0b253efb3cb72f312e6fc9299357985c.exe
  -deleter
  2⤵
  PID:5108

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
PID:1420

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:264

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:3524

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4780

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4204

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4448

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:1456

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4420

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:3596

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3296

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:2372

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:4300
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
9bb64575cb8e9d41929f74806db384fa

SHA1
3b8f01e07a2b4f08b0f731fe2c22f620c20d36d5

SHA256
aeb5324dae6d5937ffb9253a6ca4e4ad53b5abcf131969316a580625d9570eaf

SHA512
97c90d74ad9d1db3c0e19f2cc637386a13922c7b46a11614d3242f44ed8723a92e70200705f2894372801e566046b63b6dc4dc77255c0ee1c62f0f1a0d1b7cf9

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dd99536a772b934c84caca79300efb63

SHA1
89bc355d092c1f1439cca2d31702dff64e2bb961

SHA256
cde2e816fbae6a75cf17e05f7c521bb12702ddfbb1027f012f3f892d9be830c0

SHA512
43e9452bb8e25eddc0b2370ea2888a34cd403a14192552a7842d3b9637b1585fffc1bec3268b91dabc9e5c94dab11d2f8e37fe03a3407db2dc6c647d31838662

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
dd99536a772b934c84caca79300efb63

SHA1
89bc355d092c1f1439cca2d31702dff64e2bb961

SHA256
cde2e816fbae6a75cf17e05f7c521bb12702ddfbb1027f012f3f892d9be830c0

SHA512
43e9452bb8e25eddc0b2370ea2888a34cd403a14192552a7842d3b9637b1585fffc1bec3268b91dabc9e5c94dab11d2f8e37fe03a3407db2dc6c647d31838662

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
cf33d2a26a3fc1d9c499aef5ace48a09

SHA1
f9341c0672cf836f460654d7cffc29cc19eb7858

SHA256
b4a68f85e71f4caa0b3ec202b60384b555dcd1a7fa6abd65b0fbf9b9e9a08969

SHA512
724a687920e78ab27de2345441879878082903380ef5c1b7d45f09350d9800faa1b0d4141bcd68c406a4a3c8d0979170f6408bb0c51a79bd361c1fa164f94bc1

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
98beb1582bb3902907fccd78e2ac1439

SHA1
40cc02bad39c7e351c6170b94e8064ebe993746e

SHA256
9a3e90f357fc2ae3227b75d5f94c98bbe8e2889915a78d73e8e464aab8d65d89

SHA512
99f23b64612f370125564641e769b30826dc2295cefa8f1adcc706f4a3f8487d152a6c7d260ac868d38dd2843c55716bb71b8c55802cdbc4bc1d235256693ea2

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
e25a3c09e294c1d4d0a51089de899080

SHA1
fd0b107839ff144f55517b1bf8c4b5251d4e4dfb

SHA256
5db60bf6a14798d7a4447d3992f46dd26775f16394b5b6726a30f1738d204828

SHA512
6449bf51671383a1585de390a65878952707dbf5df47b53214fbd2c1473b01096ba29699fc4ed1046aad042730698fa3eabda0b37ba34983d6c66a0ca84ab62e

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
8e7669f21a31464fcb68d36dfb8684e1

SHA1
e2685176d4cb738454fa2c46ba38b8a0838c9995

SHA256
093da30e95adc0fca59fbf23a777f1587f0868308e84f3d756b8425d06956a3c

SHA512
17faa552d90ca95af165fb8d23af2c78e1f2c0e0e8a13ce5e1650ecb449cdb3e00ad3c382da8eae182009424e6bfd93eda07e9ba18818e4e463399b14b412708

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.5MB

MD5
ccf11f5c17d05a31658166ece856d7e2

SHA1
fcc97b9cd562271c226440ea4780e5fb0a337413

SHA256
0d9388f4753ebf070ba8a1383873c8c34e23330c0c5669af2f84ec571b826185

SHA512
ae26f7a42021362f1ed15776e8ec1a5d7198ba1b3ce4399a3d560ef3de6c9c8e856e167be8a8aaf95e6bc9e88a63ad4501f262bd3ea21b452276a77f0945204b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
0a75deb875a3af8ef5bb678cff03be2a

SHA1
0abde1b9442910662242dd234aa7bc2753b38f0c

SHA256
ed8d5a2d9031ab1c3e88a9a451e387e89707c0aefcc4ad8a741fdbc7e8f20730

SHA512
2c4a23570e12f1110644f0e88390cdbb2624cdbf82e194a4d9c75e386195aa1a24edb0f0175df93e5d928546be3d5462734a24a9648c9feb1647898713bd65b9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.6MB

MD5
7d66b6c4a2ddf606ad08fe02d314710f

SHA1
fe3b3e3869c4bdae9de537e5dfdc478080daf2d0

SHA256
6a966a438cd5f1d3bb5864e2ba76eb7e7431f7d05c2d21dc9725f61f33a00fb8

SHA512
2907d369158cc0665dafb3014c8bccc6df1aa05172c9a212ffcf2b5815ddb43b278bdde5d1efa61e8ef3db04de2ad6c6f5c678191d47734db165a82f7a879df9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
54359356ac42caab4fe39437c133ee19

SHA1
14db040f258f607c8d95fc604b346c6d464a73c8

SHA256
d9a094284aeb37f4adc4565b0a215f83be3b11fe3a9633aa08ab4e40bbb7cdd8

SHA512
a3799e286b013a7b06cfced299446923106bd5b53f94bf59841a9caa19dea570d7417970b34f4153f068ce6f50dfb48bbe1324d73303326e5ac16c93bee882d9

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
e2cd0e73cd2056500dd4fe2a5f5ee9d7

SHA1
d7aaaf11529ddb8f95a56cf2d464aa615adfdfd1

SHA256
5efdb278b8ce2583504a09c2aa895a5a4d7e1151287031b8afa5ac9734b5d8fc

SHA512
07050855032920770ca63eff41509d072ea5102d4a7afbda0d694d240311a23c9a0d1d97bfeebfdd50cf76aa0cddf7717a314dfb89cd5a2dde09877eb6c86ef2

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
c913a5e07ee44333daa39f8f52b1eb3c

SHA1
fb84a88d997104875ced25104aafec057b912e6a

SHA256
a0249bdb04058dd4f9e4aa7cf88d39f98fb34d4fca7d268db2650b18f48a8e7e

SHA512
9256a286a5638956747ee82d2ffb669beab63d4a6b16286457523d4a197561053c2bd58418c52facd4149fc6e92f72c1fc14cf415bb35695940c1dea190c4806

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.5MB

MD5
051fbcaeb4364fded479d92f20a6c842

SHA1
93432186464afad3dd89f62b7b25258b9bf2b95e

SHA256
7354e1bd6be6346061a117f4c9cd567d512b5b6c1d906f4d2ba4ce1db4dcb9e9

SHA512
8a2d05d08ffebe7b32831ce7116032673475e5fe797bf55b00427ff6f23b7d01a955add0b2ac2d44415ab0b3bf510d9dca49d2c7a3f586917b80da123cfe23e1

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
cff2223b010d38dd90eb73e95a2014a5

SHA1
4d392d232f32bcf38ab8fd745704dcaf9de86fc8

SHA256
3788a955143ae75238b2c288bc221b022c3313120f65a17d07e1777e462a540d

SHA512
ef1ad75855b90d2dec58ad9027381e80dfca1eafb2de18ea528db14bc023db33acc71df0bdc7b268663f7c5154b1f676b2eb90e32cc3ca679973cb483303255b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
0ff6185de76ac50352fee0535b2c4921

SHA1
b4fc0edb549c4178ca722b7ab2eaabfa44a9d635

SHA256
f22a6e650f9fdf656426b74d93b90059e1d06bb383ff24bd98ae7220e812295f

SHA512
e131a0a0f883d8d2e0a284337b008aeac4743ac982e1f4026ca9e788c553220ea85bbbe260cfce7eab4e114322e410faa3ec55da3fae28a1822f19e36b9ad4ae

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
c0c463b0ee78f60736b461fbdb36838a

SHA1
0469c72b7bfed4bcce788b959218d827207f83c5

SHA256
4a93013e6de28b0713a95411fff23625c800797ec44323c9708e49e1b20443cb

SHA512
b7863e3c587c9e95f08f559543d34eca6a4a4b3c2da475d956fb370019e7429b04a97628eac7ceff45364f57641f45ed23e66dae08dfde3359bbca037d5d1e20

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
4ff1148999d0d5d639e048c758c6e85a

SHA1
fa582e049308c5d41eb44bcb0e4f76458acf99f6

SHA256
9dbf9da7a11a47354d3d103b94809eedeb549a4667c0b62b4d077e849cca36d5

SHA512
b3a0d2b6a515927dd1d706b1239a27c9a94ef7ea097533701ab5ab2e6d86e4a63eb7c766f394c5b526dbef5eb8ffca7afb82446ae7d5564439f7a04153d96ec7

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
95aafe75d4ab1a8900d80e07241d4066

SHA1
9d4b3d559a8927b7599f24c95198bbe70899d65c

SHA256
c9e0d2a1c8350bd14d03160139e964ad72484b0e05c6993bd384b11770b1bcd4

SHA512
667ce3f880cbbef5517b2ee0836d2f4af2aa3bc99e6880f70df5a844400a02f6c83e6dbad9cb37f35ba7d16c9dd38acdeed520ff73c5b44976e84b0450c72ae9

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
bd1c4b0b96afc1a095f20529f6aacf66

SHA1
d7c8a520ba1562856c98844ce39bafa8f8e05a68

SHA256
e0de0ba0226e5e1021ea304843ccb688caea28c7a3f2aaeef3be679afe60e70d

SHA512
fa1ef3634f165dfbf98357e7c4177b58fa4bb2ca70530450eef4bd8f1e08f6cff19bf91e694d605c995d331968eba83e9729bf53b0ae44d45ebf97d0400d8f88

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
ac0292032cae9897db924fd33bf3287b

SHA1
c70167e4fa20b5bc1d83ccad50932011100b391b

SHA256
b1c7264dca346e1ad326c533b83f151a50ca45b027962ad2be35654fee70a412

SHA512
a2b23f55e55469575097958d6bcfb163b21857f7e5c35ec6a157f7c6c358e3ca40907e31c8585fb40b202c40ed7b2f8b0bf3a1080085e99153cee5e5e7ef73e6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
0d004246c661a74090fa2c206b0e8c0b

SHA1
b0fdea50057f25da255916690e27d7126ab3a827

SHA256
01444c010f1de4d67f695d822faa84dccd4509bb34c7833860d6861ad6165f96

SHA512
d20e24dbfa9b419de5e14aec47cfbf4027b2e8a1b4086396f6d825e55ea768b55e4f57652861def962ea44914f5ffd11fc339e230c3fcb2e65c35da8a28d2272

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
9188b5f0685509864368b54349fdd531

SHA1
d22641dc0f12a37a56018ad2ce3aeb2c6fd2011a

SHA256
cf79fdfa0f77ac50a1285db840bf078f35d8e9bf1a0f719107a33286060fc15c

SHA512
e2af26ab976ba93a53ad3c0e8620be078553ced8666a4dd741e83558d3f7175dea285fc6fcb90fb074c31575821496870e990eeef16065929d24b37de924f287

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
9e964f779752bab8966f6e594a8e8417

SHA1
7806183f305cce831cdefe6d2af7d25544ad7108

SHA256
b7553ce1e3ade220427f6bac1dd51ad529e01e6c542124ecaa28a9f3c73fb193

SHA512
88dd09eb878f31dd6577b7188b05941f0019185e20f2fbccc595c3349e4c2e45afdf6bbf63fa0b0df182e1724dffb0a46c9e4e3e1b68fc4f70d6d86ba6ac5695

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.3MB

MD5
48fededde270701ea34e86a8be3472c1

SHA1
89ffd8d00e4bd38848225e52fc7647f1545859b2

SHA256
d63830e3db95068518ae1f1ace86270c603784f54440ac716adae4201b124acc

SHA512
c120f27852ccd57da557cdd63d90cdcf4b10169a83c33c545e2ec2131def01ccd9bcaab20865d6bc43a1af7b0fca988fc46daba746e8d5192c691feb2ce9055a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
aaa024246debbcb51a73d24ee09032b4

SHA1
11fe5169df91b736dbdb5616c06de5c14b0c31dc

SHA256
b19839c3c66c31a11cef4603621bb8b8a2b1a9e3495a0c556318756be297803f

SHA512
125893435a9c8fabe10becbe6a6bbc7551225f92dbeab8cf99a2ae4da9e8ac8d98c5bfc2610a29496772599176d695c2ed629828962fd1ed0f976dcd0b8f2559

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
7e5563dfb65cac0abf70d2de4256d729

SHA1
22ba3db8d5df2154a51610a84885fea67f67f068

SHA256
33b929c2f4278c5af19105b11098ce65d04aaf126b45aa5f7f44d697aacda1a9

SHA512
8e74b22d03d0ee47641d244f77c778cdfbe9f19fbb5177453a9e86d014c9d9556822bc3597acd944d29c329ee489b3bed8ac2a435e9b224eef9ef7a087db7b94

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
bddd920e6298dbae780892507ecf5399

SHA1
5c20baa513b885418af187238fdb31f05fa3a589

SHA256
1ccedc3f01aed055bb4fd5eaa0ecd0eb14e91b58edebbb0d4e6fcc0410e9f7a8

SHA512
9d321054a384a299174bb4c4f0cc3d54cc5aa73a21bb5e209ceed8d719b6990317b74641cacc5d430abb8c826924da956a3e07cb52845b93855a85740812b46e

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
3b90c9630fa785c91ef14302e2fd30cd

SHA1
0513ef79b97e1dcbcf7b48419890f160330e0caf

SHA256
5ef3012d7a34830ce44c0fe4dc00a4c5ca5eb03e8eadc90ee2c9e4868e98df95

SHA512
982422e603f08ec899ec3049f31a01704bbd1fdd9ea4b6837531f76a436ef4ab4369f06267a7fc153f1f951a77bf1b17dfe9204973d34815f4228992e0efb6a8

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
0641989a1cb54c28ee21b4f803a988ab

SHA1
bb54385193c5059aef2f243279c9c983ba29d138

SHA256
07b7df3251bc72df0b573fd6b4ae1b5e6f8db461db06d02ebdd0d461df78d325

SHA512
727f587f870929049e7655871f91342d40b96c5fcb957eb9f8f4c1898e302b97caff2fcd587bc106e7ba16c0fbd3af5bf1a437af70f5836b8fd796dd5ccfa3a6

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
4937e075f1db66526f09a941ecdf426c

SHA1
bd3cf971d22c8839cb71d73309f3702958dde20d

SHA256
6c177244cc68b431f35fb1dda87059dc8d0273eef0e9b9c6836096bb06394bab

SHA512
d6b38c1a6c9b12259b97a8f4bbd441c445a2cdb6253efce64fd3c5d17e3e584676a7677e40d89a94438392ee575b75317fda1a13bb3703f6ce391c8161c06eb4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
62fc5506b1d54e5a4715810f07583877

SHA1
ede71812e5f9aef4e9c1195fe852216a8264f59a

SHA256
e9d2a27e2a1822c860aed9f8bc53a98ed116666536cfe9dcd28e40214f6b7d77

SHA512
1d443afb02d06d02c3f0bcc3d2beb1768492e6a8b660041bb86466babfa98c7520ae143043cdb3ca1b5416f41917910ce9c4ac1f05be7ad53b601467601f2d4b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
a0289dad4d2df676cf44495d40d9d21b

SHA1
31a41e0b3c9858eb49df1c59f774585c0130343b

SHA256
b5d9adfc4a0cc64f3da1ff43220595c20e5d62584c8e0556f1a7a38b43f26e39

SHA512
41d6b55cf53ab196eb34847495ce6beab6fd3d170a0ca927239dda91a3adc52f959d95a439a87313170736a783d392a0773410b657fca8976cdebc782e2b3d67

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
231fda646a307a209e52cd8e9ff69b10

SHA1
374808ffacb1eba9cfed8720d83012090ce68a06

SHA256
945a9861d233b398176bc362eca8646cedd1ab470358d61c85daf2b15051829f

SHA512
a43f31536100c8e1bde9db9d0db9d17d1a2d8e689f65433b3ea026dea58332ce04dcd7d24406bc403cd52dc2f708fb2fd0ee4961ff84f3b4d100fc9a523eef55

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
f9f4db0e4bf56e0fa03ce32c100c6724

SHA1
0a1a9d785d64c87e02255fb09256aa14a758a92b

SHA256
2d06a27675ae96c3641960fdc036755a460f3a2ecb52a028df7a12a511952c4e

SHA512
c8fadf95156108c042701dc2701650986d3ef3db863ebaa79a54dff016c19c90c8dcd1f915b4276f2cdb952cbb2fdeab76e0b5287003f539c442bb5109c33a6b

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
12dfa8ab30a1a367859784b8629b12e1

SHA1
3c7a3f921a314c42333994c8084f1fa100e1b634

SHA256
f224a37c1cec4dc6a556237e43a4ffce762a8ffb99707d15e43a9273303a9582

SHA512
f044d70e3992585364bad4d07536723743bffe40804c4c55764d71e427003677e2365255d37f6d74494f2c6054b9bc546ffb09461fd8da89aeab82d340935416

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
682503a6c1a18dc7add617785b49f359

SHA1
feb85fb1a9615b6e4c7594e8b5d482ff1b85dd2e

SHA256
d4195ceb9a64a4797aa1641121fc37d77dc5b951a2c4b786554fdde98c7be0f4

SHA512
2695f3cd314f32ca65abcc83f14fed1520c6a4dc14dfc0b86f733944a0142d70c0105d27ee1e321038e6b3244faded0ebf4af2f89d1722ffacf2fc664d66caef

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe

Filesize
1.2MB

MD5
d79d1ed80cffe8a6551db14ccc9d0dc4

SHA1
b9b80a03df0b1d6a58b34992715b116ffdf991d4

SHA256
a7880bd36590c057412b764769a7aa53f90af21e0f4f6e3b9766a4e9f6dbe420

SHA512
e57d8acdccd6f1d304fd9572fd8f3fe270c73bbdf5d1967f60c591f0dd905f2c752ef47d7b0acd545a5e9574cd63e710bb2ded3d748d5a9138c3c0d9b8d83691

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe

Filesize
1.2MB

MD5
69153f89a39d59c312f38afe78120f11

SHA1
813c67a0a3033a92e88dc4c072c73707d15c4431

SHA256
bd4ae0d02bc37a362c58e9c2aee2593159fe2c8d91ac29943967b90cf00a664e

SHA512
edd5bf669c732f6e297ad8a1374fd8d53d3d52cc2dc8c58701a248f1b34a68545dc79be8e8894849a71079a3d439238586992f5c9256c0cf357f1bc44dbc51b0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe

Filesize
1.2MB

MD5
89cf4ded0185ba93d1178095d279d78a

SHA1
ab85d8a871703432f650728dc545a614075efb91

SHA256
77e33509006c4949cb468307441a6492a69e6fe0f6dace65995fc2d22779a464

SHA512
060db9f4a4b594b9fc13938ab3a9f04349948a9c48d97a60723eecbfe432b39b08b9237440dc442968ef5ecc3e6028f384a4b5bf820724f5a2803efbd808ec2a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe

Filesize
1.2MB

MD5
b3fc8e0fb5821302ac031fa123d39832

SHA1
24523b029e0b5f9030226b3f06badaccf3091045

SHA256
4bb88c6a2cd4dde5b636598f0ec3a042990c727eddee7a43a40f16e2576b6b67

SHA512
0601e81df72e2d24225404988414f5dea52829a47c668f5ce2621d645980929e0b532e65c0bcd3887206c4baee4ad5cecaee1fe81638b781ab6bc900e9f5773f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe

Filesize
1.2MB

MD5
57a8cc9b96070dbf9b8e259e7f0557e8

SHA1
9c3cfc2a78f2477ef708dea582743c22cc74e22e

SHA256
51eccf2662aff81918f33e002d0747e2a48cba39f3dc44c5a83908e52ffe8669

SHA512
2b41c12a14436ff23017a7abb6ecf7f0435d00dd6942e84778ba874546cefebb1ec5a8e152748e0ca239cb06d1f3a781d3ae8fb6ca8bb3c6847760bb25deb6d1

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe

Filesize
1.2MB

MD5
4b858857e14b836abaab2de89c55e6a8

SHA1
bc0194d6bd8e76861d9f999846b064085ae2ec22

SHA256
34dffa776540394465a8fc4bc6dcb1b264b693064fa548e94b9296351e263862

SHA512
987918c3e20b5b009b388f33dc41c4992a083eb853af553637edf5ed7de19284920f238413b8bb3d85b95471d08e98fe26c38d96ce4901e3a0212cfffcc7c749

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
346726b4a7b76e8a0f9e709c7ed97cf2

SHA1
2196ebc93296d9a6eaff8228db1be46a50543a16

SHA256
88e2b8d1d7258953f2ab941bad992401a81bec31692fa66e9d70e3cb487cba71

SHA512
ac2caaff78381f149d950adcc1ebcd68455c9eb1d72297c6bd2aae757cf15518c3b6a1611b684cefeb7154b971b341073bc3d00bb69bc620d41fbef102722a53

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
ffb8a46270798487262385c3643b49b0

SHA1
a59c161fad93b45f58e3fdc3065043d62850c27f

SHA256
7145a886759d7fde6171735d5932c79c0dad92632e14df9a0171b88a96fabb65

SHA512
13b5832e64e61f0b060feb787bad54965be10a4d24261b82d20da1990caa6154517746e2362b306a4bad26d8ddd20928ab0ecbfaed92db86b635ce2991d0e9ab

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
827b26cb44d8d5c628ef836d178cc788

SHA1
396bc2fa75997167e489ef6c6c5b6758da50d87b

SHA256
90aafa2fcaacd5ac41a6864f283143f1c36e6d4316ea2255ca8ad997267b3667

SHA512
4737be3b1833d118df11b1ac6a6431a5ebf209b6aebf982cb526e47525037e41848937773c4351c28c3e3c95acd7f5cdb830e890d495506488086709f15f387c

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
da1f00483e94746f7eaa0edb43b1c2c5

SHA1
509209b995003bab012cf339ed419e0113e7533d

SHA256
cb51b56d47fb90ab2eb591d08794b6ef0ee5efbbfe8f6f1812c516a53bbcbee5

SHA512
17e83166973b7a5981f09e8b188edb5d31a79f808c0737408426be2b6c0f191dbe4e9624ad002843d9309f96d40f92b51aa3bf7ffb05a8237bbc18b3d2b49eb5

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
1da314c5c14c797cc850bf6d54c9be92

SHA1
4d116c6668cd3a56cc7c2af3eaf7699ec6db4db8

SHA256
72d5a4bc797b4f1b8649dd0eb1700a8d7806a3242d009c012f4f4acca26bf27b

SHA512
fdc2a6c197ba879a733ba635cb6bc17f26dd522477410805b81b3e53254aa50bb9b01815e72d184afa6b75a053d16f61a7a79c58b9be602e57d9653aeedf4411

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
fb632e2758e2a59c25c2564ab31e1a54

SHA1
7416b7686d618573a4ae08a2f0b7d39360ea6686

SHA256
41e39d0338571edc587e4dc98a989866f1aef3922519b41212cc9ef41e9155ef

SHA512
a24ea3963c36f81ffa90f2e65ce9e5bc225780690d3f8266936770462f024d186afaaaa92b8b2a8c1aef8964fcedf296e6cba730aab40aa412126025915fbef5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.6MB

MD5
fb632e2758e2a59c25c2564ab31e1a54

SHA1
7416b7686d618573a4ae08a2f0b7d39360ea6686

SHA256
41e39d0338571edc587e4dc98a989866f1aef3922519b41212cc9ef41e9155ef

SHA512
a24ea3963c36f81ffa90f2e65ce9e5bc225780690d3f8266936770462f024d186afaaaa92b8b2a8c1aef8964fcedf296e6cba730aab40aa412126025915fbef5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
af2acfe9f13aa4fac5900c640d104b41

SHA1
803215a8f9cbf7449fd3a611ebfb2fadd1f7cdd2

SHA256
753d03f6f7c2ca84e719975a1e236dd18a7fc50aa33c18487333e7518de212a3

SHA512
e4e2d34bf480c4ca9d8d93469180fed939be88e15d78343b4a4d81abe15f12e04a2627706c7deb828afc961f27a5ecf8f17705c67550531f6f4d128a19eaf5e9

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
b5e4819a20eaab03a235a9e3778edce2

SHA1
7c60f43029e1effbc3c24c8671c2adc22ca6892e

SHA256
dee30ce30e97721b0dfde4e51f4edd77a425f15fe3f7b83de79e1a4a040e6f45

SHA512
8cc2c5b3be3a89b218af838d05488d53b69868674ff5fa781417a2e0a21a9df3b3c1f6c13c0d0adf05ef58de2355e02927b12d22085c48e333ddc2dbb8dfc70e

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b710efb9b9f17c683620f0a3e09a4be3

SHA1
9914a9e60f45fd9f57b1ca3803af5a6911072242

SHA256
8ea64f5f76c6441c92d16162d642b4a2ab9fe281b52534728df67011406fa059

SHA512
44ef0bff5a81afe0e4d09ee7b177c2b78bee6433fb300a1a4040c919a08a4a8bbe637737edaa86ad3fa09a9e2a1ec4e43ef07f0c1bd904d5662baedc95d7cb82

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
df80663ec949802116deac6da0140530

SHA1
ddd6e2c9b4c7dd2057b18bec0079e1deeccd7681

SHA256
46a4027d964124b2ca32dd2e5b19686114e47d8e33571b27bafde1f8a8e2dd79

SHA512
2c35a164025d81c08c0955b0f9e51e2871cf88701c62793fd0dea6a6c589de8641755e934a2b0ce9efc3962017f8faf025b6090d31cf3d10a83d721234020bb6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
3110b7475bc226bc3058de008ad5a77c

SHA1
b663db9b35a86dfc9c58ddfff767149237295244

SHA256
960531812fd73fc1f1ee1aafcd85fb1db93f9cc3d82e89789e5fcd2a387cc433

SHA512
13501f543e541b1ba3f072fd1ad19aeac3d6705b63fea78f7c5373c8e9cb35bf2c1208760fe72671f098d2763b0c1187d4d62536a2df27607a6a715e9aad7426

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
34086fd2767bcdee7735f968f90abfd9

SHA1
78fd1623e720e641894ee9ff05b051f861426d72

SHA256
3f0aa76341cfd5c4c66fd54693e0bc168dd0ef0c00503dc3b3d0a44c4009d57c

SHA512
0f8a0ce51765257757595265dacc2092f81b95dbbb2f8b7c17f3e224d83d3d49a57987072f992b413091dc25d89e37fa29b9705eab1c4a89e1d1e09c15e2d272

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
601a86b99c6ae087edea566299aed174

SHA1
a96e7fedb32a51342c3a442d095fc7d6804f8ecb

SHA256
df374d9eb9ec259a80d6c0db530b619e45413f2bbf238f58be9f2828f9e4edf7

SHA512
e6f29c01b359b40b42b47bedecdf3b38e025b9a606edb850cebf91459608eb4f65b545d6c4904b3a5c252391e2dfa1906b6e0bd6535786fdcf1ac8526607e11f

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.4MB

MD5
cb45df0e9badd73ab7eae667d2ac7634

SHA1
28fee6e8a0646bd7af703e94befc7e11a165f389

SHA256
51059c3b6777899596f903133c58035a8f4db81e6033b4b7666bc793eadb91d4

SHA512
81f77ce2500eb27c6188e4318cc60bd630d38fb20fef683495dfac1640589b77679008fe64a74886f4bf49ffbf23c7edf8eba978bab9753dbf6cd66cdfd6181b

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
96cb6cf04ed17ad3f706eb119e481786

SHA1
d523cf1192d197c065043a345ddf684c324411c4

SHA256
6e3b33467a0a241e8898b501b95afe50062283d75f8719363c7cdb394fe3040f

SHA512
134282580db568d6f8d023f1137c0fe482150a54c5e4c166a1df90d7a14e68b013fc01ad20c051789ed76eb68d7a2228124127dbddcd54a2dce48e145fc610c5

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
c74356cf3b180e2bf2f1d17536ce2006

SHA1
c0ba55fb0ec9b42dd644f595c4d1c81ad537353a

SHA256
41f66553fa791db6dc93c9f84643cae7ecc42b0d260a55f5abb15b29e2dcff75

SHA512
52ee45fe33b752ef5d4840db1a07b80c19e69928bbc0734cb5ebe6ffc79eaa8b89669226c47ced388513a0293a2a1dc34e7bf1511cec170e9f3e63ad1c847eb5

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
9006431b2a22afdd87b4ed5cf676b6b1

SHA1
9c3e3c1e95b72901a948d7a23d6e14a48d001d1a

SHA256
a29df5cf635ccaf64c6156fab3afa1b0700c12be1a332af35b0f5facc8cda4a5

SHA512
a964ae3422151cf5497980159082e6e38ea0031214f5009ecbe5e1e68d0b29a85066ca5fbe089ce8c7bf92d46a85b935e339ae08737e25fd5245cd91f4bebe19

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
e489b6f6cf0757e9c2dabb17f4be78ad

SHA1
88fd673f35698fbbeaa4dfd5ffcc93d03c13b406

SHA256
ae030605ef50cd739dc7b92e2a655b64bdfcc240fc4cf13eb91ae35630e2d030

SHA512
c79277a520aa3fd8b6a9d37903dd195b85cd9048bf25ada08ce709f24bfa8804c9a67d53b523bd4b584cbf55a765cd9c1a43ce2531f49f95f48095f64baf9516

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
d1aef2ab6c1e45198c158c90fd86f1ac

SHA1
59b946cea619888dc9eb525718dcbc96b4d32301

SHA256
6eab9c575d8181546a78a428fdccc5ac3bf73f2f00e55777b860885a71b0a0f7

SHA512
5fb2d3abb0a77ae0613d2ba1e1d8279c43efdc54f6e32402c3d54c359651bf16c65c7114e73e0dfeb1338acb63c24098f77480eadb0d7ef2c8a7476c5c8ea0c1

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
e6676fa2103bc80f5e56acc4fb7904a5

SHA1
6c7c3d3f895168a6deefb19c64269ce69d10d0d8

SHA256
cf8ef9ac10c7f5792d0f50a3ee0b69d22add3e0a4058dfe6c44dda4bf2c2e884

SHA512
4380d7cc9ec77afb41bca1f60996ec3f417df74040ac9706212956e6d8d1f0fdbe96ea54dfe95c1d19a1ba642a9ecc92dedfc1bf3b29550fb80684d78e65eddd

Download Submit
memory/212-210-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/212-217-0x00000000006F0000-0x0000000000750000-memory.dmp

Filesize
384KB

Download
memory/212-227-0x0000000140000000-0x0000000140226000-memory.dmp

Filesize
2.1MB

Download
memory/264-195-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/264-207-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/264-204-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/264-201-0x0000000002240000-0x00000000022A0000-memory.dmp

Filesize
384KB

Download
memory/264-211-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/892-139-0x00000000008A0000-0x0000000000906000-memory.dmp

Filesize
408KB

Download
memory/892-166-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/892-133-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download
memory/892-134-0x00000000008A0000-0x0000000000906000-memory.dmp

Filesize
408KB

Download
memory/1140-571-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1140-533-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1284-174-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1284-374-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1284-181-0x0000000000D60000-0x0000000000DC0000-memory.dmp

Filesize
384KB

Download
memory/1284-177-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1420-158-0x0000000140000000-0x0000000140201000-memory.dmp

Filesize
2.0MB

Download
memory/1456-448-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/1456-548-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/2236-456-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/2316-630-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-668-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-613-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-568-0x000001B648C20000-0x000001B648C21000-memory.dmp

Filesize
4KB

Download
memory/2316-631-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-611-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-632-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-633-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-610-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-650-0x000001B648C20000-0x000001B648C21000-memory.dmp

Filesize
4KB

Download
memory/2316-591-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-589-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-651-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-612-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-567-0x000001B648C00000-0x000001B648C10000-memory.dmp

Filesize
64KB

Download
memory/2316-672-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-590-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-673-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-588-0x000001B648FF0000-0x000001B649000000-memory.dmp

Filesize
64KB

Download
memory/2316-674-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-675-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-676-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-677-0x000001B649000000-0x000001B649010000-memory.dmp

Filesize
64KB

Download
memory/2316-678-0x000001B649040000-0x000001B649050000-memory.dmp

Filesize
64KB

Download
memory/2316-569-0x000001B648C40000-0x000001B648C50000-memory.dmp

Filesize
64KB

Download
memory/2372-570-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2372-471-0x0000000140000000-0x000000014021D000-memory.dmp

Filesize
2.1MB

Download
memory/2476-191-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2476-185-0x0000000000190000-0x00000000001F0000-memory.dmp

Filesize
384KB

Download
memory/2476-203-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2476-377-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2584-390-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2700-420-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/2704-467-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/3296-458-0x0000000140000000-0x0000000140239000-memory.dmp

Filesize
2.2MB

Download
memory/3760-452-0x0000000140000000-0x0000000140259000-memory.dmp

Filesize
2.3MB

Download
memory/4020-450-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4020-550-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4204-396-0x0000000000540000-0x00000000005A0000-memory.dmp

Filesize
384KB

Download
memory/4204-419-0x0000000140000000-0x0000000140202000-memory.dmp

Filesize
2.0MB

Download
memory/4328-469-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4328-691-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/4420-449-0x0000000140000000-0x00000001401ED000-memory.dmp

Filesize
1.9MB

Download
memory/4448-421-0x0000000140000000-0x00000001401EC000-memory.dmp

Filesize
1.9MB

Download
memory/4632-372-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4632-156-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/4632-160-0x0000000140000000-0x0000000140200000-memory.dmp

Filesize
2.0MB

Download
memory/4632-168-0x0000000000410000-0x0000000000470000-memory.dmp

Filesize
384KB

Download
memory/4780-549-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4780-392-0x0000000140000000-0x0000000140210000-memory.dmp

Filesize
2.1MB

Download
memory/4804-468-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/5108-143-0x00000000020C0000-0x0000000002126000-memory.dmp

Filesize
408KB

Download
memory/5108-151-0x00000000020C0000-0x0000000002126000-memory.dmp

Filesize
408KB

Download
memory/5108-157-0x0000000000400000-0x0000000000601000-memory.dmp

Filesize
2.0MB

Download