0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
20/09/2023, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Size

1.3MB
MD5

e1ce1ab15700f06fdb1a3764ebf2bc12
SHA1

2f81e41eddd14f9153826aed169a0ef4e3c1009d
SHA256

0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9
SHA512

b445f8b6081486ce38b544be45c70ea88a9ff2b14ebad9c8da25fe0895f1a1d6d42feb60dceebda7e93b228aa355d2c28bc7d8df615c4dc6dbbfda58e9b8b19b
SSDEEP

12288:MZwO+p+NLCI4aumlCSRBW8NGRP4Q+Eaw8lKnJlTxIWU8DUDwFi:MZwO+tvmlbBW8sRPEbyJlTaN8D1o

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
2240	alg.exe
1912	DiagnosticsHub.StandardCollector.Service.exe
2932	fxssvc.exe
464	elevation_service.exe
3160	elevation_service.exe
2444	maintenanceservice.exe
4348	msdtc.exe
2356	OSE.EXE
2504	PerceptionSimulationService.exe
1976	perfhost.exe
748	locator.exe
4984	SensorDataService.exe
4196	snmptrap.exe
4680	spectrum.exe
544	ssh-agent.exe
448	TieringEngineService.exe
3544	AgentService.exe
2876	vds.exe
3816	vssvc.exe
1696	wbengine.exe
3456	WmiApSrv.exe
3076	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 31 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\e985d1d0f93f084.bin	alg.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\wbengine.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	alg.exe
File opened for modification	C:\Windows\System32\alg.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\dllhost.exe	alg.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	alg.exe
File opened for modification	C:\Windows\system32\msiexec.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\AgentService.exe	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\spectrum.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\System32\vds.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\locator.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	alg.exe
File opened for modification	C:\Windows\system32\vssvc.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\klist.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	alg.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	alg.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	alg.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	alg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008f232c17f0ebd901	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f5149d16f0ebd901	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000044362017f0ebd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-176 = "Microsoft PowerPoint Macro-Enabled Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-111 = "Microsoft Excel Macro-Enabled Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9936 = "QuickTime Movie"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d038a718f0ebd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000edab3819f0ebd901	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
668	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Token: SeAuditPrivilege	2932	fxssvc.exe
Token: SeRestorePrivilege	448	TieringEngineService.exe
Token: SeManageVolumePrivilege	448	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	3544	AgentService.exe
Token: SeBackupPrivilege	3816	vssvc.exe
Token: SeRestorePrivilege	3816	vssvc.exe
Token: SeAuditPrivilege	3816	vssvc.exe
Token: SeBackupPrivilege	1696	wbengine.exe
Token: SeRestorePrivilege	1696	wbengine.exe
Token: SeSecurityPrivilege	1696	wbengine.exe
Token: 33	3076	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3076	SearchIndexer.exe
Token: SeDebugPrivilege	2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Token: SeDebugPrivilege	2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Token: SeDebugPrivilege	2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Token: SeDebugPrivilege	2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Token: SeDebugPrivilege	2544	0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
Token: SeDebugPrivilege	2240	alg.exe
Token: SeDebugPrivilege	2240	alg.exe
Token: SeDebugPrivilege	2240	alg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2332	3076	SearchIndexer.exe	116
PID 3076 wrote to memory of 2332	3076	SearchIndexer.exe	116
PID 3076 wrote to memory of 1672	3076	SearchIndexer.exe	117
PID 3076 wrote to memory of 1672	3076	SearchIndexer.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe
"C:\Users\Admin\AppData\Local\Temp\0a349e41ae5568f93b06f9cba8bba0015485ba8b4cb2652a057217f85b09e2b9.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2240

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1912

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4672

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2932

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:3160

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:4348

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:2356

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2504

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1976

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:748

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4984

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4680

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4232

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3544

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:2876

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3456

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2332
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 916 920 928 8192 924 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
86a10dbdbb77490cf566a00010e6171d

SHA1
fa34fa5d579f93a748ba69bbf5ed5954d5c2eb8f

SHA256
15d8e2d5aea8e67e0a0e25f10b8521bb78b94367bd0315516cbd4c95f21db44e

SHA512
40f465f9a5664792e64eb59aeeec32bc12581455fd7aa092b006ae150ab562fc07fbbe5c126ac038507fb91d50c6e256d3fba5c19e3fe34623a40a8f50f2d0a5

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ea34badafbca1124bf8ef8c3743129b7

SHA1
1bd70e1a4520f16c4b293fc01b35dab71dcab7bd

SHA256
e5e552b00d432c330b86fd99cca4fc22d4aa470674d46140e3ffb37cd66b6f28

SHA512
35dc5115ef8398e7c028f301c04645ccb2d78ac10685bdc7c2912337f8a11edfaf7fd44f42d9f0b2ca9be69e3b5247ee83376c9021e8e31415953724654f3093

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
ea34badafbca1124bf8ef8c3743129b7

SHA1
1bd70e1a4520f16c4b293fc01b35dab71dcab7bd

SHA256
e5e552b00d432c330b86fd99cca4fc22d4aa470674d46140e3ffb37cd66b6f28

SHA512
35dc5115ef8398e7c028f301c04645ccb2d78ac10685bdc7c2912337f8a11edfaf7fd44f42d9f0b2ca9be69e3b5247ee83376c9021e8e31415953724654f3093

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.6MB

MD5
fd3cd9dd6a74d52f71712bac82582b44

SHA1
9ca96e45ab61f94073eea233680e25dc9a701af7

SHA256
b89489684a2f4130e29355da703754339e0cc85e7c7d5eeaec0755430fa6b8d9

SHA512
5a467e42176aa790266b0055fb762bdf7dce83fd98dedb8e2b8f49d097db633e2a9c1648f256e103a3b37067e94ae967973e374eea170a64bb93f9b999e33ae3

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.4MB

MD5
4aed9fa60ff2fa4197f1c2936f46f65a

SHA1
69206af2365af14657907ee107effc5763be8612

SHA256
3f334594dd0afe4f5e7dec07ed2e933683199f849fcd711a960722ef3a0e352c

SHA512
366b7834891a7266b62113b139f7260d48d7dbffa65fd2d131d6b0d4cce382ee482f2fc6053795e993167af07af621c4d02d12c19763f27e289427f725bacd8c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.1MB

MD5
d114a50a68c35e14f7dec3a390c6c471

SHA1
c65d625a3609fe95e100b5061ef74927a2b65fd2

SHA256
b6a3d07d98769f00022441939283379864ca446b8c707c6fe5ed0b6e3c85d9d7

SHA512
a41e6c84ab7372a7c4f1582ed1436bb98f0826d119384aa838d53fd7767acfbaa4efb055198c2a80c8b6ced9582e8b1de93e3255c86bf6c588ad986a86b84512

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
27c15c87393149667634cd3a84c6d897

SHA1
56ea952bb6bfec2e1f3ccebee1ec2d54b865647e

SHA256
345510731f57588ecc2d96f062e643f6061f230375c98ae78f790b6f852d88f0

SHA512
beae7f774bb33c17a00898d35d50a26ff7bfa746ab23b7cba004d62a18d27fb5224b9f3e6d372c3e88c84e662449cb6b645268c49c462690b6fce4d8717b0a71

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
10d22d5ee96590f6058e8cfa73b160fb

SHA1
2ffe9cd15a4478f6c59b1db3c8afa21864b14758

SHA256
425c6d9859ec5d100165789fb57358da4f97173f1ffafd2bb4308cca34753d31

SHA512
04d316b93ee346ffd136129c2e8f2254f2cd8a045d77520c4b7e03a92ae703f3b6722218dfc7ae5762a281debaea0b0b416954e9090420f36581f200d16cce0b

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
c976cd1961a14f893abc25a67627522a

SHA1
22f74e23ffa242704179062eafe599f899587637

SHA256
598533fa57eea9308711bb04ea4d3f6b1945dbe66925adb5172372a03d349d24

SHA512
ba6c60d61e91d84d642c5a7cba21660aaefde8d8af3c723b622b1af0f9f3a0d7b2e81a7814fd913a1dbc29ad0f3b9e270760806bf1c904340bd281cb2c068bff

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
5966e0ae338b3022e10d0337d6484d1c

SHA1
cd577fcffb1679e0bb8214268f2abaf5808ef108

SHA256
8671eb4cbe7f4746c22207d559fcff294639e3148f6836609eaeda20a45c7d38

SHA512
888713c32acd46f35c632c29c5ac4a31906376b1d258a20de1b1245853ec631d3bebd984b868a90b3fe46c71ccf806d2e57c3ae65f21d755173f3f8d991de1ca

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
62c3c1e63648ffc228a8bcd82c262130

SHA1
c701b523566d5c1f08fae44e5ea71572c800909e

SHA256
3f8e1579da734358328db361147637773185589732dad4d39e3e2f49455b4799

SHA512
1aae0bd4b5acf0b60531ae9ab00b394707561df28168d196a0c8e391a38654f71c1efa96c65c3066bb9a4abf92e68afacc59ee3b6b6cb066d506f1739f7d089c

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
234d70dd51eb64ddde92e1c28e5a7a1f

SHA1
4bf8a056656099c73cccfc37b606dcf848edaed1

SHA256
8897bd8ffda14e4524b1ee25004163176ed4871b4b0e51a0a359945462eae074

SHA512
6334b3a797965d582af1b6977d942f33a352520bc425af6711f4763bcf0e2057ea79108e4b863008ad4a85995a7d45754e57fb25ee973a1921bf4a61ab6989a8

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
d9b9f8bf91f7bdfa40b68baaf0d6fb22

SHA1
ef1666e975358c364d578faab1775b6616a9f9d6

SHA256
529687e5a1e96b67234aac0ef0df5f03170ad391b072635f28d5518eb4ef506b

SHA512
6778df0b48cf34cd1f72295ee278af7a9b6cbad1ced5bc791008184cf8d2cd78088d822edbec26ff38a5a3639103912bd11c7a38ae9a11cd75e4f63beac162d5

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
94041b4d84ae97116fffa43316f46d84

SHA1
bd1ad79e742d2c92c0166b06f2884df3e0ddcc3c

SHA256
651c4f24b189c24b94b6ad098c517268c300202f6b898e0594a2e9193cbbf118

SHA512
ecc7b93a3f864bc5646f37b8364d11fc61f5f4c20909761067e5a9f1226932466661c83e1253ca63d2d256df2df6c1eb362f24a637435feace2d7e9aeec159db

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
d076135cd1688e60a802dfbb122ac86e

SHA1
c476de82feed2f214413df055cbce8e62224fc3c

SHA256
c5ee946ea0cf79fb50d3ff7821afebdeefd775952f3e7cc9cca2011ea3e62b30

SHA512
1c1fd8660edbb885dacc003b0caa185a6551fc4724bd783fad8b7cee052cfd44468050930af9906e5c86e18e1da79eef09f62ac3bb98d0a2a9df35a3f5642b5b

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe

Filesize
4.8MB

MD5
b7659062c05e9ab5cec65bb377215a47

SHA1
b98a5805e7c4c493ec2da38f7ef6230dfe87b774

SHA256
5769a9bfd8f5a3282a4a581eeb11344fb2fff8587c6f1854018ae82a95f8f0c3

SHA512
9e1a4b287866f614bdf13defdfffa759d462e406e576e7ba9aa4b6815a28cefa98f8cb109faf5de3686b1391d8fda484b0c13289f0dac5f19edbae8d4554f234

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

Filesize
4.8MB

MD5
8de2fe5e681572591eade396d23c2a53

SHA1
e96bd25233bec90243049cf68b0932e2d1c917d3

SHA256
4d801bd1d70bbfe525a647c6c8d0142d3014906734159376c481907256865f82

SHA512
8ada07d7403758397acaaaeacf29a0027b13700286a92797ac6b6d52de8bd5ec41d3dfd1ce78a36a175b3ca2a6f483301d5877560aed5f9a2d0e45439a91331d

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe

Filesize
2.2MB

MD5
5b2a13a97cbf3fd0281b67592c5c81d4

SHA1
f4f2ff4274a8b7ea1c8e97a2b44cc1819796afa4

SHA256
7b0b8ca9b9b2c6d7a0fcd85ea77b011f7edfb7db826f11146dd3cd53c1f0fc36

SHA512
3acc1b1dea5344556362eac64ec8028d099ed1a4e6d13a6e7d3bc4bd669f68338074588e78ed74d2c5b0a06dbc83c0f050b2a76b73c94c4062457c1a9c34a487

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
331ecd3bddad9c4f71ea0188aebe71ef

SHA1
59dbf70ba749ccbed27cb96a96aa4ec2f5e44cb9

SHA256
730e0dbc67fe3a2cc6289d6dfa920eb29228ae7d551c788f44bbd984db782f5a

SHA512
c5612bdb757cad4594dcceedd6cdd096393912d477ac358a9ad5751bd83014453e14603a33b41383517f2086e60d2459fea24b2374b6f72051324b7fcaa42eb4

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe

Filesize
1.8MB

MD5
0ace90b893943029a6053dee34f9c513

SHA1
a5adf085d490db5c4954d53526d7582d92858066

SHA256
36462bdaa3985fae9167ca6fc731b7d38aee7970f089cbe2054624c9f02b56e8

SHA512
660605c3c1982df9b9f32180e0e23f4dee6253442ce5f19bd6fb3b60df9972ad1e8fdc20760b82f02ace3975ca963247bab00b3a3a7c0aafbbcf2ea2468f9ff4

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.5MB

MD5
5f18bb62ae453ad41a475fe24a93c90b

SHA1
1eae57f90972df8185b055aa0fd6d8c09f21d385

SHA256
651a30cfb5152b89c14cbfb77523c76803437011e19f4de51f6fa1abfdae74b5

SHA512
81b875c876d88029dcd4b053b7fb22b26579d641030a9b7f1bab359620dc3d7a30b63608e9c86d23c7512966fa478f49e0737416c30b5722fbe5bbe13141cf97

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe

Filesize
1.2MB

MD5
0a0946922a177f267739861321010c8b

SHA1
1d6fce25799f23a945cfc7ce536dbd700358e283

SHA256
2d0ef24758fe81b4ce4e9638ef867df48de64d3ddaf6229ff762c6a43f1555a2

SHA512
c75c89928b66ca5a1eda6e0ed53af788f070951ca38ea3dbd8439bea3ce4bd482e8d2b9e2fd7e613cc62fbe22e4edcc4411620ce296f4796e7d2882030551e62

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe

Filesize
1.2MB

MD5
0f773e1a350d0ea3372fd6525d3e4158

SHA1
f5d231a20f403a2f36e6b1c07d17fa2f135b31c0

SHA256
e8073e04f609fd47259cf5a72b1d897185afbe6356bd879bb5f60fbd54f245d7

SHA512
ea32328184560ee138d148e6c65103289b8bc4936dcc973ae47ca09128ff291bbfefb2b28d58804aa2bdeb2258be9d64949129bd3a1f7e5d60d05bb513b0ffca

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe

Filesize
1.2MB

MD5
84c21e37fdbd26a8b7b200037a405dd0

SHA1
2c20d4095b07865a9295a1d709898ef9220aa5f8

SHA256
25fcd156f3ce23d0d42aac7759bed547f37cb57af15cf66e5c73bca2654c4820

SHA512
c69b41e4c76e2557eba26f0b61c51d3464ff4c164743cd40526fd1bd3666728015665d776b00ff83ed547b97cee386d7fb7ad923ccbe21e7ba160894b907ac37

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe

Filesize
1.2MB

MD5
2096027d1a50e57ff00c24c06a8b19c1

SHA1
73490d1d7c921b2807f682b3eac769a146e3f683

SHA256
8669badfd9e1ea010362a7dd798bb936be4a638802d247834f141a325b5d802c

SHA512
d31f015f641f63765feafa6810e353ad7e214f7f1d24ba52614c5d90672d094ec237178a00676ac0ece07554304e0106a6b69edccb7b2b486cf275bda7db61df

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe

Filesize
1.2MB

MD5
828e5109989acfe883e130796621f41a

SHA1
a1e68a09aeb53a4797b1df3228cec37b64b7bdec

SHA256
35517e70d0df93189c87faf48f30dcb7f5a817d33ea77569a6f82adbb7bc981c

SHA512
2252fae4e91277a8d5797a5e98f7e51dde6a020d7b27f30d50b67e8c9b8b14bbb651103eeb6af33b82a9d163a94d383b0e0bb04ba4838d51ac5e8b29403310b3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe

Filesize
1.2MB

MD5
745db42fb8e56d467e42255fce685a04

SHA1
d4c38875f62f56203c2eea7da46fc9da495507e8

SHA256
76d75f159748e68b7c7da0b83bc9320ae98431e74cbad98fe17ce34572711b5f

SHA512
a4fc458cfb8ed23ec6dd84b9621f1c74ae4a3ccebe24f77c98ce0f3232184194db05ad15f901fbe9d4860db55f570c8093731803f79a431c7beb32390b4c4803

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe

Filesize
1.2MB

MD5
ae5d39408371520b436f1173696864a3

SHA1
78d55d6e6256f18c376ec54c40bf37d9b67156b5

SHA256
0a469ab970ee94e876641c486b08978c4fc26d068052f4eb6d0156d49b957ec2

SHA512
99cdac9690d5258e2d39720ff119a0f2966f5848b7112fae8c6b1bf6444544d112f7826ee19aa360395235e0bf4f88a8c97175ccffc28726097eac765a204775

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\java.exe

Filesize
1.4MB

MD5
9728a0c7c9edcda582c50cb335e141b7

SHA1
b01561c4e149dd9fc026bc3b6906236cdadefab6

SHA256
c24e1c49f896033590e0b7b5c84a16b029c0f84b4592a6b9dbf8774b37414c4e

SHA512
8f51b489b6058c3adffced87b4fe949a83c1f0b4230e40e85697bb013f19a1a34ac350a480c63a7c05464d1b100feb697e0a14c67a9881e69f7a3c0e48f3896a

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe

Filesize
1.2MB

MD5
1792b77df870ac3c7d39f1f4a314e154

SHA1
d475ccc25ed834e7f18f57c24b47fbebb33ba7d2

SHA256
df8a4cf97376633a0b15881e94057012385b784d71a60f9b76d9a3c60ebee86e

SHA512
5282953e92b8161281dad0d52a46c95210e0503a1844fcd5363bb90940ec762d3799e665fa993b56a3ca46b92d4d4ed9bae7e54128fad365861da642d7f822e3

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe

Filesize
1.2MB

MD5
2da325375e3d33a8b38e1e09d3ea1f31

SHA1
346836d3032456dac853eaf50a39d8503e25b4c8

SHA256
14914f4b57385f8b3841990d4ff40b842016885054d595f80e4034cdbcf8b07c

SHA512
c9c20db580a5e395a00cdeac9309ff17d061b78cefbb2ca4d7371e34d5b5ef5882716ff9dca6b4b4ef22d2079088aa0022d91e7f9b1ee334628c3d94c0e34488

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe

Filesize
1.3MB

MD5
792c665e1e9cc5b2d0217fa60aa1e6ef

SHA1
e2c8c1bc95493d0cb1d7ce5512a5beafaf1df059

SHA256
5984265ab3c26a16bb43841d0a684225e4a12c57fc9b9d6cf8513f98f4dffc27

SHA512
2ebe0be38fd0c8276c332f9dc50c74f7c56cb26481dcd715048cfc995885189540f80724f0d6da915a9163fd04bdbdbb1248d1063d147275c5918cdcabe32291

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe

Filesize
1.2MB

MD5
6abdbad4efeb2fff233451dda6531ca5

SHA1
5a894c8d435d00cc1006842e0df6a33c09d0865a

SHA256
2149dd76acbbd550da1aa370639fe48c952245015a653d91ef83856a216e9483

SHA512
80890db8e9902435b9933f3019e536c63ddecc7eeac816a8f82f1067ad0c7d5a372375e3c787596463d0dc5f579dadcf4f898117f016c3272c4d4ffd49c47ba2

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe

Filesize
1.2MB

MD5
12e51078870016738abdb5c9a7ceeed9

SHA1
cd7a9ceb03845111dc6295811938933506e2ecd5

SHA256
49d38eb5bbaae26842228accc03646797a46e8f4daa206a0c72e1671c2382eab

SHA512
127ad6859aa6321c91d720c67fd379d6d622fdcae961b2a666193c49f5d388508897687a040caeb1fd2432622e67ef53197cd7749b9a2b5177dec7b6bec8f67f

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe

Filesize
1.3MB

MD5
959d7e66441999a519a90bafe966bc43

SHA1
5449d89df08ed0fdd66aff13f16bb33a9322b9ec

SHA256
bc3cfa5e30b2529fecca75b3c0f6ad65132b2dd677f3b682acb0abf9d7a5d180

SHA512
178a03a989d13efbe0885ebf0404862a43f85d7988077e3da5508ca34bf8fbaed498a041f05ea36c7f07fb1fa137bd2b1964ea6fe91f06e4a8878de6c46e1b02

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe

Filesize
1.4MB

MD5
eb5c61fa29b3bb6e97a9b52643826cef

SHA1
ffb2948076b66427b9c3e4669a870ba2d9f53e87

SHA256
2e4863cab07df54aa2e78fbb5fd3bef9b94755172fd80165e891635b2ccdd469

SHA512
2ba594e29e65c8dee5486c83ba6390c60481e3b6fd66c1b935041754a59489d41fc9f0419110766ea61eea4e4891b2b0b810551eec530bd31747eb9d46b3a5c5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe

Filesize
1.5MB

MD5
94e0e4fab98fdf3e6eb5c17ea60cbf41

SHA1
0832f69f630de9e3be53df7edad423cfc7869247

SHA256
6b0facfe5783861cec54d226b8afa9f05029c335f865448e96b650be09fbb517

SHA512
e1ce7fa97e77a1e721202bdecea1ea5cf2e50a656095139cd1e799a7b66cf4db840155875a9f2975042f46028768c7fc1beb0276662f44cdf80f6b6c4012d751

Download Submit
C:\Program Files\Windows Media Player\wmpnetwk.exe

Filesize
1.5MB

MD5
120e68c5b52832e1931b358e5435ccdc

SHA1
066b9b296af9a6c2d9ee6ba76470eb763158905b

SHA256
7ba72a301bb3b67568e62ac7b863baaebd08002071cc2e66eacfb3c97069ce36

SHA512
d5da02be82085c5c7722fede5324443096b284dd6836d605a13064bd0ad7ff357109b5c7cb351e06541a4ff397ce04cbf79179b360d6d2c2cbbcd80800b4acee

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ba5c6a186fa1c8b0ddcd53b503833df8

SHA1
d4bdac34402c1424d1a5cda55d3999188819b1a0

SHA256
d12e9c5471654770c5f02dc2bf2d424afc89fe445d1ca58c5326b28a00041ed2

SHA512
c1e4a485c7c61ed51ca025033cb4f8316a0b870fc62cf5de61fb08c14f0d6124485a09da7bb2a761a605e49157017715f5e944e6d42c504d3baf23b576af4e34

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
8ee7c863bfd6f3cc01cbac134204d01f

SHA1
4645e80f78a7a60fb4e9d57cae497bafc3e725f9

SHA256
be8bb4a11cc523b36c8b3064441b3bf8a6b7a696a3acb24ca9983e8328af5486

SHA512
7ce37291214adbf06c62eac5c852ce76d05e51e79a8b45dc258bff1c76dbe6e22e0d60a7a7300acb332732d1a1fe342b53a24a1327b1e1e40605b5d11aa46986

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
510f0c88134de79b02e37664e50826af

SHA1
34a6ffb77c62f57c1f749c6856c8f0374305e286

SHA256
ca0bb719872d427dbd7a0f4e50ae5686a188cd2222c9f08d0c7edec74d21ef52

SHA512
94cf05700001e277c66d8d7bfe7342051f80478dcd3b6ebb90cd1fbaf39751d83ecbdf25484bb0d4cc29f7ba75152f5a076ae8b11b0e394e702c9cdee6554d03

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
317b8f3caec5ed2f9cd25fa4c102b012

SHA1
4d4f5fe83d720c8d71fd62e4908f426dcc72e727

SHA256
582d8eec8410a4cca25fb16bb5ec7c678b00686ec76fccc075440a96121dd480

SHA512
38a0111edbf14d6415e92a8296816f529c8358151905d87c0ded0b52ea1f54d48a2c8b1b886667c8a93e3ca1ad94a1735309762741fc31c05f14b037cc18c89e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
356098c1028cc1996c967b6e1e2c938b

SHA1
f62b15cbb4aef7712c0b45a142b3471d17693d85

SHA256
8a658fe7a3ec89ab14f363fa09ac77141d75e5af0877ce22cf20ddb85b830c74

SHA512
244511477ac9ea843bd7e34844cd84fbec40399c378359da02a2fc679bc383509ae015142390383e10cdf39c7b8c6136accd816b09e62986486b2805b4a24b1a

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0a60772a65404b312f0903b8575eb58b

SHA1
4050f6857739ae06aefd3ecae317e7928718088f

SHA256
50aba1c075294df1b4cfb118ad5c51a62a14bd5270658b9a3ebfa4dcab73adeb

SHA512
2107e1aac267e67062692202c54a6ba89bdecee08079f46dfb72df23a50a6fa2c2d15a33e04a1df7629ff7899805844ba1403c512770cb188505f9cdd22534b5

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
0a60772a65404b312f0903b8575eb58b

SHA1
4050f6857739ae06aefd3ecae317e7928718088f

SHA256
50aba1c075294df1b4cfb118ad5c51a62a14bd5270658b9a3ebfa4dcab73adeb

SHA512
2107e1aac267e67062692202c54a6ba89bdecee08079f46dfb72df23a50a6fa2c2d15a33e04a1df7629ff7899805844ba1403c512770cb188505f9cdd22534b5

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
aefc76f6802789848d83ac1b6eca5510

SHA1
5894882f0f9639bbf7584297cbdf422f6b7c0b65

SHA256
b83d2f3a076d59b6723bf8a58d66ceabe141dff8db1b20d03b813cf387f37f84

SHA512
c7636685ab6b3809f6cd5b463c00f4e1911e2081303a1dede5b2c81cb69c56420e1cc6b830aa4fe1fb125b2dec731fd8a6fa739c66c503adef5cecc66cf37318

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
865068d526f5d559f8e9177b1d3c34c5

SHA1
e974712460709024e6359e35e503ad2855a707cb

SHA256
28be51fdc2755a2eef4f7296126abe38149efe2b6be45b14bc845336541eda71

SHA512
13b8277e8de9a435256b5b9428f0dc6eea45a464e5d7fcd38f724ee1ee8479c2d9870dc7bc6670c2b84454efe1e223a7ab08678083eba58c6bb7728047ca487a

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3d510d71c39d13a798fa1f42cc8410c8

SHA1
11ea61750c73712ec4b4490179b4b8c41e3182e1

SHA256
bc55124e5d2917c1be20bca4c523dcaf6a495a917d7a48d8477ed6443f595d0b

SHA512
d31184521bfdbcc5d7865aa9c47af99e9fe2def5f14958f69ced508dfa21d244a921ca970caa535d12084a336cc42919e9aea5809d2b6706e8e17fe0dd97d37d

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
3d510d71c39d13a798fa1f42cc8410c8

SHA1
11ea61750c73712ec4b4490179b4b8c41e3182e1

SHA256
bc55124e5d2917c1be20bca4c523dcaf6a495a917d7a48d8477ed6443f595d0b

SHA512
d31184521bfdbcc5d7865aa9c47af99e9fe2def5f14958f69ced508dfa21d244a921ca970caa535d12084a336cc42919e9aea5809d2b6706e8e17fe0dd97d37d

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
cc375974be95e3060ee7f634d814eb4d

SHA1
e10a421077d68751012732a052acf5917deff4f2

SHA256
a58be6145865914ed1e66b7d22ddf37284fe5efd9eaf611fcabc55d404e7454a

SHA512
9e3c6de4275118d86a428a65b4ca662e3bfe75d66451839a5c418bd24fe7c6721afc10c0569cd71a08029ab06a0a726752a1dba8b153cb3141039039dc6dcfb6

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
e3f2c0690f5e4912f8bebe7fca3a5035

SHA1
119eecd6e0a4d2d9d0437adc2d548987380080f2

SHA256
4465b053caf92891a05fdf6bc61ecc3bfbf1bb0f7b45138460ed790a3535dda3

SHA512
9fe6a3c0032eabe5f353f4aa7526d0d7380dc01776c568a7474948d83367e7826acbeceede24cdd70e288a0e29391dcafab5cfb6b9bddb3e5784188b6cfaeabe

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
7698c3d5613daba0d9181f67389fe318

SHA1
a9d25645c991e48a3b8fb6d15d3d8e9410f09ee2

SHA256
6fc713294dba2eee2d628c93b64833ef91236a6d243009f8a21f0c1977974c77

SHA512
409852dee62a6998ff2b637603e3c918be2f117c51f5ecddce0aa8b7a3ef0866a0ead9e6d9025ca1ffb1d4c28b4009e91d93e2abb9ae6d34b82e4bf6216a1f91

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
c38063c21f41f627263dea1fd01dbbc3

SHA1
af5edb3918fa7e1b542408303a1aa56ba84a1fae

SHA256
23f296891b9deb10ee325f6837a2f28eff8bd77f20ee608a044b78dbcfa4dbc3

SHA512
0fbff994f58d4f14846f0f1198ba7acb5be0a65f60a19b9b8cd17e6b3dbd0dc1e00fa9110e1fafc5c718a1b133d5d6af5141e8f62b7ca85106909c8ed5307ede

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
27b1ae03ff203e55f7bf056ed94f13e0

SHA1
576921c5ef95f78627947901de9cdf0e52e20b90

SHA256
593bf94e83c8a12501fa08684c25219be69406656423d5751314761c3a52d093

SHA512
2e964ca77df2b34e8a568eb2510a78f37f0492bf61d34219911629a5190cdded2d175a7447d02928e73740ce24fd595f391cfcf0fa8897bc6e0a694265a6c688

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
18529351c972f7cc8c76cc371f1a6c7e

SHA1
aee07ef44b64e131d88282ffde990e0dff0cdbc0

SHA256
e2b96ef4850b25032cdc32515ca4f8373ac436a0aabf4ff9e6b18508f733d00e

SHA512
2b900880fcfadcb3e2953f629e2886040c3f08a4af7ef7d71e6fbf9370fe21ee77af1f255bdf98d07db7f949c6e1f4ffe9b283816ac5f43273f1e9c35ca2f400

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
340e9e5cec51f33cd7cf00a1419fb64c

SHA1
f3291bda778c70d19240cc0eed62f78342e621bf

SHA256
e85028121b38601eeef9882c60794d1482ef4f74748f54387a1b3b19a2f11e39

SHA512
24deb28ca97696aa2ee4df2f0d0c963dff74a02fe19dd9125b5d3218eb219a2bec5681f5c420831142af82b91e12dc5947deb394bca8dca61c62c648afca8e9d

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
2d83e97bbc91424eba1eea8451eff37b

SHA1
f19d41d1b51580ade19264ac0aefa599eb95980a

SHA256
5d9448cad45701e1419daeb196f98d52cf7691fde14c4abed74bfd2cb024a93b

SHA512
fe8a0ba755c7a6b35784c7fafb7a3057cc8f86e05025dbc8f8caba8de2e9f6391c8e9cb78aa2a7d8c9583799e9df8bfa8073807ff0126ba616676b20c957c5b0

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
709a811523698cbfa70e2329769c75b6

SHA1
84159e36ddc4eccb5fe4ee95e53f0cf80f439126

SHA256
9a67d3fd937c2e92a64958f8eae77d00d90d5c6d613758ae8ee9e00855a179d5

SHA512
fa232912cc5e1e45c54c8a7d1bca893b47ad9b54a83be602c531d34610aed6c8f0b3ea6b5097e6ea259c8e1f51039cf95a6928dd1acb2a97f67edebeb576843c

Download Submit
C:\Windows\system32\AgentService.exe

Filesize
1.7MB

MD5
8ee7c863bfd6f3cc01cbac134204d01f

SHA1
4645e80f78a7a60fb4e9d57cae497bafc3e725f9

SHA256
be8bb4a11cc523b36c8b3064441b3bf8a6b7a696a3acb24ca9983e8328af5486

SHA512
7ce37291214adbf06c62eac5c852ce76d05e51e79a8b45dc258bff1c76dbe6e22e0d60a7a7300acb332732d1a1fe342b53a24a1327b1e1e40605b5d11aa46986

Download Submit
C:\Windows\system32\AppVClient.exe

Filesize
1.3MB

MD5
b1e37700e88aef53abcb2436daa39147

SHA1
8a4af23161389b55fd52e345aa740a739ae9715e

SHA256
13f68743bef84babd3ad4c40df7d99019751391421c530136c9f00ad2b91e2bb

SHA512
62114103e161129e4ad871b2f8b30965bdbad0fd0659f9638a67c1974eafeeacfd1f52352e0af2f1b03d724332620b19b2723dc76f250a13c318dafcd8be1af9

Download Submit
C:\Windows\system32\SgrmBroker.exe

Filesize
1.5MB

MD5
8a7943f08bc5c9e35d100d0ac41f4cdc

SHA1
81bf87a03fe39b0ccc11218545e33d9f5b7486e4

SHA256
b16a7ae27f2e46b25d4b25b55c669123227ef53c9c1bc14b456c72101abb5da5

SHA512
7e3e7ea3ada71d8b4e6b158333bb88b9bafa7020dabb96de8e0d87671bf29977e65e9eb4e2a35baefca4e13bb6b0a55935602de2b5a31c80a9d8f8abbe9d71bd

Download Submit
C:\Windows\system32\fxssvc.exe

Filesize
1.2MB

MD5
317b8f3caec5ed2f9cd25fa4c102b012

SHA1
4d4f5fe83d720c8d71fd62e4908f426dcc72e727

SHA256
582d8eec8410a4cca25fb16bb5ec7c678b00686ec76fccc075440a96121dd480

SHA512
38a0111edbf14d6415e92a8296816f529c8358151905d87c0ded0b52ea1f54d48a2c8b1b886667c8a93e3ca1ad94a1735309762741fc31c05f14b037cc18c89e

Download Submit
C:\Windows\system32\msiexec.exe

Filesize
1.2MB

MD5
e6a996970d01872c78a27c7f2d9f6a12

SHA1
0cc0e9ea63f4c5417347f62d665e8102bd0f2765

SHA256
423f51740fd47bae3aa2add6b0f09051c675569c2270eb53652d4bc3a2878c21

SHA512
9e7667dffc058ca0afb72689d63275d8f0ba850a4677c094f657560b976ba62f0116065cbfc13a1288cc43af11312bb1f8f6aa59660b4f73d490b2bbc42d622a

Download Submit
C:\odt\office2016setup.exe

Filesize
5.6MB

MD5
40207b37bb4074a50dddd8cd23493ec0

SHA1
c3b96d6bcec974bbdef9bd06397850c34902b4b8

SHA256
cb4458c709d19da5168dcf2af50773584dd1b36eac323da6d59e9e1de4d5db7b

SHA512
a0c0a3325e41be6950369a97485f75fcec8edffda7e1d13e906d93d75d9ebcd5e71607bfd79c0bf95d7b3f78682f62029dd245cded68485044c1d51db42a071e

Download Submit
memory/448-275-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/448-216-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/448-207-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/464-61-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/464-115-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/464-53-0x0000000000440000-0x00000000004A0000-memory.dmp

Filesize
384KB

Download
memory/464-54-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/544-202-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/544-192-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/544-262-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/748-205-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/748-214-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/748-140-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/748-147-0x00000000006E0000-0x0000000000740000-memory.dmp

Filesize
384KB

Download
memory/1696-271-0x0000000000BE0000-0x0000000000C40000-memory.dmp

Filesize
384KB

Download
memory/1696-265-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/1912-34-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1912-35-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1912-29-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1912-27-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/1912-93-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/1976-136-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1976-200-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/2240-12-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2240-76-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2240-20-0x00000000006D0000-0x0000000000730000-memory.dmp

Filesize
384KB

Download
memory/2240-13-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/2356-117-0x0000000000840000-0x00000000008A0000-memory.dmp

Filesize
384KB

Download
memory/2356-107-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2356-173-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/2444-77-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2444-91-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2444-88-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2444-84-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2444-85-0x0000000001690000-0x00000000016F0000-memory.dmp

Filesize
384KB

Download
memory/2444-79-0x0000000140000000-0x0000000140209000-memory.dmp

Filesize
2.0MB

Download
memory/2504-186-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2504-133-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/2504-123-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2544-26-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2544-0-0x0000000000400000-0x00000000005E5000-memory.dmp

Filesize
1.9MB

Download
memory/2544-7-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/2544-6-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/2544-1-0x0000000002380000-0x00000000023E7000-memory.dmp

Filesize
412KB

Download
memory/2876-320-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2876-237-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/2876-245-0x0000000000C40000-0x0000000000CA0000-memory.dmp

Filesize
384KB

Download
memory/2932-39-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/2932-40-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2932-46-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2932-48-0x0000000000A00000-0x0000000000A60000-memory.dmp

Filesize
384KB

Download
memory/2932-50-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/3076-290-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/3076-297-0x0000000000820000-0x0000000000880000-memory.dmp

Filesize
384KB

Download
memory/3160-72-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3160-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3160-66-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/3160-65-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/3456-277-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/3456-284-0x0000000000500000-0x0000000000560000-memory.dmp

Filesize
384KB

Download
memory/3544-234-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3544-220-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-233-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3544-228-0x0000000000BC0000-0x0000000000C20000-memory.dmp

Filesize
384KB

Download
memory/3816-258-0x0000000000770000-0x00000000007D0000-memory.dmp

Filesize
384KB

Download
memory/3816-250-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4196-236-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4196-175-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download
memory/4196-165-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/4348-102-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4348-95-0x0000000000D40000-0x0000000000DA0000-memory.dmp

Filesize
384KB

Download
memory/4348-151-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4348-94-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/4680-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-249-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4680-188-0x0000000000670000-0x00000000006D0000-memory.dmp

Filesize
384KB

Download
memory/4984-219-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4984-153-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4984-160-0x00000000006A0000-0x0000000000700000-memory.dmp

Filesize
384KB

Download